On the face of it, demonstrating an exploit in an automotive system and finding a 0-day in a piece of consumer software and exploiting it are two completely different things: one is a criminal act and one is security research. But there is also a similarity between attacks and “security research” when that research is done badly. Let me re-frame it and see if this resonates with you and your own commercial experiences.
Let us put you, the reader, in the position of Chief Information Security Officer (CISO) or security lead for a corporate, any corporate, let’s say a security vendor that sells products globally to protect individuals and other corporations.
Let us also put out there a person who has a grudge against your company, or who is just out to make a name for themselves.
Your adversary looks through your business operation, maybe the source code of your apps, with some trial and error, hunting for something. After hours, weeks, maybe months of digging, they find a vulnerability. This could be a hole in your security or, equally, a process you no longer follow, e.g. deleting customers’ data when requested.
At this point, your adversary has options. They can contact you and give you an opportunity to fix it; go to the criminal underground and sell the information; or go to the press and release the vulnerability.
In the case of Target, the attacker exploited the data.
The Ashley Madison attackers took the data and as much other documentation as they could before opting to contact the company, try to gain financially from what they had learned, and take it to task over the dubious morals of the organisation.
In the case of some of the recent automotive ‘hacks’, most went straight out to the media with little or no consultation, and the ‘media roadshow’ went into full swing.
With recent attacks on security vendors such as FireEye, the results were white-papered, blogged and presented with, again, little or no consultation.
So if you were the CISO and someone was trying to extort you what would be your plan? Do you have a bug bounty programme you can direct someone towards?
If you were the CISO who suddenly found their product’s exploits laid bare to your peers, how would you respond? How would you explain to the Board why you weren’t aware of this hole previously?
I believe the point is this…
At what point does security research go beyond useful and meaningful attempts to help out the wider community: finding holes in products, finding the breaks in business logic, and then allowing an organisation a period of time to work on a correction? Has someone gone beyond security research when they publish the exploit they have found and put it in the public domain for any potential attacker to use?
As security research is a relatively new position in most organisations, do we need some kind of guidance that says, if you do A, B and C, allow timeframes of D, and a reasonable response from the corporate is E then that is security research? The problem is that one size does not fit all and that this kind of guidance would not work in all circumstances. Add in the global nature of the internet and the situation is further compounded.
Done correctly, there is massive value in security research. Products are enhanced and secured, processes get tightened and researchers are given a reason to continue (either financially or through recruitment opportunities). More and more, though, there seems to be a push towards ‘showboating’ exploits to gain PR and exposure for the researcher. Well, if you were the CISO, could your PR team work with the researcher to make this happen?
Some security vendors now have security research as a major element of their organisation. It enables them to keep ahead of the curve by way of knowledge, but they can also raise their position in the industry through this research, to the detriment of other corporates. However, no ethical security company releases its penetration testing reports to show off high-severity vulnerabilities, does it?
So why can’t we have the same with security research? Is PR and Media now more important than securing products? Should security research be more bound by ethical guidance?
As a CISO, do you have a plan? Does it work? When did you last see it being used? How did the researcher communicate with you? When you did your post-incident wash-up, what lessons were learned? What changes did you make?
Let me know your thoughts below.