    Fuzzing Analysis Shows ICS, IoT Industries Most at Risk of Zero Days

    By ROBERT LEMOS - August 10, 2017

      Industrial control systems and the Internet-of-Things are the industries most likely to have unknown vulnerabilities in their products, because their development processes are the least mature, according to data from more than 4.8 billion automated tests conducted by clients of security-services firm Synopsys.

      The data comes from fuzz testing, or fuzzing, an automated process that systematically sends data to devices and systems with the goal of causing errors in a targeted network protocol. Overall, the testing of more than 250 protocols saw the first failure within 1.4 hours on average.

      Yet, the time to first failure (TTFF) was highly protocol dependent. One niche technology used by Internet of Things (IoT) and industrial control system (ICS) manufacturers failed within 6.6 seconds.

      Because the software defects were found during testing, companies were able to fix the issues. Yet, the data shows that IoT and ICS developers are more likely to have errors in their protocols and code, an indication that their processes are less technically mature. The trend presumably extends to companies that are not regularly using fuzz testing to find issues and will therefore likely have vulnerabilities in their code, Jonathan Knudsen, security strategist with Synopsys, told eWEEK.

      “If you think about ICS, IoT and even healthcare systems, they are used to running on some factory floor or closed environment, so everyone is focused on functionality,” he said. “And then the internet happened and we started putting everything on the global network—exposing these things to the internet means we see a lot of flaws and a lot more threats.” The data suggests that certain industries are less mature and adopt less vetted—likely, newer—protocols.

      For example, the Session Initiation Protocol (SIP), used for internet messaging, telephony and video conferencing, is less mature. The SIP User Agent Server (UAS) protocol had a 0.3 percent failure rate among more than 100 million tests.

      While that rate seems low, it means that the tested software failed more than 320,000 test cases. By comparison, the Address Resolution Protocol (ARP) is a mature standard, and no flaws were found in more than 340,000 tests.
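
      The two metrics discussed above, failure rate and time to first failure, can be reproduced on a small scale. The following is an added example, not code from Synopsys or the original article: a generation-based fuzzer that substitutes anomalous values into one field at a time of a constructed SIP-style message and reports both metrics for a naive parser and a hardened one. The message template, the anomaly list and both parsers are assumptions made for illustration.

```python
import time

class ParseError(Exception): pass  # clean rejection: expected, not a failure

# Constructed template and anomaly list (assumptions, not from the article).
TEMPLATE = {"method": "INVITE", "uri": "sip:bob@example.com",
            "version": "SIP/2.0", "length": "4", "body": "test"}
ANOMALIES = ["", "A" * 5000, "-1", "a b", "\r\n", "99999999999"]

def build(fields):
    return ("{method} {uri} {version}\r\n"
            "Content-Length: {length}\r\n\r\n{body}").format(**fields)

def naive_parse(msg):  # functionality-first: assumes well-formed input
    head, body = msg.split("\r\n\r\n", 1)
    line, header = head.split("\r\n", 1)
    method, uri, version = line.split(" ")
    length = int(header.split(": ")[1])
    return method, uri, body[:length]

def hardened_parse(msg):  # malformed input can only end in ParseError
    head, sep, body = msg.partition("\r\n\r\n")
    line, _, header = head.partition("\r\n")
    parts = line.split(" ")
    value = header.partition(": ")[2]
    if not sep or len(parts) != 3 or not all(parts):
        raise ParseError("malformed request line or missing header block")
    if not (value.isdecimal() and len(value) <= 10) or int(value) > len(body):
        raise ParseError("invalid Content-Length")
    return parts[0], parts[1], body[:int(value)]

def fuzz(parser):
    start, total, failures, first, ttff = time.perf_counter(), 0, 0, None, None
    for field in TEMPLATE:                      # mutate one field at a time
        for anomaly in ANOMALIES:
            total += 1
            try:
                parser(build({**TEMPLATE, field: anomaly}))
            except ParseError:
                pass                            # rejected cleanly
            except Exception:                   # unexpected error: a failure
                failures += 1
                if first is None:
                    first, ttff = total, time.perf_counter() - start
    return {"tests": total, "failures": failures, "rate": failures / total,
            "first_failure_test": first, "ttff_seconds": ttff}

if __name__ == "__main__":
    print(fuzz(naive_parse), fuzz(hardened_parse))
```

      The naive parser also accepts a Content-Length of -1 without raising and silently truncates the body, a defect that this crash-only check does not count.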

      Fuzz testing identifies only likely software issues and typically cannot determine whether those issues are exploitable. In many cases, the software defects may not truly be vulnerabilities. Companies, however, should fix them anyway, Knudsen said.

      “The first question is what are the dangerous ones?” he said. “And what we found over the years is just fix everything. Determining exploitability is hard, and it is time consuming. Even if you don’t think a bug is exploitable, some teenager might find, down the road, a way to exploit it.”

      Overall, as companies mature, they will broaden the focus of their development efforts from creating purely functional code to creating software that has no known defects, Knudsen said.

      “The short game is all about functionality, but the long game is about worrying about whether your product has a security flaw and that could cause reputation damage,” he said. “As with all industries, as they mature, they are becoming more concerned about how they write their software, and that reduces their overall cost and greatly reduces their risk.”
