Cybersecurity is a constantly evolving field with new threats emerging every day. One critical concept to understand is the “window of exposure.” This window represents the period of time during which a system is at risk of attack due to a security vulnerability. Understanding the window of exposure is essential in ensuring that your systems are secure.
To understand the window of exposure, let’s imagine a scenario where a software company releases a new product. The product has a vulnerability that can be exploited by attackers to gain unauthorized access to the system. When the vulnerability is discovered, the window of exposure opens and the system is at risk.
Image via Sophos News.
The window of exposure has five distinct phases. The first phase is before the vulnerability is discovered, during which the vulnerability exists, but no one can exploit it. For example, a software company may accidentally leave a backdoor in their product—the backdoor exists, but no one knows about it.
The second phase is after the vulnerability is discovered but before it is announced. At this point, only a few people know about the vulnerability, but no one knows how to defend against it. For example, if a security researcher discovers the backdoor, they may keep it to themselves to prevent it from being exploited.
During phase three, the vulnerability is announced, and more people learn about it, increasing the risk. For example, if the security researcher publishes their findings, the software company and attackers will learn about the vulnerability.
Phase four is the most dangerous phase. An automatic attack tool to exploit the vulnerability is published, and the number of people who can exploit the vulnerability grows exponentially. For example, if an attacker creates and distributes a tool to exploit the backdoor, anyone can use it to gain unauthorized access to the system.
Finally, phase five begins when the software company issues a patch that closes the vulnerability, and people install the patch and re-secure their systems, reducing the risk of exploitation.
The goal of any responsible security professional is to reduce the window of exposure as much as possible. There are two basic approaches to this: limiting the amount of vulnerability information available to the public and reducing the window of exposure in time by issuing patches quickly.
Limiting the amount of vulnerability information available to the public might work in theory, but it is impossible to enforce in practice. There is a continuous stream of research in security vulnerabilities, and most of this research results in public announcements. Hackers write new attack exploits all the time, and the exploits quickly end up in the hands of malicious attackers. While some researchers might choose not to publish a vulnerability they discover, public dissemination of vulnerability information is the norm because it is the best way to improve security.
Reducing the window of exposure in time by issuing patches quickly is the other approach. Full-disclosure proponents publish vulnerabilities far and wide to spur vendors to patch faster. In an ideal scenario, the software vendor would release a security patch for the vulnerability before any automated hacking tools are developed to exploit it. In practice, it is often the appearance of such automated exploit tools that pressures vendors to accelerate the release of patches.
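As an added illustration (not part of the original article), the following Python model encodes the five phases described above and the patch-speed argument: it reports which phase a vulnerability is in on a given day, how long it spent in each phase, and how long an individual host stayed exposed depending on when that host installed the patch. All dates are constructed for the example.

```python
# Added example with constructed dates; models the article's five phases and the
# per-host window that closes only when that host installs the patch.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Timeline:
    introduced: date                      # phase 1 starts: flaw exists, unknown
    discovered: Optional[date] = None     # phase 2: known to a few
    announced: Optional[date] = None      # phase 3: public disclosure
    exploit_tool: Optional[date] = None   # phase 4: automated exploit available
    patch_issued: Optional[date] = None   # phase 5: vendor fix available

    def phase(self, on: date) -> int:
        """Phase (1-5) on a given day: the latest milestone reached wins, so a
        patch issued before an exploit tool keeps the vulnerability in phase 5
        (hosts that have not installed it are still exposed, see below)."""
        milestones = (self.discovered, self.announced, self.exploit_tool, self.patch_issued)
        phase = 1
        for number, reached in enumerate(milestones, start=2):
            if reached is not None and on >= reached:
                phase = number
        return phase

    def phase_durations(self, until: date) -> dict:
        """Days spent in each phase from introduction up to (excluding) until."""
        counts = {p: 0 for p in range(1, 6)}
        day = self.introduced
        while day < until:
            counts[self.phase(day)] += 1
            day += timedelta(days=1)
        return counts

    def host_exposure_days(self, patch_installed: date) -> int:
        """Days one host was at risk: from discovery (phase 2) until that host
        installed the patch. Phase 1 is not counted: nobody exploits an unknown flaw."""
        if self.discovered is None or patch_installed <= self.discovered:
            return 0
        return (patch_installed - self.discovered).days

# Constructed sample timeline (not a real incident); the patch lands before the tool.
EXAMPLE = Timeline(
    introduced=date(2023, 1, 10), discovered=date(2023, 3, 1),
    announced=date(2023, 3, 15), exploit_tool=date(2023, 3, 20),
    patch_issued=date(2023, 3, 18),
)

if __name__ == "__main__":
    # A host patching the day after release vs. one waiting six weeks.
    print(EXAMPLE.phase_durations(date(2023, 5, 1)),
          EXAMPLE.host_exposure_days(date(2023, 3, 19)),
          EXAMPLE.host_exposure_days(date(2023, 5, 1)))
```

The two host figures make the article's point concrete: the vendor's patch date is the same for both hosts, yet the host that delays installation more than triples its own window.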
Vulnerabilities are inevitable, and the only way to close the window of exposure is to build security systems that are resilient to vulnerabilities. Good security includes not only protection but also detection and response. An internet alarm system that detects attacks in progress, regardless of the vulnerability that was exploited, has the ability to close the window of exposure completely. For example, if an attacker exploits the backdoor in the software company’s product, an internet alarm system can detect the attack and alert the security team, allowing them to respond quickly and prevent further damage.
Image via ResearchGate.
The debate between full disclosure and secrecy in computer security has no solution because there is no one solution. Both sides are missing the point. We must stop thinking of software security as an end state and that fixing the bugs will make the software perfect. Security vulnerabilities are inevitable, and there will always be a window of exposure. The real issue is how to close the window of exposure. Smart security solutions will work regardless of the presence of vulnerabilities.
Real-world examples of the window of exposure in action are plentiful. One notable example is the WannaCry ransomware attack that occurred in May 2017. The attack exploited a vulnerability in Microsoft Windows that had been discovered by the National Security Agency (NSA) but was not reported to Microsoft. The vulnerability was later leaked by a group of hackers calling themselves “The Shadow Brokers.” The WannaCry attack spread rapidly, infecting hundreds of thousands of computers in more than 150 countries. The attack caused widespread disruption, including shutting down hospitals in the UK and affecting the operations of major companies such as FedEx and Renault.
Another example is the Equifax data breach that occurred in 2017. The breach exposed sensitive personal information, including Social Security numbers and birthdates, of over 143 million people. The breach was caused by a vulnerability in the Apache Struts web application framework that Equifax used. Equifax had been notified of the vulnerability and issued a patch, but failed to install the patch in a timely manner, leaving their systems vulnerable to attack.
One more example is the Heartbleed vulnerability that was discovered in the OpenSSL cryptographic software library in April 2014. The vulnerability allowed attackers to read sensitive information from the memory of affected systems, including passwords and private keys. The vulnerability had existed for two years before it was discovered and publicly announced. The window of exposure for the Heartbleed vulnerability was significant, and it took time for vendors to issue patches and for users to install them, leaving many systems vulnerable to attack.
In conclusion, understanding the window of exposure and its phases is critical when securing computer systems. While there is no one solution to computer security, responsible security professionals must focus on reducing the window of exposure as much as possible and building security systems that are resilient to vulnerabilities. By doing so, we can mitigate the risks and protect our systems from attackers.