A leading security research company has recommended a new way to prevent cybercriminals from exploiting information about security flaws they buy on the black market: Good guys should buy the information before bad guys get their hands on it.
Between 60 percent and 80 percent of newly discovered security flaws are reported to software developers by security researchers who don’t try to charge for the effort of blocking up newly discovered holes in security, according to a report published Dec. 17 by NSS Labs.
Another 17 percent are acquired – for bug bonuses or outright purchase – by legitimate security-information services such as iDefense’s Vulnerability Contributor Program and HP TippingPoint’s Zero Day Initiative, which distribute information about new flaws to subscribers that often include the original developers.
Many of the rest are sold by individual hackers or researchers on the black market or through gray-market commercial zero-day exploit providers such as Endgame Systems, whose 2010 price list offers 25 zero-day exploits per year to subscribers willing to pay $2.5 million. The average price for a newly discovered security flaw is between $40,000 and $160,000, according to the report.
Subscriber lists are secret, but many of the buyers are reputed to be employed by national intelligence services or organized crime rings, according to NSS Labs.
A September study by McAfee showed that it takes an average of 312 days for zero-day flaws in newly released software to be discovered, and that exploitation of zero-day flaws is a major contributor to the $100 billion that malicious cyber activity costs the U.S. economy every year.
Software vendors bear much of the responsibility and should contribute to the cost of resolving the problem – with improvements in quality control and testing, and by raising the bug bounties to make it economically sensible for researchers who discover a new flaw to tell the vendor rather than sell the information on the black market, according to the report, which was written by NSS analysts Stefan Frei and Francisco Artes.
Since it appears to be difficult or impossible – or economically infeasible – for developers to produce major software products completely free of security vulnerabilities, however, organizations other than the developers have to step in and do something to keep criminals from getting first access to that information.
The solution Frei and Artes propose is the formation of an international vulnerability purchase program (IVPP), funded by governments, software vendors, user groups and other interested parties, which would buy up information about new flaws and provide incentives for the development of more secure software.
The total cost of the program would be an order of magnitude lower than the cost of the criminal activity it could prevent. U.S. cybercrime cost estimates range between $10 billion and $100 billion, which would place the cost of the IVPP at somewhere between 0.8 percent and 8 percent of the total. Even assuming that buying up new vulnerabilities reduced cybercrime by only 10 percent, IVPP would still deliver a cost-savings benefit in double-digit percentages, according to the report.
An international organization would also provide a single point of contact to report and track vulnerabilities as well as providing a neutral organization to coordinate the security- or quality-assurance efforts of many vendors.
So far no software developers or industry groups have stepped forward to help sponsor or promote the idea, however.