Alternative Approach to Tackling Vulnerabilities

Security Vulnerabilities Leave End-Users Exposed, But Perhaps There’s Another Way…

I recently read an article on software vulnerabilities and the belief these issues will always be present.  This theory makes sense, as society’s dependence on technology and software continues to increase, the likelihood of security gaps existing increases as well.  Although, as long as these security gaps are addressed timely, there should be no need for major concern.

However, reports suggest 25% of known vulnerabilities do not have a fix.  Considering these are known vulnerabilities — meaning hackers are aware of them as well, this statistic is highly worrisome.  Also, since there is not a fix, the likelihood of the security gap being exploited for malicious activity is quite high.

A new study conducted by New York University believes there is an alternative way of addressing security gaps.  By addressing them, I mean “diverting hackers to other things”.  Basically, these researchers are suggesting developers fill software with vulnerability look-alikes.  Meaning, when the hacker scans the program for vulnerabilities, they will see a plethora of them.  Theoretically, the hackers would then try to exploit these “vulnerabilities”, wasting their most important resource, time.  At this time, researchers have confirmed, there is not a way to identify the fake security gaps and the real ones.  Although, once the hackers realize they have been dupped, I’m sure it won’t take long before they find a way to differentiate the two.

Now this “fix”, seems more like a band-aid than anything, but I want your opinion.  Do you think it’s a good idea?  Drop your comments below.

3,452 total views, 3 views today

(Visited 2,473 times, 1 visits today)

14 thoughts on “Alternative Approach to Tackling Vulnerabilities

  1. I personally think that a way of truly tracking an accurate location of the hacker needs to be developed. Then they get a swat team visit who has orders to leave no one alive. I few such hits when the hackers may fear eminent death could result might actually be a deterrence. I think that punishment for all crimes should be severe enough to act as a deterrence to others.

  2. Agree with counterpunching the hacker but there needs to be a layer (or layers) of defence to be penetrated first. A very simple thick skin covering tender complex systems underneath. A school or business doesn’t have just one defence of fire, but many defences, many layers of defence, and automatic countermeasures.

  3. I think it is a waste of time and bandwidth and not just the time of the hackers. VPN filter exploited the obvious vulnerability of upgrade-able firmware.

  4. I agree with Gregg McGlynn. Turn the vulnerabilities into offensive weapons so that when exploited, they infect the hackers system. If nothing else, they would move on to easier targets so their systems wouldn’t keep getting zapped.

  5. Doing so will enlarge the codebase and thus enlarge the amount of errors
    and vulnerabilities in this codebase and by that the attack surface.

    Take the simply stated ““diverting hackers to other things” The “diverting”
    might be easy, the “other things” is anything but that.

    The effort put in this tactic can be better put in writing better, smaller and
    comprehensible code.

  6. These sound like camouflage…making something look like it is something else. Those fake vulnerabilities could then divert the hacker to an offensive site which would attack the hacker’s server as well as locate them.

  7. Make vulnerabilities into mouse traps. And don’t just check what’s coming in. Tight rein on what’s going out, whatever the vulnerability it has to send something back to the knucklehead hacker’s that have nothing better to do. Don’t just lace it with a poison pill, put a hacker total meltdown in it. Make the reward of hacking in the unavoidable tsunami. Try thinking about destroying them instead of being destroyed by them. Thanks.

  8. what’s the effort of doing such fake vulnerabilities compared to the effort of fixing the real ones, or if not fixable (at present state of the art), to put some “watch dogs” nearby to control and minimize vulnerability impact.

    And by the end of the day, after some fake vulnerabilities, te real one will be found and attacked…

    Decoys are not a solution in it self, usually are used only to gain time or opportunity to do the real thing.

  9. It may only be a band-aid, but how many times do we use those strips when we have a “boo boo”? This is an alternative that is better than just leaving yourself unprotected (just like the band-aid keeps out the “bad stuff” from getting into an open cut).

  10. I do not see why most important company and government networks keep ALL sensitive data secure on an IntrAnetwork and only allow internet access thru secure firewalls. Large, country wide network systems could use dedicated fiber across the country. There are sufficent unused fibers available to use 10 gig and 40 gig data rates and fiber is only hackable if someone working on the systems taps into it.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.