IT Security Guru
Vulnerability research and disclosure – the fine line of fairness

by The Gurus
September 7, 2020
in Opinions & Analysis

I recently visited the new London office of security consultancy IOActive, a company with interesting working environments.

Meeting with founder and president Joshua Pennell and chief technology officer Gunter Ollmann, I began by asking how the company operates as its employees step “in and out” of client companies. Pennell explained that clients come to them because they want to work with their people, and that the typical client – high-tech companies and large enterprises – is seeking the best talent.
The way the company works, Pennell said, is that companies approach it when something needs to be done, and with companies being hacked “there is no end of work”.
“Companies try to get security and funding would not have been given last year, but then they get hacked and it will be given this year. The board will give it, the CISO will keep his job and get a war chest as the CISO is a figurehead and when a hack happens, they get what they want.”
My meeting with IOActive came a few days after Adobe suffered a hack which affected 2.9 million user credentials and saw illegal access to source code. Pennell said that where IOActive steps in is after the event, “to make sure there are no backdoors in and the checks match up to when the breach happened”.
He said: “For organisations who don’t have security, or for IT departments who are not fully staffed, if you need extra hands to make things happen, you need people to find out what was missed and start doing the forensics on the incident.”
When working on a project, Ollmann said, how long it takes depends on the “quality” of what is already in place, especially as “most large organisations do not have systems in place”: they are not leveraging programming, and consultants often have to start from scratch to clear up their issues.
Pennell said that on one job, IOActive was brought in for an initial 48 hours after a “massive” breach, but 18 months later they were still getting reports about finding data. “They only had the bare minimum; often security is a tickbox for compliance.”
Ollmann followed by saying that often a project begins by finding out how a company was breached, how far and deep it went and working with organisations to protect more and build up tools to identify issues faster.
“Some cases shouldn’t need to have the organisation focused on incident response more than ten per cent of the time, as the tools are out there, but if you archive everything and then you are breached, then what? Tools are good at facilitating a response, but evolving it into the hearts and minds of enterprises is better, and understanding the risk profile.
“If you don’t follow protection, how can you stand up in a legal front or deal with a certified investigator when there is not enough evidence of what happened or who did it. A blank screen will cause the IT team to rush down and reinstall a desktop, but with 20,000 devices, an organisation will have malware on 50-200 of them, so do you have time to do forensics? No, you just re-image them. With 100,000 staff in a global organisation, it will get down to a speedy process – one organisation I have seen has got that down to 15 minutes.”
Ollmann claimed that if the same five endpoints always boot up infected with malware, that level of blue screen is what we are seeing with an approach to forensic detection, and how much time is spent by the IT team cleaning it up. “From the highest paid person in IT to the helpdesk, they need to be more effective. In an organisation, the security team is always less than the company needs in terms of resources.”
As it seems to be constantly moving from one bad incident to another, the company said it often finds itself building security set-ups from scratch, with the consultant acting as the “right hand man” to the CISO. With the proposed Cyber Security Directive proposing 24-hour breach notifications, Pennell believed that this was impossible to measure, as “no-one knows what has happened after that time, as some can be detected but there are some you never know about, sometimes IT is just there to keep the lights on”.
When I asked Ollmann about the concept of the consultant working as a “right hand man to the CISO”, he said that it is very much the case of an outsider walking into a conflict zone and having to gain the team’s trust. He said: “There is often a lot of blame going around, and lots of ‘why didn’t you do this or that?’ We are called in as an expert, and a lot is figuring out what happened.
“The blame appropriation is rarely to do with the consultant, but instead we work with the CISO and executive management team on what went wrong, so then we are less a mediator and more on getting things focused, more of a project manager.”
Ollmann claimed that a project can typically last anything from six to nine months, or even up to two years, to shore up against attacks. Pennell said that upon the appointment of a new CISO, the budget is allotted and a consultant will be brought in to spend it in the right areas and on penetration testing plans.
The company has had a growing presence mainly thanks to its research and well-known staff, which includes “car hacker” Chris Valasek and the late Barnaby Jack, but following Pennell’s lead to be more “edgy” and to offer something different, he said he looks for people who offer a certain calibre of personality and skills. “It is people who can code and aspire to come in; we set a bar and if they hit our level, it raises the level of aspiration,” he said.
Then those people are sent into the wild to sort out a problem, which surely takes a thick skin and a balanced head.
© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic