“Why not make sure you have a security@… email address?”
This article is intended to be a guide for business leaders who never want to get caught with their pants down when it comes to dealing with hackers, writes Guise Bule, co-founder of WEBGAP, a remote browser isolation cybersecurity startup. It is a guide for those who want to be able to properly deal with hackers/security researchers who find holes in your security. Over the last few years I have seen these interactions botched so badly that they have burst into flames, burning brands in the process.
Dealing With Hackers #01: Don’t Panic
The first thing to remember is not to panic. If a security researcher (white hat hacker) tells you about a hole in your security they found, this is a good thing and infinitely preferable to one of the bad guys finding it and not telling you. You should be pleased that a white hat hacker has taken the time to report the vulnerability to you and remember that they probably stumbled across it rather than ‘hacked you’.
Think of tools like Shodan as being like Google, but instead of indexing web content via ports 80 (HTTP) or 443 (HTTPS) as Google does, Shodan searches the Web for devices that respond on a number of other ports, such as 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 443, 3389 (RDP) and 5900 (VNC), allowing searches for webcams, industrial control systems, routers, firewalls, CCTV systems, power grids and your organization’s IT infrastructure.
If you put servers and services on the internet and fail to secure them properly, these automated tools will find them and alert the researcher; it’s just a matter of time. If your online assets are important enough and the vulnerability is serious enough, the researcher will reach out and try to contact you. They are trying to warn you.
If a black-hat security researcher found it first you wouldn’t be contacted; instead you would see your data for sale on the dark net, or the vulnerability exploited for criminal gain. It could also be sold on through established vulnerability markets like Zerodium or 0dayToday to the highest bidder. The bad guys will never warn you.
What Do The Hackers Want?
They want you to fix your security hole. This article intends to lay out some best practices, sensible next steps and common sense guidance for dealing with a ‘hackers found holes in your security’ situation in a proactive, legal and ethical way.
Security researchers are naturally wary: too many times before we have seen security researchers threatened with legal action, attacked, sued, slurred, accused and arrested when they try to tell organizations about their security vulnerabilities.
When a security researcher contacts you they are trying to tell you that they found some of your stuff online, be it an online database, a data archive, an app, an insecure web server or some sort of online service which contains an obvious and public facing vulnerability that they have stumbled across. They want you to fix it.
They are trying to warn you about it in the hope that you do something about it before somebody who is criminally minded does something about it for you. Most of the time they have to resort to contacting you on social media because it is a legitimate point of contact when no other point of contact exists, or because you have blatantly ignored their emails and failed to acknowledge them.
You have to understand that most of the time your security vulnerability is just another blip that has appeared on the researcher’s scanner; hardly ever have they ‘hacked’ you, and if they had, they would not be trying to warn you about it.
Never Ignore The Researcher
Never stick your head in the sand when a researcher contacts you, ignoring them in the hope they will go away is one of the worst things that you can do.
Nobody likes being ignored, especially if they are trying to warn you about a potentially serious vulnerability, and there is no profit to be found in ignoring somebody who tells you about one of yours. If anything, you will infuriate a stranger who knows about a potentially valuable and serious vulnerability in your cybersecurity setup.
The bare minimum you need to do is email the researcher to say thank you and inform them that you will look into the vulnerability immediately. This will put them at ease, because you have reassured them that you are working on a fix.
If you ignore the researcher and the vulnerability there is a very real risk that they could go public with it, forcing your hand and embarrassing you in front of your audience because you left them no other choice. All the researcher wants is for you to fix your security hole and they will publicly disclose if you ignore them.
Never Threaten The Researcher Legally
Sometimes organizations that are not cybersecurity conscious will react with a knee jerk and seek legal advice. Lawyers (being lawyers) will immediately advise their clients to try to silence the researcher with the threat of legal action, and it almost always results in negative publicity. Threatening a researcher who tried to warn you about a security hole in your business with legal action is the worst thing you can do and will earn you the vocal condemnation of the infosec space and a negative listing here.
It makes no sense to legally threaten security researchers who act in good faith to disclose a vulnerability when they are not a threat to your business. All you are really doing is informing your customers and partners that you do not understand the legitimate and legal work that researchers are performing. You are also announcing to black hat hackers that you do not follow best practices when it comes to dealing with security vulnerabilities and probably have other holes in your security.
Don’t be like Keeper Security, drone maker DJI, or River City Media and earn the ire and scorn of the infosec space and the media, resulting in bad PR. Follow the lead of Dropbox and Tesla and have clear vulnerability disclosure notices promising that you will not prosecute hackers acting in good faith. This is a best-practice approach.
Never Attack The Researcher Or Dismiss The Report
Please do not belittle, mock, or dismiss the security researchers on Twitter, as T-Mobile did shortly before they suffered a catastrophic data breach.
T-Mobile responding like this to a security researcher on social media made them look incompetent, especially when a couple of months later they suffered a huge data breach affecting two million users. It made them look like clowns.
Don’t be like 63Red and engage in public attacks on researchers, or like Atrient, who issued press releases containing a pack of lies attacking the security researchers who were trying to help them fix their atrocious security issues. When you go on the attack it attracts anger from the cybersecurity space and the attention of black hats, who know you are probably ripe to criminally exploit using a known vulnerability.
The Helme-Gibbs Scale Of Response
The graphic below was created by security researchers as a guide to the damage you can cause your brand by botching your response to vulnerability disclosures.
As you can see, it ranges from category one, with no significant damage because you acknowledged the researcher’s contribution, to category three, when you issue legal threats and personal attacks, all the way through to category five, which results in a major loss of customers, the global media ridiculing you and an impact on investment.
This graphic is meant to be a tongue in cheek guide, created by Mike Thompson and Ian Thornton-Trump, based on comments from Scott Helme and Andrew Tierney, but it is still very accurate from what I have seen over the last few years in the cybersecurity space. You want to always be in category one if possible…
Consider Paying Out A Bounty – or Offering Swag
Paying out money to a researcher who found a hole in your security can feel like a shakedown and while I can understand this, I also see how misguided and unhelpful this attitude can be in the real world. Understand that a shakedown from a black hat hacker does not come in the form of a vulnerability disclosure, they prefer to use ransomware, data theft and fraud in order to extract their value. Thinking of a disclosure as a shakedown is a reflection of your own insecurity rather than reality.
Remember that the value of your vulnerability on the black market is much higher than whatever you plan to reward the researcher and that they could have easily sold your vulnerability to people who would use it for criminal financial gain.
If you want to reap the benefits of positive PR, be like Google, who gave a teenager $10k for finding a serious vulnerability, or any of these companies who regularly pay out bounties to researchers in return for ethical vulnerability disclosures because they recognize the value in researchers finding bugs before cybercriminals do.
If you are a small business that cannot afford a large bounty payment, just tell the researcher and send them a nice letter with a $20 bill in it. The important thing is to acknowledge their work, and remember that it is usually not about the money for the researcher; they are usually happy to help out. Most researchers are never properly rewarded for their efforts, and ethical hackers would never ask you for a bounty before disclosing a vulnerability to you. It’s best practice to reward researchers, and if you need them to, they may well sign an NDA in return, effectively buying their silence.
Use Non Disclosure Agreements The Right Way
Few companies want a researcher publicly disclosing their security holes on Twitter or in a blog post, so make sure you get researchers to sign an NDA. Understand, though, that the researcher has zero legal obligation to sign an NDA with you if you offer nothing in return, so reward them with a bounty in exchange.
Whatever you do, do not try to get a researcher to sign an NDA in order to cover up the vulnerability; it’s just as bad as threatening legal action and it will still leave you vulnerable to the real threats. An NDA does not fix your security or protect you from black hat hackers, who will use the vulnerability for criminal gain if it is left unresolved. The NDA buys the researcher’s silence while you properly resolve the security issue and protect your IT infrastructure, data, customers, employees and shareholders.
Immediately Work To Resolve The Vulnerability
One way or another you have to resolve the vulnerability and plug the hole in your security, because if one researcher found it then it’s only a matter of time before somebody else does. The longer this vulnerability is left unresolved, the more risk you expose your organization to; the real threat to your reputation and the security of your business is a failure to resolve serious vulnerabilities when they are disclosed, and not the security researcher who is trying to warn you about the risk before it gets ugly.
Bring in professional contractors if you have to, but if you have no budget or resources to bring in the expertise you can always consider asking the researcher to help you resolve the problems themselves, usually they will be pleased to help you fix the holes in your security. Remember that these are guys who want to do good.
If you cannot afford to fix the vulnerability by bringing in professionals, or hiring your own security people, you need to trust the researcher and throw them a few dollars to help you fix the problem. Just make sure you do things properly and have the researcher sign a legal penetration testing agreement outlining the scope of the work, this protects you, the work and the security researcher legally.
Make It Easy For Researchers To Contact You In Future
I see security researchers on social media all the time becoming frustrated with companies and brands because they have no clear way to notify the right people and the people they can contact do not understand what the researcher is reporting.
Make sure you have a “security@…” email address, monitored by someone who is at least a little knowledgeable when it comes to infosec: most infosec researchers will gladly take it from there. This is best practice at some of the world’s largest organizations. If you make it easy for researchers to contact you, it shows you care about finding vulnerabilities in your infrastructure and possess cyber awareness.
Spread Around The Good Vibes For Researchers
With the press screaming about data breaches, cyberattacks, cybercriminals and malicious hackers, it is too easy for the technically inexperienced to mistake security researchers acting in good faith for malicious operators or black hat hackers, so spread word of the good guys out there, the white hats fighting the good fight.
Vulnerability research, discovery and disclosure are critical elements in our modern and highly digitized society, so much so that the US National Institute of Standards and Technology recognizes that white hat vulnerability disclosure is a hugely important part of effective cybersecurity in its public Cybersecurity Framework.
White hat public service strengthens the cybersecurity of our economy over the long term, so spread around some good vibes for the white hat hackers out there. A vulnerability disclosure is like getting a visit from the tooth fairy: it sucks to lose a tooth, but you clearly profit from having a friendly tooth fairy pay you a visit.
Editor’s note: This guest post from Guise Bule has a slightly different flavour to much of Computer Business Review’s fare, with its inherent sympathy for some of the often misunderstood and non-professional security researchers of the cybersecurity world.
As the founder of Secjuice.com, a non-profit writing club focused on information security, network security, social engineering and open source intelligence (OSINT), Guise tells Computer Business Review: “I work with a group of 100+ emerging writers who are mostly young infosec researchers, so I am very sympathetic to the trials and tribulations that they face as they go about mastering their craft in the real world.”
“The infosec space faces a unique challenge in that we have to persuade our young not to do something stupid and break the law [as for those with skills the opportunities are tempting when young]. I believe that we need to support and take pride in the security researchers who do act in good faith on a consistent basis when dealing with vulnerability disclosures. That’s what inspired this post.”