Critical services to be given early warning of software vulnerability

The government is to issue confidential warnings about software security vulnerabilities to key organisations months before they are made public.

The National Information Security Co-ordination Centre (NISCC), part of the Home Office, will work with private sector security specialists to provide organisations that run critical services, such as health, finance, telecoms and transport, with advice on protecting their systems.

The information will be released before suppliers deliver patches - a process that can take up to nine months.

The move, which steps up work already carried out by the NISCC, follows businesses' concerns that the time taken for hackers to reverse engineer patches to create new hacking tools has fallen from weeks to days.

"If something is really serious, you want to give people as much advance warning as you can," said Roger Cumming, director of the NISCC, in an interview with Computer Weekly.

To succeed, the NISCC will need to tread a fine line between giving organisations enough information to protect their computer systems and disclosing technical details that could be exploited by hackers.

This will be achieved by "stripping away" sensitive information and offering companies advice on which components in their operating systems to turn off, which ports to leave closed, or which software components to disable, said Cumming.

The NISCC plans to build on work earlier this year in which, before the flaw became public, it helped ISPs and telecoms companies protect their networks from a vulnerability that could have disrupted global internet communications.

The agency entered into a partnership with consultancy NGS Software to advise companies and government on countermeasures to vulnerabilities. Other alliances are expected to follow.

NGS researchers have found 83 serious vulnerabilities in software systems in the past six months, 40% of which could be exploited directly by hackers to gain unauthorised access.

"We aim to give enough information that the organisations concerned can protect themselves, but we will not specify enough detail for someone to be able to hack the exploit. We will err on the side of caution," said NGS director Chris Anley.
