Sunday , December 22 2024

Google New Initiative to Reduce the Risk of Zero-Day Vulnerabilities

Charley Snyder, the Head of Security Policy at Google, has posted a new initiative that will eliminate the risk of vulnerabilities and protect security researchers.

In his post, he mentioned, “The security industry has improved in many ways, both in technological advances and collaboration, but many challenges remain, especially within the vulnerability management realm. Today it seems like the community is caught in the same cycle when it comes to security vulnerabilities”.

Eight New ICS Advisories released by CISA

CISA has released eight advisories on vulnerabilities in Industrial Control Systems (ICS). These vulnerabilities affect essential software and hardware in...
Read More
Eight New ICS Advisories released by CISA

Authority Denies
Hacker claim ransomware attack on Indonesia’s state bank BRI

Bank Rakyat Indonesia (BRI), the largest state bank by assets, has assured customers that their data and funds are secure...
Read More
Authority Denies  Hacker claim ransomware attack on Indonesia’s state bank BRI

London-based company “Builder.ai” reportedly exposed 1.2 TB data

Cybersecurity researcher Jeremiah Fowler reported to Website Planet that he found a non-password-protected 1.2 TB dataset containing over 3 million...
Read More
London-based company “Builder.ai” reportedly exposed 1.2 TB data

(CVE-2024-12727, CVE-2024-12728, CVE-2024-12729)
Sophos resolved 3 critical vulnerabilities in Firewall

Sophos has fixed three separate security vulnerabilities in Sophos Firewall.  The vulnerabilities CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729 present major risks, such...
Read More
(CVE-2024-12727, CVE-2024-12728, CVE-2024-12729)  Sophos resolved 3 critical vulnerabilities in Firewall

“Workshop on Cybersecurity Awareness and Needs Analysis” held at BBTA

A time-demanding workshop on "Cybersecurity Awareness and Needs Analysis" was held on Thursday (December 19) at Bangladesh Bank Training Academy...
Read More
“Workshop on Cybersecurity Awareness and Needs Analysis” held at BBTA

CVE-2023-48788
Kaspersky reveals active exploitation of Fortinet Vulnerability

Kaspersky's Global Emergency Response Team (GERT) found that attackers are exploiting a patched SQL injection vulnerability (CVE-2023-48788) in Fortinet FortiClient...
Read More
CVE-2023-48788  Kaspersky reveals active exploitation of Fortinet Vulnerability

U.S. Weighs Ban on Chinese-Made Router TP-Link: WSJ reports

The US government is considering banning a well-known brand of Chinese-made home internet routers TP-Link due to concerns that they...
Read More
U.S. Weighs Ban on Chinese-Made Router TP-Link:  WSJ reports

Daily Security Update Dated: 18.12.2024

Every day a lot of cyberattack happen around the world including ransomware, Malware attack, data breaches, website defacement and so...
Read More
Daily Security Update Dated: 18.12.2024

CISA released best practices to secure Microsoft 365 Cloud environments

CISA has issued Binding Operational Directive (BOD) 25-01, requiring federal civilian agencies to improve the security of their Microsoft 365...
Read More
CISA released best practices to secure Microsoft 365 Cloud environments

Data breach! Ireland fines Meta $264 million, Australia $50m

The Irish Data Protection Commission fined Meta €251 million ($263.6 million) for GDPR violations related to a 2018 data breach...
Read More
Data breach! Ireland fines Meta $264 million, Australia $50m

The post also mentioned that Vulnerability management has become highly challenging as every vulnerability revolves around a cycle of found, patched, and new vulnerabilities.

This is because the patches released by the vendors are not sufficient enough to fix the vulnerability once and for all.

Project Zero is a team inside Google that has been studying software and hardware vulnerabilities and provides a patch and a time for disclosure.

However, this patch cycle has been going around for many years, so Google has devised an idea to stop this loop.

An Unpatched Ecosystem

Google posted that the zero-day vulnerabilities will always become flash news, but the risk remains the same even after they are patched.

These risks include the original equipment manufacturer (OEM) adopting the patch, testing the patch and its pain points, and also includes the end-user updating the fixed patch.

The post also said that over one-third of the vulnerabilities found in 2022 were primarily additional variants of earlier vulnerabilities. Due to these, Google has proposed the following initiatives.

Greater Transparency

This includes the manufacturer and government providing transparency on the exploitation of the vulnerabilities and how they are adopting the patches. This helps to understand whether the current method of approach works or needs additional steps.

Attention to Friction Points

During a vulnerability lifecycle, there must be extreme attention to the difficulties every user faces in running a patch and whether they know the vulnerability’s risks.

Root Cause Addressing

This means that the root cause of every vulnerability must be addressed to the developers, and every development cycle must prioritize modern secure software development practices.

This development practice must also have the potential to seal all exploitation methods of a vulnerability.

Security Researcher Protection

Security Researchers face legal threats from vendors for their contributions whenever their research is not expected or misunderstood. This creates a sense of negligence for valuable security research and vulnerability disclosure.

These credible security researchers must be protected since their research prevents threat actors from exploiting a vulnerability.

Patching the Ecosystem together

Google proposed that stakeholders, users, security researchers, vendors, platform or service developers, governments, and any others who are important in patching a vulnerability must come together in support of patching these exploitable bugs.

Hacking Policy Council

In recent years, new laws support private disclosure of vulnerabilities to the Government under certain conditions.

Due to this, the Hacking Policy Council has been formed by Google, which will help support best practices for vulnerability management with new policies and regulations.

As mentioned, Individual security researchers have been contributing enormously to Security.

These contributions help vendors patch a vulnerability before they get into a data breach by an attacker’s exploitation.

However, they sometimes face legal issues which will remove them from the security research radar.

To protect these individuals from legal issues, Google has introduced the Security Research Legal Defense Fund, which will aid security researchers in having legal representation and improve cybersecurity posture in the Public.

Exploitation Transparency

Google claims that users must also be notified about exploiting a vulnerability which will help users understand a threat actor’s method of attack, which can also lead to better protection.

We believe this transparency should become part of the industry’s standard vulnerability disclosure policies. We have always prioritized transparency when our products are exploited, but starting today we will make this an explicit part of our policy, committing to publicly disclose when we have evidence that vulnerabilities in any of our products have been exploited,” reads the post published by Google.

As posted by Google, these efforts must positively impact downgrading the risk of vulnerabilities. However, the results of this initiative will have to wait until implementation.

Check Also

HSBC

HSBC sued by ASIC: customers allegedly scammed of $23 million

HSBC Bank Australia Limited did not sufficiently safeguard customers from scams that resulted in millions …

Leave a Reply

Your email address will not be published. Required fields are marked *