The economics of making security a PR issue
“Data breaches, skimming, hacking, ransomware, leaks, crypto-mining, …”
If there is one thing the past decade has taught us, it is buzzwords designed to create panic and excitement and to pique the readers’ interest. At times it has been about uncovering a security flaw impacting major organizations, at other times about drawing attention to unfilled job vacancies in the industry.
What’s interesting is that, contrary to the noise generated by the media about cybersecurity, which paints a rather suspenseful picture of the subject right out of a Hollywood scene, most real-world security jobs are often clerical and monotonous — like any other job. Just as, 99% of the time, the TSA will likely not find a bomb in that suitcase or a security threat bypassing the metal detector, neither will a cybersecurity professional.
The problem with turning security into a PR issue is that it effectively becomes a way for organizations to be minimally compliant in order to feel and appear more secure than they really are. The other problem with security by press release is that managers may divert resources towards researching and mitigating security flaws which appear very serious, thanks to their amplified press coverage, only to realize the “flaws” are rather benign. In doing so, the IT and security departments of various organizations may be slacking when it comes to patching underreported but critically serious vulnerabilities.
In early 2018, I demonstrated how Georgia Tech was hackable because of a backdoor and that the multi-factor authentication solution the university likely spent considerable resources implementing would have had no impact whatsoever, given the severity of the flaw. For over a year the flaw, when reported privately, was left unpatched and the legacy system remained open for anyone to fiddle with. A public disclosure of the flaw, however, led to a speedy remediation within 48 hours. That is exactly what I mean by making security a PR issue.
Recently, renowned security expert Kevin Mitnick demonstrated an example of how multi-factor authentication could be bypassed, which would apply to far more organizations and their critical systems. Organizations that had spent the time, money, and resources to implement the “overpopularized” 2-factor authentication solution likely felt a great sense of accomplishment momentarily. Having finally jumped on the security bandwagon, they might have been under the false pretense that they are secure, and that this would look great for publicity. This kind of mindset effectively took the focus away from critical underlying issues such as the possibility of backdoors, or latent flaws in the implementation of the 2-factor solution itself. It could also have taken focus away from more severe, lesser-known flaws that may have been privately reported by security researchers, pro bono, as a lot of us do. After all, as the saying goes, “Security is only as strong as your weakest link.”
Threats will come in from novel, innocuous and unpredictable places without warning. For example, according to a report, 14% of all open source modules in the npm repository are either compromised or outright malicious. Some of these software packages mimic the names of legitimate packages in order to take advantage of an unsuspecting user. For example, even a skilled developer looking to install “Python” may confuse it with “python-dev,” and install the latter. Little would they know that “python-dev” was actually a malicious package published to a credible open source repository under a misleading alias. In this case even the strongest security controls may not prevent a system compromise due to the developer’s mistake.
The buzz permeates the intellectual and analytical membranes of the open source community too. One would assume that the open source cult of expert developers and researchers would closely scrutinize and denounce treating security as a PR issue. But if you recently heard about the jQuery File Uploader plugin vulnerability, you would know this isn’t always the case. Even though this vulnerability could be exploited only in very specific instances, the media hype made the issue appear far more pressing than it was. The plugin naturally received misplaced blame for the mistakes of the IT professionals responsible for hardening server configurations and vetting sample code properly. A properly configured server environment that enforces server-side security would typically never be impacted by a lack of client-side validation.
It’s easy to wash your hands of it and pass responsibility to another party, but that is exactly the problem with security-by-press. Organizations wait to evaluate their internal security controls and efforts thoroughly until there is no choice left. Within many organizations, cybersecurity budgets are limited, and while occasional penetration testing and “compliance assessments” may help, such measures are used largely to check a box and to feel more secure.
A proposed solution?
The laughable thing to do here would be regulation: more boxes to check, merely for remaining minimally compliant. Appointing a Data Protection Officer (DPO), as dictated by GDPR, may create a job opening or two, but it will not make security problems disappear. Organizations need to stop treating cybersecurity like an “optics” or legal compliance problem at every level. Luckily, this does not always have to translate into a heavy upfront financial investment in security infrastructure or recklessly hiring security professionals. The key is to not be complacent when it comes to security and to be willing to stay aware.
For smaller organizations with limited security budgets, crowdsourcing security can work wonders. Setting up a responsible disclosure bounty program on BugCrowd or HackerOne provides an excellent way to discover unique security flaws impacting your business. It’s a win-win scenario, as bug bounty programs attract the brightest ethical hackers and security researchers, who often report the most revealing, unusual and critical vulnerabilities in exchange for a nominal “bounty” award — set by you in advance. In the long run, paying a small cash bounty, an Amazon gift card, or even publicly thanking the hacker on your company’s website is no hassle compared to paying a steep price later should your organization suffer a security compromise. At the same time, a bug bounty program must be developed with obvious regard for production systems and the need for their availability during business hours. We do not want our crowdsourced warriors to DDoS a customer-facing web service.
Unsolicited vulnerability reports
At the bare minimum, as we have repeatedly learned: take private vulnerability reports seriously and don’t delay patching. These unsolicited reports often come from ethical hackers and researchers as a courtesy, without any expectation of a reward. Typically, their only intention is for you to address the reported flaw for your organization’s sake. In many cases they are either ignored, or acknowledged but long forgotten until something absolutely warrants action, such as negative publicity. Should a breach ever occur, procrastination or even slight negligence is all it takes to destroy years of brand reputation and public trust, and to attract hefty financial losses from lawsuits.
In-house hacking days
For a technology company with either a sufficiently large security budget or a fair share of its workforce comprising security professionals, hosting monthly or biweekly events like “white-hat hacking days” can be an amazing exercise. It gives your in-house security team an opportunity to test the security of internal systems, and non-technical employees a chance to watch and learn.
Security awareness training
In addition to all these efforts, holding in-house security awareness seminars and training for employees — technical and non-technical alike — is essential to tackle phishing attacks. Without them, your employees could trivially be social-engineered and end up being the weakest link in your security infrastructure. Carefully designed simulated phishing exercises are often very useful in familiarizing unsuspecting employees, in a practical way, with the risks and types of phishing attacks.
At the end of the day, not every organization may have the massive resources it takes to forge an army of cybersecurity defenders or implement security controls, but that may not even be necessary. Time and time again we have learned that it is the large organizations getting breached, purely due to their complacent attitudes towards security, not capped budgets. Taking small steps at every level to reinforce a general willingness to be vigilant about security, and keeping your workforce vigilant too, can yield promising results.
Note: This article links to one of the posts: A Lesson in Why “Security by Press Release” Is Detrimental that I had co-authored for the Sonatype blog in my capacity as a Senior Security Researcher.
© 2019. Akshay ‘Ax’ Sharma. All Rights Reserved.