The Community Lifeline: Building a Safer Cybersec Community

Oded van Kloeten
SSD Secure Disclosure
5 min read · Oct 22, 2020

The rise of digital ecosystems

Over the last couple of years, cyber attacks have become one of the biggest threats, not only to business but to society at large. As markets grow more global and complex, we rely more and more on technology and are exposed to new threats in the shape of cyber intrusion, manipulation, misuse and other cyber misconduct.

Software and hardware companies worldwide understand they are operating in digital ecosystems, even if their product itself is offline, both to sell their services and to provide support for them. What many firms aren’t aware of is the rising risk from the software and hardware they operate, and the cyber attacks that may occur when they digitally connect their systems and data. While the answer is not to disconnect from these ecosystems, understanding and patching the products running on their networks and endpoints is where they should start.

In the old ‘physical’ world, in which companies interacted by making phone calls, sending payments through the mail, and conducting meetings in rooms, the risk of a potential breach was much smaller. There were limits to the number of people exposed to your company’s resources, the number of businesses you could partner with, the amount of information you could store and many other factors, all of which were handled mostly offline. By contrast, in the digital world there are no such limitations. In fact, it is a world of infinite possibility, with an abundance of capital, talent, capabilities, and businesses with which to partner.

The importance of keeping it safe

Cyber security’s core function is to protect the devices we use (smartphones, laptops, tablets and computers), and the services we access — both at home and at work — from theft or damage. Many software and hardware vendors these days are focused on making their products safer and exploit free, as preventing unauthorized access to the vast amounts of personal information stored on these devices and online is becoming their #1 goal.

Entities such as the SEC and ESMA are also on the lookout to provide new security guidance for companies and individuals in order to reduce the level of exposure and threat they are open to. The SEC in particular keeps a watchful eye over market participants by making cyber security a priority of its National Exam Program.

White hat hackers

Bug hunts and vulnerability-reporting programs are the other side of the coin here — they draw on researchers and coders to ensure that whatever the vendors may have missed will be found on their end. Companies that do not have the technical abilities to create a bug bounty program from scratch can hire firms that help manage the process using their own platform, staying protected while providing work and challenges to a vast community of white hat hackers, researchers and freelancers.

White-hat hackers, often referred to as ethical hackers and deemed to be the good guys, work with these organizations to strengthen the security of a system or a product. White hat hackers specialize in ethical hacking tools, techniques, and methodologies to secure information systems and their ecosystem in general. They engage the targets and try to compromise them within the prescribed rules of engagement, reporting their findings to the vendors so that the issues can be fixed before they are exploited by malicious actors. Unlike black-hat hackers, ethical hackers exploit weaknesses in networks and look for backdoors only when they are legally permitted to do so, or when they aim to keep others safe.

Some of them just won’t join the fight

Although the global community of independent researchers looking for zero day vulnerabilities and exploits is getting bigger every year, some vendors are still not accepting, or are on the fence about, vulnerability disclosure for their own products and will usually not accept any bugs or findings.

Other vendors have come a long way on this. In 2002, it was reported that only 1 out of 10 companies would accept a report and not sue researchers who reported legitimate findings. In the other 9 out of 10 cases, lawyers were involved. The process of understanding the risks and maturing the entire process throughout the industry took place over the last 15 years or so, and attitudes have shifted a great deal: bug bounties, where they once were controversial, are now normalized. We believe that the entire software community will eventually be able to respond a lot faster, based on some of the work that bounty programs are doing now in the process of vulnerability disclosure.

Bridging the gap

At SSD, we help security researchers turn their skill in uncovering security vulnerabilities into a career. Designed by researchers, for researchers, SSD provides the fast response and support needed to get zero-day vulnerabilities and disclosures reported to vendors and to get researchers the compensation they deserve. We help researchers get to the bottom of vulnerabilities affecting major operating systems, software or devices.

As part of our vulnerability disclosure program we have established a community of researchers. We believe in long-term investment in this group, and we provide the tools, education and knowledge they need to find more vulnerabilities and advanced attack vectors and to discover innovative ways to exploit them.

Even though vendors sometimes do not respond, or ignore our call to action on certain findings, we choose to fully sponsor the research. We then work with the vendor to make sure that they actually fix the vulnerability that has been discovered, allowing us to protect customers and the community from harm until the affected vendor has actually shipped the patch. We strongly believe that delayed vulnerability disclosure may pose big risks.

We encourage the reporting of zero day vulnerabilities to affected vendors by financially rewarding researchers who submit them to us, whether or not the vendor will buy them. Buying these privately enables us to support and keep our focus on the safety of the global cyber security ecosystem and to contribute our share to strengthening it. Even though we do not publicly publish findings the vendor has not paid for, we feel it is critical for our team and independent researchers to ensure their findings are being patched, even if the vendor is keeping them under the radar.

Visit SSD: https://ssd-disclosure.com/
