Zero Day Initiative changes disclosure policy and forces manufacturers to do better
Trend Micro, one of the world’s leading cybersecurity companies, has warned that a growing number of missing or defective patches could cost organizations more than $400,000 per update.
At Black Hat USA 2022, one of the world’s premier cybersecurity events, Trend Micro Zero Day Initiative (ZDI) executives presented policy changes specifically designed to address the decline in both patch quality and manufacturers’ communications with customers.
Brian Gorenc, Senior Director of Vulnerability Research and Head of ZDI, shared his thoughts at the event: “Since 2005, ZDI has disclosed more than 10,000 security vulnerabilities to manufacturers. However, we’ve never been more concerned about the status of industry-wide security patches. Manufacturers that don’t release enough patches with confusing recommendations are wasting their customers’ time, money and unnecessary risk.”
ZDI has identified three main issues caused by manufacturers releasing incorrect or incomplete patches:
- Companies no longer have a clear picture of the real risks to their networks due to poor manufacturer practices.
- Companies must spend time and money on additional work on previously applied patches due to missing and incorrect updates.
- A failed patch carries more risk than no patch at all, because defenders assume the vulnerability has been fixed when in fact it has not.
Each of these scenarios requires additional, corrective updates to close a single vulnerability, significantly increasing patch costs, wasting company resources, and creating new risks.
In addition, the growing reluctance among manufacturers to provide clear and reliable patch information makes it difficult for network defenders to accurately assess the risk they face.
Therefore, ZDI is changing its disclosure policy for ineffective patches in order to drive industry-wide improvement. Going forward, the default 120-day disclosure timeline will be shortened for bugs believed to result from a bypassed security patch, as follows:
- 30 days for the most critical cases, where exploitation is expected to be severe
- 60 days for critical and high-severity bugs where the patch provides some protection
- 90 days for other severity levels, where exploitation is not expected in the near future
Even when designed well, patches can inadvertently increase risk by alerting threat actors to the underlying vulnerability. Only a small number of organizations manage to prepare and roll out patches before exploitation begins. The risk of a breach is greatly increased when patches are incomplete or incorrectly prepared.
Although the cost of patching varies by organization, Trend Micro has developed a formula to estimate the cost of defective patches: Total Cost = f(T, HR, S, PF). T is the time spent on patch management; HR is the personnel cost required for patching; S is the number of applications to be patched; and PF is the patch frequency, which is every 2-3 weeks for some applications.
It’s not uncommon for medium and large businesses to spend upwards of six figures per month on patching. Regardless of the formula used to calculate patch spend, applying multiple updates to the same vulnerability not only wastes time but also increases the financial burden on businesses and exposes them to additional risk.
To help companies better understand and mitigate these risks, Trend Micro recommends the following:
- Develop rigorous programs for asset discovery and management
- Choose the most financially viable and reliable manufacturers whenever possible
- Conduct advanced risk assessments by monitoring patch revisions and closely following changes in the threat landscape
*ZDI is the world’s largest vendor-independent bug bounty program, accounting for approximately 64 percent of all vulnerabilities disclosed in 2021.
Source: (BYZHA) – Beyaz News Agency