Red Teams | How SCADA highlights the futility of finding security vulnerabilities

Home About Rules Books Guide FAQ Ask

About: What are Red Teams? We're sort of like the special forces units of the security industry—highly skilled teams hired to break into the clients' own networks and premises. We find the security flaws so they can be patched before someone with more malicious plans gets in.
The goal of Red Team operations is to continuously challenge the plans, defensive measures and concepts of the organization. These exercises result in a better understanding of possible adversaries and help to improve counter measures against them and future threats.

About FAQ

How SCADA highlights the futility of finding security vulnerabilities | Zero Day

Many (but not all) researchers seek out vulnerabilities in an attempt to reduce risk. However, they ignore the threat component. And that means that, in order for risk to be reduced, any reduction in vulnerability level must be greater than the increase in the threat levels. Even though most vulnerabilities are never exploited, there are a number of examples from the past that show that more incidents occur after a disclosure event. Given the SCADA situation at hand, it is unlikely that the vulnerability level will be reduced to offset the increase in threat, and therefore more incidents are likely.

It is a very valid point. I agree with the full vulnerability disclosures, however you also need to take into account whether disclosing it without control will affect the safety of people, the security of systems beyond the software vulnerable and the overall picture.

Go read the entire post. Some very valid points.

page 1 of 1