Mobilizing the Cyber Security Crowd
Transcript of Mobilizing the Cyber Security Crowd
05/03/2023 Data Privacy Asia 2015: 25 – 27 August 2015 1
MOBILIZING THE CYBERSECURITY CROWD
Building the ecosystem for smart people to work for you
Wei Chieh Lim, Hive Master
sg.linkedin.com/in/weichieh
@weichieh
We mobilize a crowdsourced team of global cyber security experts to deliver security assessments.
Engaging the Swarm means you pay only for exploitable and validated vulnerabilities, and never for the time spent.
Get Real Global Expertise. Pay Only for Results.
SOLVING THE EQUATION
•Risk = ƒ (Threat, Vulnerability, Impact)
•What do you have control over?
SOFTWARE VULNERABILITIES UNAVOIDABLE
[Chart: vulnerability count (Q) against time (t) across releases R1.1, R1.2, R1.3, R2.0, R2.1 and R2.2; the area under the curve is labelled Exposure]
> Exponential increase
> Application complexity
> Vulnerabilities interplay
DIFFERENT VULNERABILITY CURVES
[Chart: security vulnerabilities (Q) against time (t), plotted against application complexity]
Vulnerability curve depends on:
> Secure development process
> Developer’s training and awareness
> Knowledge management of lessons learnt
NO SECURITY ASSESSMENTS
[Chart: vulnerability count (Q) against time (t); with no assessments the whole area under the curve is Exposure]
USING APPLICATION VULNERABILITY SCAN
[Chart: vulnerability count (Q) against time (t); scanning reduces the Exposure area]
False positives = Wasted resources
Discovered vulnerabilities = Reduce Exposure
> Limited impact on the curve gradient
> Depends on capability of the tool, user and process
IS ANNUAL PENETRATION TESTING ENOUGH?
[Chart: vulnerability count (Q) against time (t); annual penetration testing leaves 300+ days of Exposure between tests]
Discovered vulnerabilities = Change curve
> Still a long exposure period
> Depends on tester’s time, motivation and capabilities
DOING IT A LOT MORE OFTEN
[Chart: vulnerability count (Q) against time (t); frequent discovery flattens the curve and shrinks Exposure]
Discovered vulnerabilities = Flatten curve
> “Continuous”?
> Test Early, Test Often, Test Forward?
> Constrained by budget (staff, services spend)
WIDENING SHORTFALL OF INFOSEC PROS
1.5 million shortfall by 2020
Strain on current workforce
Risk of ineffective & inefficient programmes
Source: The 2015 (ISC)2 Global Information Security Workforce Study, Frost & Sullivan
Outsource?
JOY’S LAW
Joy’s Law: “No matter who you are, most of the smartest people work for someone else.”
Bill Joy, Co-Founder, Sun Microsystems
MOST OF THE SMARTEST PEOPLE WORK… FOR THEMSELVES?
Build an ecosystem for smart people to work towards your goals, instead of relying solely on your employees or your vendors.
Crowdsourcing: access diverse, independent and decentralized global expertise to enhance cybersecurity programmes.
HOW DO WE FIND VULNERABILITIES?
> Security Incidents (discovered, reported)
> Bug Reports (customer issues, researcher reports)
> Security Assessment (vulnerability scanning, penetration testing, secure code review)
> Threat Intelligence (data feeds, analytics, vulnerability markets)
[Diagram axis: Proactive (intelligence led) to Reactive (event driven)]
PROBLEMS WITH THE TRADITIONAL (“COMPLIANCE APPROACH”) MODEL?
[Cycle diagram: engage ($) → test → report]
> Low cost vicious cycle
> Live with mediocrity
> Difficulty in selecting the right vendor
> Sophisticated testers a dying breed
> False sense of security
> Efficacy gap with real world threats
> Issues not always fixed
> Reports not always useful
HOW DO WE REALISE THE FULL BENEFITS?
> Pay only for results – vendor selection irrelevant, budget not based on work done
> Self-motivated testers – “natural selection”, monetary returns, recognition and reputation of expertise
> Curated real expertise – authentic, validated and current
CROWDSOURCED NETWORK OF EXPERTISE
[Cycle diagram repeated for both models: engage → test → report]
Traditional:   Small team of “experts”   Long testing period      Limited focus on fixes
Crowdsourced:  Proven network of experts Shorter testing period   Detailed fixes and root cause
ANONYMITY: FEAR OF THE FACELESS CROWD
Order to the Chaos:
> Identity Validation
> Background Screening
> Activity Monitoring
AUTHENTICITY: DOUBT IN THE CROWD’S CAPABILITIES
Reputation System (No. of bugs ##, Rep. Points ##, Awards $$)
> Curates and authenticates real expertise
> Based on proven successes and authenticated evidence
> Compete and accumulate scores based on bugs discovered
ACCOUNTABILITY: UNCERTAIN ABOUT THE CROWD’S LIABILITIES
Contract:
> Confidentiality Agreement
> Rules of Engagement
> Liabilities & Indemnities
SAMPLE PUBLIC BUG BOUNTY PROGRAMS
[Program logos are not preserved in the transcript; reward ranges per bug as shown]
> US$500 – ? (US$3M since 2011, 321 bugs in 2014)
> US$100 – 20,000
> US$500 – 3,000
> US$500 – ?
> US$100 – 5,000
> US$100 – 10,000 (~1,000 in 2014)
> US$250 – ?
> Miles 50K – 1M
SAMPLE MANAGED BUG BOUNTY PROGRAMS
[Program logos are not preserved in the transcript; reward ranges and bug counts as shown]
> US$25 – 10,000 (50 bugs)
> US$50 – 500 (48 bugs)
> US$300 – ? (158 bugs)
> US$140 – ? (179 bugs)
> US$100 – 5,000 (89 bugs)
> US$100 – ? (24 bugs)
> US$? (159 bugs)
> US$216 – ? (76 bugs)
> US$100 – ? (271 bugs)
[Image slide] Source: @fjvva
[Image slide] Source: #oraclefanfic
EXPERIENCE WITH BUG BOUNTY PROGRAMS
Frustration, Anger, Lost, Luck, Excitement
ABOUT HERMAN STEVENS
[Timeline: Before written history / Seems like ages ago / Current Day]
> Sixties: took countless radios and TVs apart to study their internals from the age of 5
> Seventies: programming TI-58 calculator
> Eighties: ZX Spectrum and Amiga computer
> Nineties:
  - BBS, Fidonet, Usenet
  - Installed Slackware Linux from 24 disks
> Developer (Y2K problems, Cobol, Assembler, Natural, C, Java)
> Security Product Trainer (one of the first WAFs, digital signature product to bypass the US export regulations on crypto)
> Security Consultant
> Payment Card Industry Auditor
> Application Security Consultant
> SwarmMaster at Swarmnetics
> Owner/Director Astyran (application security consultancy)
> Ethical hacker
  - Synack
  - Cobalt.io (former Crowdcurity)
  - Bugcrowd
> Still likes to break things
WHY DID I JOIN?
Usually work for a consultancy firm as sub-contractor
> Work that I also like to do is done by other consultants
> I get to do work when the consultancy company does not have the experience
  - Often very similar work (financial industry, payment processors, …)
  - Often very similar applications (millions of lines of Java)
  - Not very challenging after a while
> No visibility in how good you are (non-disclosure arrangements)
Bug Bounties offered me
> Lots of exciting new technology, keep myself up-to-date
> Visibility in what I can do
> Some monetary awards
I KNOW WHAT I DID LAST WEEKEND
COMPANY OR PROVIDER MANAGED BUG BOUNTY PROGRAM?
Company-Managed
> Manages own programs (usually public)
> May not have quality reviewers, as most are developers with limited security background needed to assess the validity or criticality of a reported bug (“customer is always right … even when he is wrong”)
> May have vague reward structure with slow response due to volume of reports
Provider-Managed
> Acts as “trusted” party between researcher and company
> Contracts with company and has agreement with researchers
> Has expert reviewers, less room for discussion
> Takes care of payments and rewards
> Has reputation system for ranking of researchers
COMPARISON OF BUG BOUNTY PROVIDERS
[Provider logos are not preserved in the transcript]
> 1,600 researchers
> 12,000 researchers
> 251 researchers (limited # programs)
> 1,200 researchers (formerly CrowdCurity)
> 55 researchers: background checks; stringent assessment (80% don’t make the cut); requires signed agreement
> 20 researchers: background checks; prove authenticated expertise (e.g. other platform rankings); requires signed agreement
Free for All (no apparent checks)
MISTAKE – NOT READING THE FINE PRINT
> Started with Bugcrowd
> Bugcrowd has “sprints” (usually two weeks)
> Researchers are paid for 1st, 2nd and 3rd position (based on # of bugs, no difference between high/medium/low)
> Rest of money divided among researchers not in top-3 but with vulnerabilities not found by top-3
I joined, found one high rated item (Stored Cross-Site Scripting) and stopped there (did not read the rules).
FRUSTRATION – DUPLICATES
Duplicates (other researcher was faster) are not awarded.
EXCITEMENT – GETTING INVITED
Higher awards, less or no competitors
> Award per bug found (different award for high/medium/low)
> Fixed amount for your time
> Interesting applications (usually very strict NDA)
Sample Assessment
> Target: U.S. application for keeping records and notes about medication, visits and family situation
> Users: Hospital staff, caretakers, doctors
> Goal: Break the 2FA (if new browser used, no access to application)
> Result: Got only user-id and password, not the 2FA token
EXCITEMENT – GETTING INVITED
Mistake 1 – Design
> Login page did not check for the browser, but redirected to the last page visited
> Found out that “/patients/” existed
Mistake 2 – Design
> 2FA was based on browser-check
> Brute-force “/patients/” with different User-Agent HTTP headers
Mistake 3 – Implementation
> Browser check included check on HTTP Accept Header
> Modifying header to Accept: */* bypassed the 2FA
Mistake 4 – Implementation
> Allowed for any page to be downloaded as PDF
> Modifying header to Accept: application/pdf bypassed authentication (and 2FA)
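The four mistakes above come down to one root cause: authorization was decided from client-controlled headers instead of server-side session state. The following is an added example (not code from the deck or from the assessed application) that models the flawed gate in a few lines beside a hardened one; the Request class, the session keys (user, browser_known, mfa_verified, last_page) and the status-code return values are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    accept: str                                  # HTTP Accept header value
    session: dict = field(default_factory=dict)  # server-side session state

def authorize_flawed(req: Request) -> int:
    """Simplified model (an assumption, not the assessed app's code) of the
    design the deck describes: 2FA is demanded only when a request looks
    like a new browser, and "looks like a browser" is judged from Accept."""
    if req.accept == "application/pdf":          # Mistake 4: PDF export is
        return 200                               # served before any check
    if "user" not in req.session:                # password login only
        return 401
    browser_like = req.accept.startswith("text/html")   # Mistake 3
    if browser_like and not req.session.get("browser_known"):
        return 302                               # Mistake 2: 2FA challenge
    return 200                                   # Accept: */* lands here

def authorize_hardened(req: Request) -> int:
    """Decide only from server-side state that the server itself set after
    verifying a token; no request header influences the decision."""
    if "user" not in req.session:
        return 401
    if not req.session.get("mfa_verified"):      # same answer for any Accept
        return 302                               # and for any path
    return 200

def render(req: Request) -> str:
    """Content negotiation runs after authorization, never instead of it,
    so the PDF export path gets exactly the same gate as the HTML page."""
    status = authorize_hardened(req)
    if status != 200:
        return str(status)
    return "pdf" if req.accept == "application/pdf" else "html"

def post_login_redirect(req: Request) -> str:
    """Mistake 1 fix: until 2FA completes, send the user only to the
    challenge page, never to the last page visited (which leaked /patients/)."""
    if not req.session.get("mfa_verified"):
        return "/mfa/challenge"
    return req.session.get("last_page", "/")
```

The same test inputs drive both gates, which is a cheap regression check to keep in a suite: any request that is not fully authenticated must get the same answer regardless of its Accept value.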
Eliminate All Vulnerabilities
www.swarmnetics.com @swarmnetics