November 25

Branded Vulnerabilities

Today starts a new chapter for me, partly because last week I finally completed my Bachelor of Science in Cybersecurity and partly because I just started my Master’s in the same field. As part of one of my current courses, and from what I understand many of the courses I will be taking over the next 18 months, I am to keep up a weekly blog. This is good news for all of you who want some good reading: for the next 18 months (at least) I will be showering the world of security with my thoughts on security. Enough about why I am writing this blog; on to the topic at hand, vulnerabilities with brand names.

In the last year we have seen a cascade of vulnerabilities announced that have spread their brand all over the media, well beyond the typical security and techie sites. I think it is safe to say that this problem started with “Heartbleed” in April of 2014. At the time this was an anomaly: it was a rather serious vulnerability, but it was “released” with a logo and a website devoted to it. I can’t remember a vulnerability being branded like this before, and it sparked a trend that is starting to have a detrimental effect on those of us who actually work in IT security. Since “Heartbleed” there have been Poodle, Unicorn and Shellshock, to name a few.

The problem is this. Heartbleed was pretty bad, and it did help that the executives, and their wives, and our grandmothers all heard about it; that visibility got those of us in the industry the resources and attention the issue needed. But now these “less serious” vulnerabilities, like Unicorn for example, come out with a brand, get on CNN, and suddenly something that professionals have assessed as a medium risk at best becomes a “drop everything and fix this NOW!” type issue. Someone in the executive suite has seen the constantly repeating clips on CNN, and now we have to drop more important things to “fix” the Poodle issue, or whatever the latest newsworthy vulnerability is.

So, in short: if you are good enough to discover a new vulnerability, please let those of us in the industry know before you give it a brand name and send a press release to CNN.


Check back next week for more.

John Nye