Over the past two years there has been an explosion in the number of "security research" firms starting up with the sole purpose of discovering and selling exploits for security flaws in computer code. It is hardly surprising when the majority of the world's governments are the key clients for these businesses, buying up new and unknown exploits to add to their "cyber arsenal". Globally, the business is expanding at an unprecedented rate in the trade of what people call zero days.
Governments are starting to say, "In order to best protect my country, I need to find vulnerabilities in other countries," said Howard Schmidt, a former White House cyber security spokesperson. "The problem is that we all fundamentally become less secure."
Ethics: An Interesting Dichotomy
In the past, computer security researchers would have followed the ethically sound vulnerability disclosure path: notifying the vendor of the software or hardware in question and giving them a reasonable period of time to release a fix for the vulnerability prior to publishing the vulnerability to the world. This allowed patches to be written and systems to be updated, and gave users a chance to defend themselves.
In the past, all of this would have been done for little more than an honourable mention on a vendor's website and attribution within the vulnerability databases. The current trend of selling exploits to the highest bidder ultimately puts internet-based businesses and digital citizens at risk.
Result: Fascist Defence becomes the Safest Offense
How do you start to defend against the unknown? As with every threat, you have to start by looking at what you need to defend against and what you want to defend against, as these are often two different criteria.
The first and foremost thing you should always do to ensure a robust defence is keep your software up to date. Keeping your applications patched, as well as your operating system, reduces the likelihood of a successful attack.
Reducing who can reach you can really help. For instance, if you were running an ecommerce business based in the UK and all your business was conducted within the UK, why would you allow connections from other countries?
Simply whitelisting the UK address space would reduce your attack surface significantly, but could you afford to lose out on the odd purchase from other countries?
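The source-address whitelisting described above, as an added example that is not part of the original paper: a small Python filter that checks each connection source against a list of allowed CIDR prefixes and tallies the allow/deny decisions. The prefixes and the sample connection sources are constructed (documentation ranges standing in for "the UK address space"); a real deployment would load the current ranges from the RIR delegation data and enforce the rule at the network edge, with the deny count telling you exactly how many out-of-region requests you are turning away.

```python
import ipaddress
from collections import Counter

# Constructed allowlist standing in for "the UK address space". These are
# documentation prefixes, not real UK ranges; load the genuine prefixes from
# RIPE delegation data in a real deployment.
UK_ALLOWLIST = [
    "203.0.113.0/24",    # TEST-NET-3, used as a constructed "UK" range
    "198.51.100.0/25",   # lower half of TEST-NET-2, constructed
    "2001:db8:1::/48",   # IPv6 documentation prefix, constructed
]

# Always-allowed management range (e.g. an office VPN egress), constructed.
MANAGEMENT_ALLOWLIST = ["192.0.2.10/32"]


def build_allowlist(cidrs):
    """Parse CIDR strings once up front; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(src_ip, networks):
    """True if src_ip falls inside any allowed network (IPv4 or IPv6)."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # unparsable source address: fail closed
    return any(addr in net for net in networks)


def filter_connections(src_ips, networks):
    """Return a dict of src_ip -> 'allow'/'deny' plus a summary Counter."""
    decisions = {
        ip: ("allow" if is_allowed(ip, networks) else "deny") for ip in src_ips
    }
    return decisions, Counter(decisions.values())


# Constructed sample of connection sources, as seen in a web server log.
SAMPLE_SOURCES = [
    "203.0.113.45",      # inside the constructed UK /24 -> allow
    "198.51.100.200",    # above .127, outside the /25 -> deny
    "192.0.2.10",        # management host -> allow
    "2001:db8:1::beef",  # inside the constructed v6 /48 -> allow
    "2001:db8:2::1",     # different /48 -> deny
    "not-an-ip",         # malformed -> deny (fail closed)
]

if __name__ == "__main__":
    nets = build_allowlist(UK_ALLOWLIST + MANAGEMENT_ALLOWLIST)
    decisions, summary = filter_connections(SAMPLE_SOURCES, nets)
    for ip, verdict in decisions.items():
        print(f"{ip:20} {verdict}")
    print(dict(summary))
```

Keeping the deny decisions in logs answers the "odd purchase" question with data rather than guesswork: if the denied sources are overwhelmingly scanners and the occasional legitimate customer, the trade-off is easy to justify, and the management range shows how to carve out exceptions without opening the whole list.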
Installing an application level firewall to limit the avenues and class of attacks will further reduce the likelihood of an attack succeeding.
Last thing to mention in this short paper is passwords. A password should be 16 characters long and include letters, numbers and special characters, and it should be changed at least every 90 days.
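The password policy stated above, as an added example that is not part of the original paper: a Python checker that reports every way a password fails the stated rules (16 characters, letters, numbers, special characters, changed within 90 days) rather than a bare pass/fail, so an administrator can see which rule is actually being missed. The sample passwords and change dates are constructed.

```python
import re
from datetime import date, timedelta

# Policy values as stated in the paper.
MIN_LENGTH = 16
MAX_AGE_DAYS = 90

# Character classes the policy requires; "special" is anything not a letter or digit.
_REQUIRED_CLASSES = {
    "letter": re.compile(r"[A-Za-z]"),
    "number": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def check_password_policy(password, last_changed, today=None):
    """Return a list of violations; an empty list means the password complies."""
    today = today or date.today()
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in _REQUIRED_CLASSES.items():
        if not pattern.search(password):
            violations.append(f"missing a {name}")
    # Rotation check: strictly older than MAX_AGE_DAYS is a violation.
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        age = (today - last_changed).days
        violations.append(f"last changed {age} days ago, limit is {MAX_AGE_DAYS}")
    return violations


def is_compliant(password, last_changed, today=None):
    """Convenience wrapper: True only when no rule is violated."""
    return not check_password_policy(password, last_changed, today)


# Constructed sample accounts: (password, date last changed).
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = {
    "alice": ("Correct-Horse-Battery-9", date(2024, 4, 15)),  # compliant
    "bob": ("Summer2024!", date(2024, 5, 20)),                # too short
    "carol": ("thisisaverylongpassword", date(2024, 5, 1)),   # no number or special
    "dave": ("Long-Enough-Password-42", date(2024, 1, 1)),    # 152 days old
}

if __name__ == "__main__":
    for user, (pw, changed) in SAMPLE_ACCOUNTS.items():
        problems = check_password_policy(pw, changed, TODAY)
        print(f"{user:6} {'OK' if not problems else '; '.join(problems)}")
```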