It’s not just the zero days. Sure, they’re important, but security teams shouldn’t fixate on them to the exclusion of known problems.
Google calls for improved industry practices.
Google released a new whitepaper on its blog, The Keyword, focusing on the need for companies producing technology to be proactive about their security measures. Specifically, it calls out the trend of focusing on zero-day exploits instead of patching existing security vulnerabilities. It lists four areas in which companies can improve: “looking beyond zero days, normalizing transparency, supporting researchers, and escaping the doom loop.”
Fix the known problems first, then move to the zero days.
Google explains in its whitepaper that companies need to fix existing problems before moving on to patch new problems exposed by zero-day exploits. They explain, “The industry tends to focus on patching zero-days, rather than staying current on security updates as a whole. This practice can leave users open to harm and potential known vulnerability exploitation.” Google points out that since patching can be easier said than done, “The industry should invest in making testing and applying patches easier for customers.” Google recommends that companies publish a timeline explaining when patches will come out, and that such timelines should be adopted as an industry norm.
Transparency creates a more robust cyber immune system.
Increasing transparency is crucially important, Google suggests, because more scrutiny will make products more secure before they are released into the wild. “Vendor transparency about their vulnerabilities allows the development of ecosystem-wide mitigations and a shared view of attack trends.” This closely echoes Jen Easterly, the Director of CISA, who called for “radical transparency” at a CrowdStrike event on Tuesday, adding that she would like to see companies “laser focused on safe software” prior to launch. Google also calls on governments to join this transparency effort, saying, “The U.S. Vulnerability Equities Process represented a positive step forward, but more data on outcomes could help further its mission. Other countries should follow the U.S.’s lead here but also improve upon it, such as by sharing the number of vulnerabilities disclosed versus those withheld from disclosure or sharing more information about exploitation in general.”
Legal frameworks should protect research, not punish it.
Google expressed concerns about regulations requiring security researchers to disclose vulnerabilities to the government before informing the affected parties. It also argued for the importance of research being protected by an effective legal framework. “Legal frameworks that do not acknowledge the difference between research for defensive purposes versus malicious activities risk significantly chilling the former, which has become an essential component of the ecosystem.” Google cites the US Department of Justice’s revision of its enforcement policy for the Computer Fraud and Abuse Act as a good example: “The policy for the first time directs that good-faith security research should not be charged.”
Cybersecurity fundamentals are still important.
Finally, Google suggests that companies focus on the root causes of vulnerabilities to help eliminate whole classes of threats. “For example, 15 of the 40 (37.5%) zero-days exploited in the wild which Project Zero analyzed in 2022 were variants of previously known bugs. This issue comes down to either a) a failure to understand the root cause of a given flaw, or b) a failure to prioritize truly fixing it.” This loops back to Google’s first recommendation: fix the known flaws to mitigate future damage arriving through that same vector.