Critical services to be given early warning of software vulnerability

Bill Goodwin
The government is to issue confidential warnings about software security vulnerabilities to key organisations months before they are made public.

The National Information Security Co-ordination Centre (NISCC), part of the Home Office, will work with private sector security specialists to provide organisations that run critical services, such as health, finance, telecoms and transport, with advice on protecting their systems.

The information will be released before suppliers deliver patches - a process that can take up to nine months.

The move, which steps up work already carried out by the NISCC, follows businesses' concerns that the time taken for hackers to reverse engineer patches to create new hacking tools has fallen from weeks to days.

"If something is really serious, you want to give people as much advanced warning as you can," said Roger Cumming, director of the NISCC, in an interview with Computer Weekly.

To succeed, the NISCC will need to tread a fine line between giving organisations enough information to protect their computer systems and disclosing technical details that could be exploited by hackers.

This will be achieved by "stripping away" sensitive information and offering companies advice on which components in their operating systems to turn off, which ports to leave closed, or which software components to disable, said Cumming.

The NISCC plans to build on work earlier this year which helped ISPs and telecoms companies protect their networks from a vulnerability that could disrupt global internet communications before it became public.

The agency entered into a partnership with consultancy NGS Software to advise companies and government on countermeasures to vulnerabilities. Other alliances are expected to follow.

NGS researchers have found 83 serious vulnerabilities in software systems in the past six months, 40% of which could be exploited directly by hackers to gain unauthorised access.

"We aim to give enough information that the organisations concerned can protect themselves, but we will not specify enough detail for someone to be able to hack the exploit. We will err on the side of caution," said NGS director Chris Anley.
