[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” International Panel Discussion (2) by Allan Friedman

  1. TLP:WHITE | January 3, 2023
     CISA | Cybersecurity and Infrastructure Security Agency
     Coordinated Vulnerability Disclosure: Progress and Advances in the US
     Allan Friedman, PhD
  2. tl;dr
     - US policy has embraced CVD and the critical role of researchers, and seeks to lower barriers.
     - Existing laws are interpreted to benefit researchers.
     - US government policy promotes private-sector disclosure.
     - The CVE Numbering Authority (CNA) program helps organizations work with researchers around the world.
  3. Existing laws that affect researchers
     - Computer Fraud and Abuse Act (1986)
       - Prohibits intentionally accessing a computer "without authorization" or in excess of authorization.
       - Recently, primarily used for insider abuse of data.
     - Digital Millennium Copyright Act (1998)
       - Uses an "anti-circumvention" provision (Section 1201) to prevent access to software.
  4. Good news!
  5. Progress on protecting researchers
     - Department of Justice guidance for prosecutors (2022)
       - Directs that good-faith security research should not be charged.
       - Good faith: accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm.
     - DMCA "exemptions" have continually expanded
       - Explicit carve-out for security research
       - Medical devices
       - Land vehicles (cars)
       - Open source software
  6. CISA | Cybersecurity and Infrastructure Security Agency
     CVE Numbering Authorities (CNA)
  7. The CVE Program CNA Agenda
     - WHAT is a CNA?
       - CVE Program
       - CNA role in vulnerability disclosure
     - WHO can become a CNA?
       - Organization type
       - Partners by country
       - Structure
     - HOW to become a CNA?
       - Requirements
       - Process
     - WHY become a CNA?
  8. What is a CNA? – CVE Program
     CVE Numbering Authorities (CNA): organizations authorized to assign and populate CVE IDs for vulnerabilities affecting products within their distinct, agreed-upon scope.
     Common Vulnerabilities and Exposures (CVE) Program:
     - CVE IDs are unique, common identifiers for publicly known cybersecurity vulnerabilities, assigned by CVE Numbering Authorities (CNAs).
     - The CVE Program is managed by MITRE, funded by CISA, and relies on the community (vendors, end users, researchers, and more) to discover and register vulnerabilities.
     - The CVE Board, which drives the direction of the CVE Program, consists of industry, academic, and government representatives from around the world.
     - CVE Working Groups develop the program's policies (approved by the CVE Board) and are open to the community.
  9. What is a CNA? – CNA Role
     Vulnerability Discovery -> Vulnerability Coordination -> CVE-ID Assignment -> Vulnerability Disclosure
     - Vulnerability Discovery: a CNA becomes aware of a vulnerability.
     - Vulnerability Coordination: coordination with vulnerability stakeholders.
     - CVE-ID Assignment: CVE ID assigned by the CNA.
     - Vulnerability Disclosure: vulnerability and CVE Record released.
  10. Who is a CNA? – Organization Type
      A CNA can be any organization from around the world, from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign.
      CNA: 224 | CNA-LR: 2 | Root: 3 | Top-Level Root: 2
      - Vendors and Projects: currently 198 participants (e.g., Microsoft and Siemens)
      - National and Industry CERTs: currently 11 participants (e.g., Spain and Japan)
      - Bug Bounty Programs: currently 7 participants (e.g., Zero Day Initiative and HackerOne)
      - Hosted Services: currently 3 participants (e.g., Ping Identity Corporation and Carrier Global Corporation)
      - Vulnerability Researchers: currently 43 participants (e.g., AppCheck Ltd. and Automotive Security Research Group (ASRG))
  11. Who is a CNA? – Partners by Country
      Australia: 2, Austria: 1, Belgium: 1, Canada: 5, Chile: 1, China: 10, Colombia: 1, Czech Republic: 1, Denmark: 1, Estonia: 1, Finland: 3, France: 3, Germany: 10, India: 4, Ireland: 1, Israel: 4, Japan: 9, Latvia: 1, Netherlands: 5, New Zealand: 1, Norway: 1, Romania: 1, Russia: 2, Singapore: 1, Slovak Republic: 1, South Korea: 4, Spain: 4, Sweden: 2, Switzerland: 6, Taiwan: 7, Turkey: 3, UK: 6, USA: 122, Vietnam: 1
  12. Who is a CNA? – Structure
  13. How to Become a CNA? – Requirements
      1. Have a public vulnerability disclosure policy (see https://vuls.cert.org/confluence/display/CVD).
      2. Have a public source for new vulnerability disclosures.
      3. Agree to the CVE Program Terms of Use.
  14. How to Become a CNA? – Process
  15. Why Become a CNA?
      - CNA
        - Control: CVE publication
        - Security: patch development
      - Stakeholders
        - Confidence: mature vulnerability practices
        - Communication: prevention for customers
      - Community
        - Responsibility: strengthens the cyber ecosystem
        - Participation: vulnerability management
  16. Misconceptions
      1. Reporting too many vulnerabilities is bad.
      2. Becoming a CNA will require considerable overhead.