[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" International Panel Discussion (4) by Hiroyuki Itabashi
0 likes40 views
The Information Security Early Warning Partnership aims to enhance cybersecurity by providing guidelines for handling vulnerability-related information to prevent damage from unauthorized access and computer viruses. The partnership facilitates communication between vulnerability discoverers, software developers, and website operators to address security issues effectively. Recent operational data indicates challenges in timely communication and the need for greater awareness and proactive measures among developers and website operators regarding vulnerabilities.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" International Panel Discussion (4) by Hiroyuki Itabashi
- 1. Introduction of the Information Security Early Warning Partnership October 28, 2022 Information-technology Promotion Agency, Japan Security Center Vulnerability Countermeasures Group, Security Promotion Dept. Hiroyuki Itabashi
- 2. 2 What is the Information Security Partnership? The purpose of this regulation is stipulated by the Ministry of Economy, Trade and Industry's "Regulations for Handling Vulnerability-Related Information on Software Products, etc.". Objective: The purpose of these rules is to prevent damage caused by computer viruses, unauthorized computer access, etc. to unspecified persons or large numbers of persons, to take countermeasures against such damage, and to contribute to the realization of a society in which citizens can live safely and securely, by defining recommended acts for those who handle vulnerability-related information of software products, etc., in order to ensure cybersecurity. The purpose of this document is to promote the appropriate distribution of information, to improve the vitality and sustainable development of the economy and society, and to contribute to the realization of a society in which citizens can live safely and with peace of mind. Information Security Early Warning Partnership (Vulnerability Reporting System) -About the System (1)
- 3. 3 What is the Information Security Partnership Guideline? ■Origin of the System The "Information Security Early Warning Partnership Guideline" is a compilation of recommended actions to be taken by concerned parties in order to realize the appropriate distribution of vulnerability- related information(*) , based on the aforementioned public notice. Specifically, the Guidelines describe the process of addressing vulnerabilities in cooperation with the discoverers of vulnerability-related information, software product developers, and website operators, with the Information-technology Promotion Agency, Japan, acting as the receiving organization, and the JPCERT Coordination Center, a general incorporated association, acting as the coordinating organization. (*) Vulnerability-related information, which refers to any of the following: vulnerability information (nature and characteristics of the vulnerability), verification methods, and attack methods. ■ Scope of Application The guideline covers vulnerabilities that may affect a large number of people; specifically, software products widely used in Japan and web applications that run on websites presumed to be accessed primarily from Japan (for example, websites written in Japanese, URLs that use the “jp” domain and so on.). Information Security Early Warning Partnership (Vulnerability Reporting System) -About the System (2)
- 4. 4 The parties and benefits of the "Information Security Partnership Guide Line" are as follows Relevant Parties Advantages of Information Security Early Warning Partnership Discoverer • Can prompt software developers and website operators to take countermeasures against vulnerabilities through a public entity. • May be publicly credited on a document when the vulnerability countermeasure is published. Product Developers • Can learn about non-public vulnerabilities that may affect their own products. • Can make users publicly aware of how to address vulnerabilities. • Can demonstrate that they are seriously engaged in addressing vulnerabilities. Website operators • Can address their websites before the existence of a vulnerability becomes widely known. • Can check for and address previously unnoticed vulnerabilities. • Can improve user safety on their websites. Information Security Early Warning Partnership (Vulnerability Reporting System) -About the System (3)
- 5. Security problems in software products, web applications, etc., where unauthorized computer access, computer viruses, or other attacks can impair their functionality and performance. vulnerability 5 Vulnerability Information Distribution Framework Information Security Early Warning Partnership (Vulnerability Reporting System) -Operational Structure, etc. Receive Vulnerability and Analyze Advanced Industrial Science and Technology Supporting Analysis Security Promotion Realizing Security Measures Distribution and others Determine announcement date, coordinate with developers and overseas agencies Verify Vulnerability reports Software and other product vulnerabilities Website vulnerabilities DiscoverVulnerability reports Pass on vulnerability reports Notification of vulnerability information Aggregate vulnerability handling situation, arrange announcement dates Announce in incident involving personal information disclosure Announce- ment of counter- measure Users Government Vulnerability reports Website operators verify and implement countermeasures Coordinate Vulnerability Information Portal Site Company Individual Software Developers System Integrators IPA: Information-technology Promotion Agency, Japan, JPCERT/CC: Japan Computer Emergency Response Team Coordination Center AIST: National Institute of Advanced Industrial Science and Technology
- 6. Information Security Early Warning Partnership (Vulnerability Reporting System) -Operational Status (1) 6 ■Japanese version: https://www.ipa.go.jp/security/vuln/report/vuln2022q2.html ■English version: https://www.ipa.go.jp/files/000100344.pdf Operation Status of the Information Security Partnership (Number of Notifications Received: End of December 2021) 33 112 288 197 231 154 128 141 185 271 209 442 1,045 462 326 232 244 309 140 294 315 374 2,391 1,446 379 691 671 884 1,118 413 370 142 238 905 754 605 173 579 1,182 1,753 4,375 5,9756,4827,314 8,170 9,325 10,652 11,507 12,922 13,526 14,090 15,227 16,225 17,139 0 2,000 4,000 6,000 8,000 10,000 12,000 14,000 16,000 18,000 0 500 1,000 1,500 2,000 2,500 3,000 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 Software Products Websites Cumulative Annually Reported Number Cumulative Number Reported
- 7. 7 Q2 2022 Number of vulnerability reports Classification. Number of cases in this quarter cumulative total Software Products 75 cases 5,157 cases Website 88 cases 12,308 cases total amount 163 cases 17,465 cases Q2 2022 Number of corrections completed (JVN announced) Classification. Number of cases in this quarter cumulative total Software Products 27 cases 2,417 cases Website 29 cases 8,290 total amount 56 cases 10,707 cases Information Security Early Warning Partnership (Vulnerability Reporting System) -Operational Status (2) For the last three years, there has been no significant change in the number of software filings, but the number of website filings has begun to decline since 2021. 61 67 61 52 58 73 71 80 93 63 75 75 284 105 200 136 188 230 180 223 109 85 98 88 4,389 4,456 4,517 4,569 4,627 4,700 4,771 4,851 4,944 5,007 5,082 5,157 10,666 10,771 10,971 11,107 11,295 11,525 11,705 11,928 12,037 12,122 12,220 12,308 0 2,000 4,000 6,000 8,000 10,000 12,000 14,000 0 100 200 300 400 500 600 700 800 3Q 2019 4Q 1Q 2020 2Q 3Q 4Q 1Q 2021 2Q 3Q 4Q 1Q 2022 2Q Cumulative Number Reported Annually Reported Number Software Products Websites Cumulative for Software Products Cumulative for Websites Quarterly number of vulnerability report 16 17 30 19 22 20 35 32 27 22 25 24 22 30 30 73 75 69 75 85 73 92 58 97 1,732 1,749 1,779 1,798 1,820 1,840 1,875 1,907 1,934 1,956 1,981 2,005 1,711 1,741 1,771 1,844 1,919 1,988 2,063 2,148 2,221 2,313 2,371 2,468 0 200 400 600 800 1,000 1,200 1,400 1,600 1,800 2,000 2,200 2,400 2,600 0 20 40 60 80 100 120 140 3Q 2019 4Q 1Q 2020 2Q 3Q 4Q 1Q 2021 2Q 3Q 4Q 1Q 2022 2Q Reported from domestic and foreign finder Contact from an overseas CSIRT Reported from domestic and foreign finder Contact from an overseas CSIRT Quarterly Number Cumulative Number Number of software product vulnerability countermeasure information released
- 8. 8 Reporting Website : Handling Status Reporting Software Products: Handling Status Information Security Early Warning Partnership (Vulnerability Reporting System) -Operational Status (3) Situation: The situation 40% of all filings are still being handled. Situation: The situation The number of terminated cases was 86% of all notifications, which is a higher percentage of terminations than for software products. Publicized, 2417 Handing, 2087 Not Accepted 506 Total 5157 0 500 1000 1500 2000 2500 3000 3500 4000 4500 5000 5500 Software Products Vendor-Handled, 40 Non Vulnerability, 107 4651 Fixed, 8290 Securty Alert, 1130 Total 12308 0 1000 2000 3000 4000 5000 6000 7000 8000 9000 10000 11000 12000 13000 Website Unable to Handle, 231 Not Accepted, 285 Handling, 1662 Non Vulnerability, 710 12023
- 9. Information Security Early Warning Partnership (Vulnerability Reporting System) -Operational Status (4) 9 Type of product to be reported • Majority of "Web Application" and "Router" notifications. • Notifications of "applications for smartphones" also increased. Impact on notifiable products • Majority of the notifications for "Execution of arbitrary scripts," "Execution of arbitrary commands," and "Leakage of information". Software Products Number of Notifications by Impact Software Products Number of Notifications by Product Type 43% 9% 8% 5% 4% 4% 3% 2% 2% 2% 18% WebApplication Routers Smartphone Application Groupware Development/Runtime Smarthomeappliance WebBrowser FileManagement Software SystemAdm.Software OS Misc. 35% 12% 10% 8% 8% 5% 4% 4% 3% 11% Run arbitrary scripts Execute arbitrary command Information leak spoofing Execution of arbitrary code Access Restriction Bypass
- 10. Information Security Early Warning Partnership (Vulnerability Reporting System) -Operation Status (5) 10 Type of product to be reported • Majority with a "Cross Site Scripting" notification. • 80% of the notifications were for "Incomplete configuration of DNS information" and "SQL injection". Impact on notifiable products • Majority of the respondents filed a "Display of false information on a genuine website" report. Website Number of reports by impact Website Number of notifications by type of vulnerability 58% 11% 11% 4% 2% 2% 12% Cross-site Scripting Lamed DNS zone SQL injection Uninteded file disclosure Directory Traversal Inadvisability HTTPS handle Misc. 57% 12% 11% 4% 4% 3% 2% 7% Display a phony web page on the legitimate website Falsify and/or delete data Insert domain information Leakage of files in the server Leakage of personal information spoofing Leakage of cookie information
- 11. 11 Information Security Early Warning Partnership (Vulnerability Reporting System) -Challenges in Operation (1) Reporting Software Products Time-consuming for developers to respond to vulnerabilities The range of software products to be reported has expanded (smartphone apps, control software, etc.), and vulnerabilities. Even if you contact the product developer with the information, the product developer may not be able to investigate the vulnerability information (e.g., many types of target products), or may not be able to provide the information to the product developer. In some cases, it takes time to take action. Losing contact with the developer in the middle of coordination There is a wide variety of software products that are reported, including software products created by individual product developers, and even if vulnerability information is reported to the product developer, the product developer may not be reachable during the coordination process during the coordination process. Negative attitude toward the publication of vulnerability countermeasure information. Since the public disclosure of vulnerability information is perceived by product users to mean that software products have many vulnerabilities (i.e., poor quality), the situation has not fostered a climate of proactive disclosure of vulnerability information.
- 12. 12 Information Security Early Warning Partnership (Vulnerability Reporting System) -Challenges in Operation (2) Reporting Website Time-consuming to contact the website operator For websites to be reported, the contact information of the website operator will be investigated when contacting them with vulnerability information. Since the website does not clearly indicate a contact person (security-related contact person), we will investigate the the contact information. It takes time to reach to the right contacts. Vulnerability response takes time The actual operators of the reported websites vary widely (from large corporations to individuals, etc.), and even if the website operator is notified of the vulnerability, it may take some time for the website operator to investigate the vulnerability information (due to lack of countermeasure personnel, etc.) and take countermeasures.
- 13. 13 Information Security Early Warning Partnership (Vulnerability Reporting System) -Measures to Address Operational Issues Reporting Software Products Recognizing product developers who are proactive in taking vulnerability countermeasures The system will also consider a mechanism to evaluate product developers who proactively take vulnerability countermeasures and disclose vulnerability countermeasure information for software product vulnerabilities that are reported. Spreading the word about the need for vulnerability countermeasures to product developers Continue to provide educational materials on the necessity of vulnerability countermeasures for software developers with the cooperation of related organizations. Reporting Website Dissemination of clear contact information for website vulnerability information, etc. The "Establishment of a Security Contact Point" is available to website operators, and we will continue to spread the information and raise awareness. Continue to disseminate and raise awareness Continue to raise awareness Spreading the word about the need for vulnerability countermeasures to website operators We will continue to disseminate educational materials and videos to website operators to raise awareness of the need for vulnerability countermeasures. Continue to provide educational materials, videos, etc.