There needs to be more contact between the information security community and technology firms, according to Rapid7.
The company recognises the importance of responsible vulnerability disclosure, but that requires opening up channels of communication with non-security firms, which can be challenging.
Often, the first contact that software and other technology firms have from security researchers concerns a vulnerability disclosure, said Tod Beardsley, security engineering manager at Rapid7.
“But this is often perceived in a negative light because it is like someone in the security community telling them their baby is ugly,” he told Computer Weekly on the sidelines of the DEF CON 23 hacker conference in Las Vegas.
Consequently, security researchers have to manage that first contact very carefully, said Beardsley, and bear in mind that it is an emotional topic to ensure that the resulting relationship is a positive one.
“The goal is to avoid making a company defensive by letting them know there is a serious security risk you would like to work with them to fix,” he said.
Rapid7 is working to promote better relations with technology companies, especially in the light of an exponential growth in the number of de facto technology firms.
“The problem is that many companies do not realise they have become technology companies and have not altered their behaviour accordingly,” said Nicholas Percoco, vice-president, strategic services at Rapid7.
“Typically, these companies are producing things like household appliances, but now that product has a mobile app, an embedded computer and a cloud back-end.”
But few of these firms that have transitioned into technology companies have developed business processes to support this and therefore have no standard way of dealing with vulnerability disclosures from information security researchers.
“This means there is no contact person or mechanism for dealing with vulnerability disclosures and it is consequently difficult for researchers to find the right person to talk to,” said Percoco.
Where this is the case, he said Rapid7 is working with organisations to help them establish a vulnerability intake process and draw up a vulnerability disclosure policy.
“This enables organisations to develop a playbook for vulnerability disclosures and dealing with researchers, just as they have a playbook for responding to other incidents in their environment,” said Percoco.
Beardsley said the reality is that if product developers do not have a personal interest in information security, they are unlikely to give any thought to providing after-sales security support or security updates for any software connected to their product.
“As a result, we have seen things like Fiat Chrysler considering posting security updates to customers before issuing a product recall to fix a security vulnerability in some vehicle entertainment systems because there is no established information security support mechanism,” he said.
For many people and organisations, information security is still an afterthought, said Beardsley, and part of the problem is that information security is still not a standard component of all information technology training programmes.
Fortunately, he said, many of the larger, well-established technology firms, such as Microsoft, Google and Samsung, do have established mechanisms for dealing with security researchers, which means vulnerability disclosure is not always a negative experience.
“The biggest issues are with the newer and smaller companies, especially the large number that still see themselves as only toy-makers, appliance-makers and the like and do not realise they have become technology companies,” said Beardsley.
As a result, information security researchers are having the same difficulties they had in engaging with Microsoft around 1995 all over again, he said.
Rapid7 believes awareness and education at the executive level is a good place to start in getting businesses to understand the importance and benefit of good information security and engaging with the security community around vulnerability disclosures.
Percoco said: “We typically hold workshops with client organisations to help boost security understanding and awareness, but we still hear scary things, like a brand name Silicon Valley company putting the same private key on every device and storing those private keys on web-based hosting service GitHub.”
This is often the result of teams of people working on a project without any involvement of information security people, he said, and doing whatever is necessary or whatever works to get the job done as quickly and easily as possible, resulting in risky practices and security oversights.
“As a result of the workshop, this particular company has drawn up several plans for improving the security of the product and we are going back in once they are done to test how effective the new security measures are,” said Percoco.
According to Beardsley, for people who develop products, security testing is typically seen as negative testing. “They do not have a security mindset,” he said. “They are makers, not breakers. They do not think the same way as security researchers.”
For this reason, Beardsley is attending more developer conferences than he has in the past. “I can learn tons from developers and they can learn tons from me, while at security conferences we all tend to talk about the same 80% that we all know,” he said.
Rapid7 is also seeking opportunities to talk outside of security conferences, said Beardsley, at conferences such as South by Southwest, where less than 1% of sessions are devoted to information security topics.
Percoco believes security must be driven from the top, but said that, fortunately, this now seems to be the general trend in manufacturing and other business sectors. “Board-level executives are increasingly asking questions about security, whereas this was almost unheard of five or six years ago,” he said.
Security breaches are now relatively common in mainstream news reporting, said Beardsley, so this is now a more commonly known threat.
“It is more top of mind than ever before, and no executives want to experience the kind of damaging breaches that have hit the likes of retailer Target or Sony Pictures Entertainment, which both resulted in resignations by top executives,” he said.
Beardsley and Percoco said that although the security industry has been talking about better alignment with the business for years, this is something that is finally happening.
“We are on the right path,” said Percoco. “In the late 1990s, people were hiring me to do penetration testing, but there was no real requirement to do so. Then, in the 2000s, with increased compliance, everyone had a pen test checklist, but in the past two years there has been a shift towards security assessments and pen testing because managers are beginning to require it for security reasons.
“Compliance will always cast a dark shadow over security testing, but I am seeing a big uptick in companies asking for security assessments for more business-related reasons rather than it being driven by compliance.”
Percoco said that although there is still a long way to go with many companies that either do nothing about information security or are doing only the bare minimum to meet compliance requirements, the general trend is positive.
Beardsley said this is even true among small businesses, many of which, even though they do not have boards to drive security from the top or dedicated security staff, are using managed services.
“That is where there will be a lot of impact,” he said, “because if you can get service providers to take security seriously – which they are – you end up solving the problem for a lot of businesses. There is nothing wrong with putting all your eggs in one basket and then securing the basket really well.”
Beardsley believes the long-term outlook is positive. “Just as auto manufacturers now compete on safety as well as other features, companies are likely to compete on cyber security in future and the market will naturally gravitate towards products and services that prove to be more secure than their competitors,” he said.
And, said Percoco, a large part of Rapid7’s advisory consulting is the result of companies asking for guidance on how to ensure that planned new products and services are secure by design.
“Companies are also beginning to shift their focus from just blocking attacks to detecting intrusions and ensuring they have an effective, up-to-date and well-rehearsed response plan to implement in the event of a compromise,” he said.
Rapid7 is seeing increased demand for support in this area, particularly through its incident response practice, which was launched earlier this year.
“We measure the relative maturity of companies’ cyber defence plans, make tactical recommendations and help translate cyber risk into business risk for information security professionals to take to the board,” said Percoco.
Many companies need to address the fact that they are not able to detect compromises sooner and respond quickly to limit the impact of a security breach, he said.
Looking to the future, Beardsley predicted that the days of a clear text internet are numbered. “While it is currently normal to be talking to unauthenticated endpoints in the clear, if we just move to a state where everything is encrypted and authenticated, whole classes of problems will go away,” he said.