NEWS
Report Analysis
Tenable: How lucrative are vulnerabilities?
One of the take-away messages from this report, sub-titled 'A closer look at the economics of the exploit supply chain', is that cyber criminals are earning around 12 times as much as organisations are spending on cyber security. Gartner estimates that worldwide cyber security spending will amount to around $136bn in 2019. The bad guys, by contrast, are pushing $200bn through money laundering operations alone.

You can take this any number of ways. For example, criminals can afford to invest more than organisations do and still walk away with a handsome profit. The truth, however, is that they don't need to. Cyber security is asymmetric: defenders have to spend lavishly on protection they may never use, while attackers have the luxury of choosing when, where and how to attack.

You could conclude that we need to spend a lot more on cyber defence. Certainly, every CISO is constantly asking for more budget, and it is a fair bet that, given it, they would put it to good use. Throwing money at the problem is likely to have some benefit, although perhaps not as much as some might hope. After all, the weakness that kills you is the one you didn't know you had, and so the one you are unlikely to have fixed, however big your budget. Spending the budget more wisely is a better bet. As the introduction to this report says: "The imbalance between the amount of resources that threat groups expend on cybercrime versus the more limited resources of defenders requires organisations to improve the efficiencies of their preventative measures. A risk-based approach to vulnerability management that prioritises those vulnerabilities most likely to be utilised in an attack (typically those that are in the most widely adopted technologies and applications) is necessary given the overwhelming number of vulnerabilities."

That last point is critical. While some improvements have been made in code quality, for example by integrating security into the software development lifecycle, such gains seem always to be undone by the race to exploit innovation. Desktop operating systems, for instance, are more secure than they have ever been. But in areas such as the Internet of Things (IoT), the rush to market nearly always trumps concerns over security.

The software and cyber security industries have made some efforts to reduce the effectiveness, and therefore the black market value, of vulnerabilities. One of these is disclosure. Through mechanisms such as the Common Vulnerabilities and Exposures (CVE) database, organisations can keep on top of the known dangers in the software they use and make the necessary efforts to apply fixes. Responsible disclosure is further encouraged by the now-common bug bounties, which give researchers an incentive to find vulnerabilities and report them in a way that benefits everyone other than the criminals.

Nonetheless, zero-day exploits remain the basis of a lucrative trade. They are peddled by exploit brokers of varying degrees of respectability, and governments will pay very large sums for them. The uses to which governments put them may range across the ethical spectrum, but their buying power does make it harder for common or garden cyber criminals to get their hands on them. According to Tenable's report, the amounts paid for useful zero-days have soared by 500% in just over two years.

This complex situation has resulted, explains Tenable, in markets for vulnerabilities of all shades of grey. At the white end of the scale are responsible disclosure practices, public vulnerability and exploit databases and an open community working for the common good, as well as commercial enterprises striving to improve their products. At the black end lie the out-and-out criminals. In between are governments, intelligence agencies and the shady organisations servicing them.

Tenable's report does a good job of explaining how all these pieces fit together in what it dubs the vulnerability-to-exploit (V2E) supply chain, as well as the economic forces acting on these markets and actors. The report traces the lifecycle of a vulnerability from discovery, through research and development of an exploit, to its brokering and dissemination. That last step leads on to 'productisation', which could be anything from a Metasploit module to malware. The final step of the supply chain is delivery. The report is available here: http://bit.ly/2P6cNAE.

Figure: A simplified representation of the vulnerability-to-exploit supply chain. Source: Tenable.

Computer Fraud & Security
December 2019