Page 79 - Cyber Warnings August 2017

Reacting to vulnerability disclosure

How to behave to avoid reputational harm
by Alex Haynes, Information Security Manager, Cheshire Data Systems Ltd.

Today, the online security of all companies is a concern. If a security issue or vulnerability is
discovered in a website, product or piece of software and this makes it into the public domain,
reputational damage can ensue.

In many cases, these flaws are pointed out by third parties, either individuals or companies
that have discovered them accidentally or actively researched them. These discoveries have
to be managed correctly to ensure the vulnerabilities are handed over to the right people and
fixed in a timely fashion. This whole process is commonly referred to as 'vulnerability
disclosure'.

So why should I care about vulnerability disclosure?

You may work in an organisation that has a relatively mature security posture: it has the right
technologies in place, it has the right organisational setup with a dedicated security team, and
it even has its own cybersecurity budget. Does this imply you're safe? Not at all.

Because of the complexity of today's technology it is impossible to cover every threat vector,
especially when some are unknown. There are those who think that an annual penetration
test (or pentest) is enough to cover any outstanding vulnerabilities in their product, but even
this is limited. Pentesting merely gives a snapshot of your technical security posture at a single
point in time. Once the pentest is over, and you introduce a new build or an update into a
product or website, you potentially introduce new vulnerabilities, and the cycle begins anew.

Vulnerability disclosure programs fill this gap: anyone is allowed and able to report
vulnerabilities to you at any time and is actively encouraged to seek them out, effectively
demonstrating your confidence in your product and guaranteeing a higher level of security
through transparency.

What should I do when someone points out a vulnerability in my product?

There are a few key rules to follow at different stages of vulnerability disclosure. The most
important stage is 'first contact'. This is when a researcher or a company may have discovered
a vulnerability in one of your products and has contacted your company to bring it to your
attention:

Don't threaten

This cannot be overstated. People who point out vulnerabilities in your product are actually
doing you a favour, especially if that vulnerability can cause data loss. Unless they've done
significant harm to your infrastructure, threatening them (especially legally) is the fastest way for
the issue to end up in the media, and it will paint your company as insensitive and opaque, as you
are effectively trying to 'silence' the vulnerabilities. What is worse is that if you attempt this once,
your company will gain a pariah status, as other discovered vulnerabilities won't be fed back to

                    79   Cyber Warnings E-Magazine – August 2017 Edition
                         Copyright © Cyber Defense Magazine,  All rights reserved worldwide.