By: Amit Yoran, Chairman and CEO, Tenable (TENB)
A lack of transparency in cybersecurity puts us all at risk. With more than 25 years in cybersecurity and a reputation for posting/speaking candidly, I think this issue is too important to stay silent on. I can only imagine how many security professionals and researchers get silenced by lawyers or otherwise don’t have the platform to have their voice heard.
As you might imagine, Tenable is prolific in vulnerability research, and during the course of a year we may work with over a hundred software vendors to identify and address new vulnerabilities. In March, we discovered two vulnerabilities (one of which we consider critical) in Microsoft’s Azure platform (you can read more about the specifics of each vulnerability and our notification process here).
Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service. After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk. It was only after being told that we were going to go public that their story changed, 89 days after the initial vulnerability notification, when they privately acknowledged the severity of the security issue. To date, Microsoft customers have not been notified.
This is a repeated pattern of behavior. Several security companies have written about their vulnerability notification interactions with Microsoft, and about Microsoft’s dismissive attitude toward the risk that vulnerabilities present to its customers. Orca Security, Wiz, Positive Security and Fortinet published prime examples, with Fortinet covering the security disaster known as “Follina”.
For an IT infrastructure provider or a cloud service provider that is not being transparent, the stakes are raised exponentially. Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack, or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy.
FireEye/Mandiant provided an exemplary model for responsible disclosure when the company disclosed its own breach, even prior to the forensic evidence resulting in the SolarWinds revelations of 2020.
The answer can’t just be asking vendors to do better. Holding a cloud or technology provider to a standard of care and transparency is essential. Independent audit and assessment of IT infrastructure and cloud service providers should be mandatory.
The fox is guarding the henhouse. Trust but verify. The simple lessons we have been taught since elementary school remain applicable in cyber.