Companies are supposed to patch. But the process is flawed. For all sorts of good and bad reasons, vulnerabilities still exist. The solution: CVD (coordinated vulnerability disclosure) on steroids: connect the dots and use LIRs to close the gaps.
LIR's key role in vulnerability management
1. And why the LIR is a key factor
M. Steltman - RIPE79 – 16-10-2019
2. The compelling case for vulnerability management
3. Why are we vulnerable?
“We are vulnerable, because hard- and software has vulnerabilities. The bad guys find them and use them for themselves. So we need good guys to find them too, and then fix those leaks. It’s all we have”
Bruce Schneier
10. => towards: CRD on steroids
[Slide diagram: Crawl and scan networks -> Add performance information -> Collect and aggregate -> Forward & Policy -> Members & Constituents of:]
Members & Constituents of:
11. What can and should LIRs do?
** Where does LIR responsibility start and stop? **
-> The LIR is NOT responsible, but is (like other intermediaries) a key actor in getting this going
This goes way beyond ISP abuse mitigation!
- The LIR (as ISP, hoster, CSP) is a key actor, the essential “middle man”:
- Monitor: which badness is visible in my networks: vulnerabilities and abuse
- Receive: subscribe to feeds, receive abuse and vulnerability information
- Triage: who has the actual problem, which user or customer?
- Forward: who can and should fix this?
- Policy: “motivate” users / customers to act, or act yourself
12. Questions for RIPE community / LIRs
- Do you agree that this “actual vulnerability” approach can be very effective?
- Do you agree that the LIR is a key middleman in this approach?
Concrete actions for such LIRs, what can you already do NOW:
- Start with this mindset
- Update your policies, accept the code of conduct for NtD and Abuse
- Be reachable!
- Subscribe to offered aggregated feeds
- Forward info and act, towards customers / users
- Use standard OSS systems such as Abuse-IO
- If this initiative starts, are YOU prepared to participate?
13. The current approach, motivate companies to patch 100%, is insufficient
The solution: find ACTUAL leaks, aggregate, add performance info
Then forward to those who can fix, or who can make someone fix
In NL:
All we need is already there! We just need to go on steroids
Gov (NCSC): please take the lead, connect the dots
Providers / LIRs: adopt the CoC, connect to NBIP and start making a difference
In your country: replicate the model
** It is time to act, now! **
And again: we are vulnerable. Very vulnerable. VPN vulnerabilities: as if your staff entrance is open to everybody. Our scientific council has said it: this can lead to disruptions of society. What is vital and what is not? Anything can turn out to be vital if it is down or compromised long enough.
It really is time to act. But how?
I was at an OECD congress last year, with Nelly, inspired by Bruce. He made the matter very simple.
Let's start with the technology. It is not the only thing, but if that's not safe,
Our approach: complain about vulnerabilities, strong language: we must patch, why don't we do it?
And if you don't, you are apparently negligent and lazy. Shame on you?
Is it that simple?
Let's take a look at how it works.
It sounds easy enough: know your software, crawl the CVE database, go to your supplier, update and patch your systems.
Done. We are all a lot safer!
But it is hard and cumbersome.
CVE has 20000 entries. It is a huge task to know your inventory and know when to patch. Easy to overlook one.
Vendors don't always supply patches.
And lots of your technologies are with third parties: your hosters, SaaS providers. They can overlook patches too.
To make things worse, patching breaks things.
Lots of outages are caused by patching.
And then the minister will say “I am going to intervene with companies who don't manage their availability”?
There are too many patches to keep up with
Patching is a manual, time consuming process
Lack of resources
Some applications can’t be patched
End user resistance
Patching breaks things
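The “know your software, crawl the CVE database, go to your supplier, patch” loop described above, worked through as an added example (not code from the slides or from any project the talk names). It runs a constructed inventory against a constructed advisory feed; the advisory identifiers, products, versions and the “saas-provider-example” operator are made-up placeholders, and the version comparison is a plain numeric tuple compare rather than any vendor's scheme. Besides the happy path it models the three failure modes the notes list: an asset run by a third party, a product with no vendor patch, and a host that was never inventoried at all.

```python
import re
from dataclasses import dataclass


def parse_version(text):
    """'2.4.41' -> (2, 4, 41) so versions compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


@dataclass
class Advisory:
    ident: str             # constructed placeholder, not a real CVE identifier
    product: str
    fixed_in: str          # first version that carries the fix
    patch_available: bool  # False models "vendors don't always supply patches"


@dataclass
class Asset:
    host: str
    product: str
    version: str
    operator: str          # "self", or the third party that runs it for you


# Constructed inventory and advisory feed (all names and versions are made up).
INVENTORY = [
    Asset("www1", "webserver-x", "2.4.41", "self"),
    Asset("www2", "webserver-x", "2.4.52", "self"),
    Asset("crm", "crm-suite", "7.1", "saas-provider-example"),
    Asset("plc1", "legacy-controller", "1.0", "self"),
]
ADVISORIES = [
    Advisory("ADV-0001", "webserver-x", "2.4.50", True),
    Advisory("ADV-0002", "crm-suite", "7.2", True),
    Advisory("ADV-0003", "legacy-controller", "2.0", False),
]


def affected(asset, adv):
    """An asset is affected when it runs the product at a version below the fixed one."""
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def match_inventory(inventory, advisories):
    """'Crawl the CVE database': {host: [advisory ids]} for every affected asset."""
    findings = {}
    for asset in inventory:
        hits = [adv.ident for adv in advisories if affected(asset, adv)]
        if hits:
            findings[asset.host] = hits
    return findings


def action_plan(inventory, advisories):
    """'Go to your supplier, update and patch': who actually has to do what."""
    plan = {}
    for asset in inventory:
        for adv in advisories:
            if not affected(asset, adv):
                continue
            if not adv.patch_available:
                action = "no vendor patch: mitigate or isolate"
            elif asset.operator != "self":
                action = f"ask {asset.operator} to patch"
            else:
                action = "patch"
            plan.setdefault(asset.host, []).append((adv.ident, action))
    return plan


def uninventoried(observed_hosts, inventory):
    """The 'easy to overlook one' case: hosts seen on your own network that the
    inventory does not know, so no advisory will ever be matched to them."""
    known = {asset.host for asset in inventory}
    return sorted(set(observed_hosts) - known)


if __name__ == "__main__":
    print(match_inventory(INVENTORY, ADVISORIES))
    print(action_plan(INVENTORY, ADVISORIES))
    # "mail1" is a constructed host that was observed but never inventoried
    print(uninventoried(["www1", "www2", "mail1"], INVENTORY))
```

The point of `uninventoried` is the one the notes make: the CVE-matching step can only ever be as complete as the inventory feeding it, which is why the talk moves on to scanning for what is actually exposed.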
Plan B: scan for things you can see from the Internet. Act as the bad guys do. Then report to the company who can fix this.
So here is the plan:
Put RD on steroids.
It is a simple formula that many of you recognize from other problems.
Scan
Forward and aggregate
Add: sticks and carrots
Then: send to those who do not have the problem themselves, but KNOW who has the problem: LIRs, hosters, providers. They KNOW who is responsible, understand the technical details, and can formulate the right call to action.
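The LIR-side pipeline from slide 10, slide 11 (Receive, Triage, Forward, Policy) and the plan in these notes (scan, aggregate, add performance info, sticks and carrots, send to the party that knows who is responsible), as an added worked example that is not code from the slides, from Abuse-IO or from NBIP. The allocation table, the feed lines, the holder names and the escalation thresholds are all constructed; the prefixes are the documentation ranges from RFC 5737 and RFC 3849. The triage step is a longest-prefix match, so a sub-allocation inside a hoster's block is attributed to the hoster's customer rather than to the hoster, and an address that matches nothing is set aside for a human instead of being forwarded to the wrong party.

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed allocation table of a hypothetical LIR: (prefix, holder, contact).
# The /25 is a sub-allocation of hoster-a's /24 to one of its own customers,
# so attribution must prefer the most specific prefix.
ALLOCATIONS = [
    ("192.0.2.0/24", "hoster-a", "abuse@hoster-a.example"),
    ("192.0.2.128/25", "customer-b", "noc@customer-b.example"),
    ("198.51.100.0/24", "customer-c", "abuse@customer-c.example"),
    ("2001:db8::/32", "hoster-a", "abuse@hoster-a.example"),
]

# Constructed aggregated feed (date,ip,category,detail,source). 203.0.113.9 is
# deliberately outside every allocation to exercise the "cannot attribute" path.
FEED = """\
2019-10-01,192.0.2.10,vulnerable-service,outdated-vpn-gateway,scanner-x
2019-10-01,192.0.2.200,vulnerable-service,open-resolver,scanner-x
2019-10-03,192.0.2.200,abuse,spam-source,honeypot-y
2019-09-01,198.51.100.7,vulnerable-service,outdated-vpn-gateway,scanner-x
2019-10-05,203.0.113.9,abuse,scanning-source,honeypot-y
2019-10-02,2001:db8:1::5,vulnerable-service,outdated-vpn-gateway,scanner-x
"""


def parse_feed(text):
    """Receive: turn feed lines into records (a real feed would be a CSV export, Abuse-IO, ...)."""
    records = []
    for line in text.strip().splitlines():
        day, ip, category, detail, source = line.split(",")
        records.append({"date": date.fromisoformat(day), "ip": ip,
                        "category": category, "detail": detail, "source": source})
    return records


def resolve(ip_str, allocations=ALLOCATIONS):
    """Triage: longest-prefix match of an address against the allocation table."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for prefix, holder, contact in allocations:
        net = ipaddress.ip_network(prefix)
        # 'in' is False across address families, so v4 and v6 never mix
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, holder, contact)
    return best


def triage(records, allocations=ALLOCATIONS, today=date(2019, 10, 16)):
    """Group findings per responsible holder and add the 'performance' info
    the slides ask for (here: age in days of the oldest open item)."""
    report = defaultdict(lambda: {"contact": None, "findings": [], "oldest_days": 0})
    unresolved = []
    for rec in records:
        hit = resolve(rec["ip"], allocations)
        if hit is None:
            unresolved.append(rec)  # not our space, or table out of date: needs a human
            continue
        _net, holder, contact = hit
        bucket = report[holder]
        bucket["contact"] = contact
        bucket["findings"].append(rec)
        bucket["oldest_days"] = max(bucket["oldest_days"], (today - rec["date"]).days)
    return dict(report), unresolved


def policy(report, max_open=2, max_age_days=30):
    """Policy ('sticks and carrots'): a plain notice, or escalation when a holder
    sits on too many or too old items. Thresholds are illustrative assumptions."""
    return {holder: ("escalate" if b["oldest_days"] > max_age_days
                     or len(b["findings"]) > max_open else "notify")
            for holder, b in report.items()}


def forward_messages(report, decisions):
    """Forward: one message per holder, addressed to the registered contact."""
    messages = []
    for holder, b in report.items():
        lines = [f"{r['date']} {r['ip']} {r['category']}: {r['detail']} (via {r['source']})"
                 for r in b["findings"]]
        messages.append({"to": b["contact"], "holder": holder,
                         "action": decisions[holder], "body": "\n".join(lines)})
    return messages


if __name__ == "__main__":
    rep, unres = triage(parse_feed(FEED))
    for msg in forward_messages(rep, policy(rep)):
        print(msg["to"], msg["action"], "\n" + msg["body"])
    print("unresolved:", [r["ip"] for r in unres])
```

The two things worth checking in any real implementation are the ones the constructed data exercises: that the more specific sub-allocation wins (otherwise the hoster gets mail about its customer's problem and the customer never hears of it), and that unattributable addresses are queued rather than silently dropped or forwarded to the holder of the enclosing block.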