Security gaps are divided into three phases. Can you name these phases?
1, 2, or 3
Nice try. However, 1, 2 or 3 is a quiz show for children on German television.
Blue pill, red pill
Unfortunately no. This is the selection for Neo, the chosen one, offered by Morpheus in the classic blockbuster Matrix.
Black, grey and white risk
Correct! The phases differ as follows:
Black Risk (phase of greatest risk):
A security gap is known only to one specialist. Sometimes the software producer is informed about the vulnerability, or the vulnerability is made public. Unpublished security holes are often offered for a fee to companies that trade in them or directly to intelligence services. In most cases, this specialist provides an attack that exploits the vulnerability as proof of its discovery; exploits are used (without authorisation, abusively). Attacks that exploit unpublished security holes are generally not detectable (stealth).
Grey Risk (medium risk phase):
The manufacturer now knows about the security hole but does not publish it. In the Grey Risk phase the circle of people who know about it is much larger than in the Black Risk phase. In this phase the vulnerability can be offered on the ‘market’ for a fee.
White Risk (high risk phase):
The vulnerability is published at a certain point in time (zero day) by a person with knowledge of it. If an exploit is not published promptly, it is usually developed by third parties for attack purposes. For economic reasons, not all security holes are patched (in a timely manner) by the manufacturers; some published security holes have been unpatched for several years.
“Open Source closes security holes faster: The time between publication of a security hole and its fix by the manufacturer is a time of very high vulnerability. Open Source programs offer the advantage that when closing vulnerabilities, it is not necessary to wait for the manufacturer.” (Source: Digitale Souveränität, Friedrichsen and Bisa)