A Thoughtful Response to the Post

POST

What I found most interesting from the Host Hardening chapter were the four types of fixes used to address program “vulnerabilities”. These vulnerabilities represent security weaknesses opening programs to attacks and are often found by vulnerability finders. It was most surprising that vulnerability finders (VF) sell the vulnerabilities they find to hackers (Boyle and Panko, 2012, p. 392), who quickly develop exploit programs taking advantage of the vulnerability. Unfortunately, as in most things, if there is no money to be made doing an activity, it is not a surprise that VFs sell to hackers. If this is the case, then why do vendors not compensate VFs for reporting the vulnerabilities that they have discovered? One reason could be that the “responsible disclosure” of vulnerabilities is actually what a specific subset of attackers uses to set up their attacks (Is there such, 2012). There can also be legal ramifications and the possibility of the accusation of being a malicious hacker yourself when reporting vulnerabilities to vendors (Davis, 2016). The link below makes for some very interesting reading where a college professor reports a “vulnerability” he discovered to a healthcare provider and is accused of being a hacker, with the legal ramifications being substantial. Although the host hardening chapter conveys the many hardening techniques and tools used to increase security, I felt that just touching on “vulnerability reporting” illustrates how complex hardening issues can be.

The most difficult concept in the chapter was “cloud computing”, which utilizes processing power, applications, data storage and other services (Boyle and Panko, 2012, p. 381). I can see that cloud computing is combining the benefits of both the mainframe and client-server architectures but realize that corporations have been slow to adopt external cloud services. The hesitancy from my perspective is the “trust factor” of using a third-party vendor with all of your data. Although, as the text notes, the advantages are reduced costs, reliability, disaster recovery, data loss, agility and accessibility, to name a few, the biggest concern with cloud “storage” is lost data, not hacked data (Ko, n.d.). Even with a strong latitude of advantages corporations have been slow to adopt cloud services for the following reasons.

RESPONSE

Talking about the Host Hardening Chapter, I like the way you have shed light upon some of the hard realities of the computer world. A vulnerability that represents a system’s weakness is not only exploited by hackers, but also by the vulnerability finders themselves. It has become a black business where vulnerability finders themselves sell the vulnerabilities to the hackers. However, this point somehow seems justified because when there are no attacks on the systems, there will be no market for the vulnerability finders. It is important for them to remain in the business. One important question raised in the article is why the vendors don’t compensate the VFs by buying the vulnerabilities themselves to overcome the weaknesses in their products. You discussed two reasons for this question, and both seem reasonable. One is that the vulnerabilities might have been disclosed to somebody and that person would be responsible for the attack then. The second reason is that the vulnerability finders are considered hackers sometimes. There exist certain cases when the vulnerability reporters were accused of being hackers by the vendors. Therefore, they fear reporting them to vendors.

The second concept discussed by you is ‘cloud computing.’ Cloud computing brings all kinds of infrastructures onto a single platform. I agree with you that people might be adopting this technology at a slow pace, but it is a growing market. Many businesses are now adopting it as it provides various benefits such as reliability, reduced costs, data recovery, accessibility, agility and many more. But it also poses certain threats, including data breach, loss, alteration or even destruction. It is true that the problem with the cloud is not hacked data but actual data loss. However, these security issues are under examination in the cloud computing framework, and the cloud platforms seem determined to come up with the best possible solutions.
