A Tale Of Ethical Disclosures
In many recent conversations I keep talking to family, friends, colleagues and even people in the socially distanced line at the grocery store about the online ecosystem as an emerging (and vast) attack surface. A family member felt somewhat lucky that he was spared hearing about it in person, over a long holiday meal. However, the topic is fascinating, and I am truly enthusiastic about this newly found attack surface. So are many hacking groups Cyberpion is tracking closely. Who wouldn’t want to hear about it?
Roaming in the Global Digital Ecosystem
Tracking hacking campaigns is an intriguing job. In the cybersecurity equation, there are at least two sides of super-smart people: crafty, creative personalities who think out of many boxes. A lot of brain power goes into the cat-and-mouse game they are playing. Our team of analysts is always on the ecosystem playing field, looking around and exploring moves and changes.
While I am unable to keep pace with them, based on the quantitative output and the number of meaningful findings our online security platform discovers and records, they must be doing something right. Our customers, big and small, are satisfied with their investment.
Spreading the Word Through Ethical Disclosures
On a daily basis, we uncover vulnerabilities and abuse in the wake of attack campaigns. Without diving into technical depths, I will say that many of the ecosystem attacks, like poker players, have a tell that we can identify. Once we do, we start noticing those tells showing up in the ecosystems of other organizations. I continue to feel that these incidental findings should be of great interest to the affected entities.
When we started our journey, we committed ourselves to approach and disclose these critical findings in good faith. Casting our bread upon the water is our way to help vulnerable and compromised entities strengthen their security posture. In some cases, it turned out to be the beginning of a dialogue, in others it did not go beyond a one-way disclosure. To date, we have hundreds of both under our belt.
Ethical Disclosure, Really?
Ethical disclosures should be a grace to security teams. Even to those who are skeptical and suspicious by nature, or by hard-won experience, the value of disclosures is priceless. There are many security professionals who believe, and act as if, disclosures are often a waste of time. Disclosures can indeed be malicious, leveraged as a distraction, as misinformation, or as a form of denial-of-service attack on the security team. However, ethical disclosures can also be exactly what they are called: ethical (or responsible) disclosures. You do not have to create a bounty program and pay for valuable data. Cyberpion disclosures are always of the latter kind. Always.
The Disclosure Outliers
We are a little surprised by the fact that some of our disclosures are never responded to, even after the entity we disclosed them to has fixed the issue. We are very surprised when disclosures are completely ignored and the vulnerability remains untouched. It is usually a matter of minutes to attend to the type of things we share. Those two outcomes are unpleasant and potentially risky, but within the realm of what we can understand.
The shocking outliers are those where we provided a disclosure, connected with the team, provided context and details on one or more vulnerabilities and shared the path to remediation. And then nothing happens. The issues are not addressed, our follow-up emails (usually offering additional help) go unanswered, and the enterprise knowingly remains vulnerable, or compromised. We learned that scratching one’s head for a long time is painful, so we stopped.
Incoming Disclosure Responsibility
The experience of how disclosures are handled across Global 5000 companies raises the question of responsibility and accountability.
What should the expectation be of response time and remediation of disclosed vulnerabilities?