Page 80 - Cyber Warnings August 2017

you, making your products over time less secure. Naturally, if this occurs, your reputation suffers in sync.

Don’t ignore
Ignoring the reporter, or ‘playing dead’ on first contact, is also a grave error. Like threats, vulnerabilities that are ignored often end up in ‘full disclosure’, meaning the details are released publicly to point out the vulnerability in your product. Security researchers know this process well and won’t hesitate to use it after chasing you up a few times. Engaging with the counter-party at this point will buy you time to fix the vulnerability.

Offer a secure transfer method

Vulnerability details are sensitive and can cause damage if they fall into the wrong hands. Don’t just ask the reporter to send the details of the vulnerability in plain e-mail. If your company has a secure transfer platform, this is the moment to use it. Alternatively, encrypt the transmission using GPG keys. If you really have nothing else, go for a password-protected zip and exchange the password out of band (for example, by phone call).
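The GPG option from the paragraph above, as an added example that is not part of the original article: the vendor generates a key pair for its security contact and publishes the public key; the researcher imports that key and encrypts the report to it; the vendor decrypts and checks the result. Both parties are simulated in throwaway keyrings so the script runs offline. The identity "Vendor Security <security@example.com>", the report text and the temporary directories are constructed for the demo; the script assumes GnuPG 2.1 or later is installed.

```shell
#!/bin/sh
# Added example (not the article's own material): exchanging a vulnerability
# report encrypted to the vendor's GPG public key, both sides simulated locally.
# Constructed values: the vendor identity, the report text, the temp directories.
set -eu

VENDOR_UID="Vendor Security <security@example.com>"   # constructed identity
VENDOR_MAIL="security@example.com"

# Vendor side: create a key pair for the security contact and export the public
# key, which in practice is published on the website, in security.txt or on a keyserver.
vendor_publish_key() {   # $1 = vendor keyring dir, $2 = output path for public key
  GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$VENDOR_UID" default default never
  GNUPGHOME="$1" gpg --batch --quiet --armor --export "$VENDOR_MAIL" > "$2"
}

# Researcher side: import the published key and encrypt the report to it.
# --trust-model always stands in for having checked the key fingerprint out of
# band (assumed here); without that check, encrypting to an unverified key is
# exactly the mistake the out-of-band exchange is meant to prevent.
researcher_encrypt_report() {   # $1 = researcher keyring dir, $2 = vendor pubkey, $3 = report, $4 = output
  GNUPGHOME="$1" gpg --batch --quiet --import "$2"
  GNUPGHOME="$1" gpg --batch --quiet --yes --trust-model always --armor \
    --recipient "$VENDOR_MAIL" --output "$4" --encrypt "$3"
}

# Vendor side again: decrypt with the private key that never left the vendor.
vendor_decrypt_report() {   # $1 = vendor keyring dir, $2 = ciphertext, $3 = output
  GNUPGHOME="$1" gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
    --output "$3" --decrypt "$2"
}

# run_demo performs the whole exchange in a fresh temp dir and prints "ok" when
# the decrypted report matches the original and the ciphertext does not contain
# the report text in the clear. It is self-cleaning, so it can be called repeatedly.
run_demo() {
  work=$(mktemp -d)
  vendor="$work/vendor"; researcher="$work/researcher"
  mkdir -p "$vendor" "$researcher"
  chmod 700 "$vendor" "$researcher"

  # Constructed report contents; a marker word lets us check for cleartext leakage.
  printf 'CONSTRUCTED-REPORT: placeholder vulnerability details for the demo\n' > "$work/report.txt"

  vendor_publish_key "$vendor" "$work/vendor-pub.asc"
  researcher_encrypt_report "$researcher" "$work/vendor-pub.asc" "$work/report.txt" "$work/report.txt.asc"
  vendor_decrypt_report "$vendor" "$work/report.txt.asc" "$work/report.decrypted.txt"

  result=FAIL
  if cmp -s "$work/report.txt" "$work/report.decrypted.txt" \
     && ! grep -q 'CONSTRUCTED-REPORT' "$work/report.txt.asc"; then
    result=ok
  fi

  # Stop the per-keyring agents and remove the throwaway keyrings.
  GNUPGHOME="$vendor" gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$researcher" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  echo "$result"
}

run_demo
```

The researcher never needs the vendor's private key, and the vendor never needs anything from the researcher beyond the ciphertext, which is why this beats a password-protected zip: there is no shared secret to leak. The one step the script cannot automate is verifying the key fingerprint against something the vendor controls before trusting it.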

Fixing the vulnerability
Once you have the details of the vulnerability in hand, you need to decide how serious it is and when you’ll fix it. Unofficially, security researchers go by the rule of 90 days: if your company hasn’t fixed the vulnerability within 3 months of the date of disclosure, they’ll disclose it publicly. This isn’t a hard and fast rule, and I’ve personally experienced vulnerabilities disclosed to vendors that have taken close to a year to fix. Engaging directly will buy you time, since some companies have only a few developers on hand and other priorities. This, however, can’t be used as an excuse forever. If security is important to you, you’ll make it a priority. The important thing here is to be realistic with your timescales. Don’t tell the reporter it will be fixed in a week if you know it will take a month. All that will do is antagonize them and propel the vulnerability into full disclosure for everyone to see.

Once it’s fixed
This is the part where, even if you have no formal vulnerability disclosure program, you actually want to reward the individual for pointing out the vulnerability. After all, they spent their time discovering a vulnerability in your product and made the effort to contact you about it. They’ve saved you from embarrassing media coverage and, depending on the severity, from data loss and the ensuing financial damage.
Copyright © Cyber Defense Magazine, All rights reserved worldwide.