Sign up for our weekly newsletter!
REGISTER NOW |
||
|
||
Take White Hats Seriously to Staunch the Flow of Zero-Days![]() When it comes to the rising zero-day threat, IT-security organizations may have no one to blame but themselves and their poor attitudes toward data stewardship. Zero-day vulnerabilities and the exploits thereof are trending upward. Earlier this month, for instance, both Microsoft and Apple had to issue patches on multiple respective zero-day vulnerabilities that were reportedly already being actively exploited in the wild. Meanwhile, digital-transformation technologies like IoT and AI are only exacerbating the problem. But if you're a white-hat researcher who finds and responsibly reports a zero-day vulnerability, good luck getting the company to acknowledge it. The question for disclosure closureLast month, 14-year-old Grant Thompson accidentally discovered a bug in Apple's Group FaceTime feature in iOS 12.1 and MacOS Mojave. The flaw allowed a caller to turn someone else's iPhone into a listening device without the other party having to answer a call. Thompson's mother -- an attorney -- emailed Apple, posted several times to social media, and faxed Apple a letter on her law firm's letterhead. It was not until her posts went viral and major news outlets picked up the story that Apple began to address the issue on January 30, about a week and a half after the fact. Thompson and his mother aren't the first to endure such endemic vulnerability-disclosure absurdism. Some yet more notorious examples:
At best, companies' dismissive behavior and responses (or non-responses, as the case may be) to vulnerability disclosures not only disincentivizes researchers from doing the research and making the disclosures to these companies. At worst, it may turn a hacker's hat from white to gray or even black, according to Chris Richter, an advisor to cybersecurity startups. After all, if an IT-security team won't listen, the NSA or a dark-web forum might. "That is a huge business on the dark web -- finding zero-day vulnerabilities, not revealing them to the vendor, and selling them to the highest bidder," says Richter. "[Or] they shop it to foreign governments that want to make use of it." An iPhone vulnerability, for example, can literally fetch millions of dollars -- and Richter points out that gray- and black-market bounties are rising. RTFDisclosureThere's only so much that can be done about bad corporate culture; sometimes this escalates to wilful ignorance. IT-security departments know that their knowledge of a possible data compromise may trigger a variety of time-sensitive compliance requirements, intense political pressure, and/or the possibility of fines and other unfavorable enforcement actions -- even if they competently handle their incident response (particularly these days if GDPR applies). (See: GDPR Fines: Some Bark, Little Bite.) Even when communications-service providers (CSPs) detect another company's breach and so alert it, the response may be a curt "Thank you for letting us know; don't ever call us again." (See: Four Enterprise Security Lessons From Maury.) But for companies like Apple and Panera, the solution begins with making it easy to send disclosures to a properly trained and empowered human who will read and act on them. Katie Moussouris, CEO of Luta Security, reports finding that only 6% of the Forbes Global 2000 offers dedicated security-reporting channels. "Make this process obviously distinct from the 'Hi I think my account is hacked' customer-support process," urges Houlihan. "You do not need to offer a bug bounty or a reward. Just offering a way to allow people to easily contact you with confidence would go a long way." Related posts:
— Joe Stanganelli is managing director at research and consulting firm Blackwood King LC. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.
|
The threat of escalation attacks and forged administration levels has plagued Kerberos authentication systems for years. Data-analytics startup Qomplx claims to do the math that solves the problem.
As employees live their lives across an increasingly IoT-enabled landscape (with devices often installed discreetly and with hidden functionalities), enterprise security is threatened by outside factors it cannot control.
With NIST celebrating the five-year anniversary of its widely adopted and recommended Cybersecurity Framework just last month, a look back over the years illustrates how far the Framework has come.
Radio silence after reports of a headline-snagging ransomware payment in Jackson County, Ga., presents a possible case study in the pros and cons of paying ransomware attackers.
Since last year, endpoint-protection firms have been among the biggest movers and shakers in the cybersecurity realm – with the endpoint-security market seeing more than a typical share of acquisitions and strategic partnerships. Joe Stanganelli takes a look at why this might be happening.
Information Resources
upcoming Webinars
ARCHIVED
Top Tips for Blocking pwned [email protected]$$wOrds in Your Organization
Tuesday, October 29, 2019
12 p.m. New York/ 4:00 p.m. London Podcasts
Podcast: Infrastructure Hunting – Stopping Bad Actors in Their Tracks
Being able to effectively build a threat intelligence ecosystem or threat-hunting identification response requires both user and systems sophistication and capabilities. Security, orchestration, automation and response (SOAR) is a new technology designed to provide organizations a single comprehensive platform they can use to implement an intelligence driven security strategy.
Podcast: Digital Transformation, SD-WAN & Optimal Security
Dan Reis chats to Cybera's Josh Flynn about how to achieve digital transformation without sacrificing security. ![]() like us on facebook
|
|
![]() |
||
![]() |
Security Now
About Us
Contact Us
Help
Register
Events
Supporting Partners
Twitter
Facebook
RSS
Copyright © 2019 Light Reading, part of Informa Tech, a division of Informa PLC. All rights reserved. Privacy Policy | Cookie Policy | Terms of Use in partnership with
|