I recently visited the new London office of security consultancy IOactive, a company with interesting working environments.
Meeting with founder and president Joshua Pennell and chief technology officer Gunter Ollmann, I began by asking how this company operates as its employees step “in and out” of companies. Pennell explained that clients come to them as they want to work with their people and the typical client – high tech companies and large enterprises, are seeking the best talent.
The way the company works, Pennell said, is that companies approach them when something needs to be done and with companies being hacked “there is no end of work”.
“Companies try to get security and funding that would not have been given last year, but then they get hacked and it will be given this year. The board will give it, the CISO will keep his job and get a war chest, as the CISO is a figurehead and when a hack happens, they get what they want.”
My meeting with IOactive came a few days after Adobe suffered a hack which affected 2.9 million user credentials and saw illegal access to source code. Pennell said that where IOactive steps in is after the event, “to make sure there are no backdoors in and the checks match up to when the breach happened”.
He said: “For organisations who don’t have security, or for IT departments who are not fully staffed, and if you need extra hands to make things happen, you need people to find out what was missed and start doing the forensics on the incident.”
When working on a project, Ollmann said, how long it takes depends on the “quality” of what is already in place, especially as “most large organisations do not have systems in place”: they are not leveraging programming, so consultants often have to start from scratch to clear up their issues.
Pennell said that on one job, IOactive was brought in for an initial 48 hours after a “massive” breach, but 18 months later, they were still getting reports about finding data. “They only had the bare minimum; often security is a tickbox for compliance.”
Ollmann followed by saying that often a project begins by finding out how a company was breached, how far and deep it went and working with organisations to protect more and build up tools to identify issues faster.
“Some cases shouldn’t need to have the organisation focused on incident response more than ten per cent of the time, as the tools are out there, but if you archive everything and then you are breached, then what? Tools are good at facilitating a response, but evolving it into the hearts and minds of enterprises is better, and understanding the risk profile.
“If you don’t follow protection, how can you stand up in a legal front or deal with a certified investigator when there is not enough evidence of what happened or who did it? A blank screen will cause the IT team to rush down and reinstall a desktop, but with 20,000 devices, an organisation will have malware on 50-200 of them, so do you have time to do forensics? No, you just re-image them. With 100,000 staff in a global organisation, it will get down to a speedy process – one organisation I have seen has got that down to 15 minutes.”
Ollmann claimed that if the same five endpoints always boot up infected with malware, that level of blue screen is what we are seeing with an approach to forensic detection, and it shows how much time is spent by the IT team cleaning it up. “From the highest paid person in IT to the helpdesk, they need to be more effective. In an organisation, the security team is always less than the company needs in terms of resources.”
As IOactive seems to move constantly from one bad incident to another, the company claimed that it often finds itself building security set-ups from scratch, while the consultant acts as the “right hand man” to the CISO. With the proposed Cyber Security Directive proposing 24-hour breach notifications, Pennell believed that this was impossible to measure, as “no-one knows what has happened after that time, as some can be detected but there are some you never know about; sometimes IT is just there to keep the lights on”.
When I asked Ollmann about the concept of the consultant working as a “right hand man to the CISO”, he said that it is very much the case of an outsider walking into the conflict zone and having to gain the team’s trust. He said: “There is often a lot of blame going around, and lots of ‘why didn’t you do this or that?’ We are called in as an expert, and a lot is figuring out what happened.
“The blame appropriation is rarely to do with the consultant, but instead we work with the CISO and executive management team on what went wrong, so then we are less a mediator and more on getting things focused, more of a project manager.”
Ollmann claimed that a project can typically last anything from six to nine months, or even up to two years, to shore up against attacks. Pennell said that upon the appointment of a new CISO, the budget is allotted and a consultant will be brought in to spend it in the right areas and on penetration testing plans.
The company has had a growing presence mainly thanks to its research and well-known staff, which includes “car hacker” Chris Valasek and the late Barnaby Jack, but following Pennell’s lead to be more “edgy” and to offer something different, he said he looks for people who offer a certain calibre of personality and skills. “It is people who can code and aspire to come in; we set a bar and if they hit our level, it raises the level of aspiration,” he said.
Then those people are sent into the wild to sort out a problem, which surely takes a thick skin and a balanced head.