ETSI Supports CVD Processes
August 22, 2022
Historically, large companies like Microsoft, Google, and AWS have conducted independent, in-house security research on their own products and the software components within them. If vulnerabilities are found, and significant enough, this research often becomes a Coordinated Vulnerability Disclosure (CVD).
CVDs are a standards-based model in which a vulnerability is revealed to the public after responsible parties have been permitted adequate time to patch or remedy it. The benefit of this practice to industry is obvious, as it not only informs partners and end users of potential security holes, but it usually also offers a mechanism for addressing them before they become more widely publicized.
The problem, according to Alex Leadbeater, Chair of ETSI's cybersecurity group, TC Cyber, is that only 20% of companies have a suitable CVD practice in place.
Unfortunately, the 80% of companies without a sufficient CVD practice tend to be smaller organizations that either don't believe they need one or don't know how to start creating one. The latter is largely because a CVD triage process looks different from organization to organization.
Best Practices for CVD Triage and Response
ETSI has begun work on a new standard designed to help organizations develop and implement internal CVD practices of their own. EN 303 645 is available now to help companies deal with cyber threats facing today’s information and communications technology (ICT) systems and applications.
EN 303 645 establishes a baseline across the global market to raise the security bar for all consumer IoT devices from near zero to a good level. It strives to cover every major at-scale attack involving consumer IoT seen today, in a comprehensively pragmatic approach that is accessible to SMEs. EN 303 645 contains outcome-focused provisions that give consumer IoT the flexibility needed to future-proof it.
The EN 303 645 standard highlights 13 high-level cybersecurity best practices that support most CVD triage processes, which typically look like this:
- Reach out to the researcher who discovered the vulnerability, letting them know that the organization has understood and values the CVD submission.
- Give a timeline for when the vulnerability will be handled (this gives the researcher a date after which the findings may be made public).
- Assess the impact of the CVD at hand; whether external or internal components are affected will need to be identified.
- Alert users of the vulnerability and of what patch is available.
ETSI’s advice and guidance is publicly available throughout the market and has simplified the CVD disclosure process for smaller companies.
Respond to and Manage CVDs on Your Own
ETSI’s technical report has everything a company would need to create their own CVD scheme. ETSI is also equipped to provide companies with one-on-one advice from experts like Leadbeater.
Leadbeater further explains that a company has an ethically binding contract to notify the vendor and suppliers of the CVD and to give the researcher proper recognition.
EN 303 645’s approach to cybersecurity is also being used as something of a benchmark for ETSI’s upcoming vertical standard for consumer mobile device security.