Priyanka Aash, profile picture
Uploaded byPriyanka Aash
305 views

How To Handle Breach Disclosures? Bug Bounty, Coordinated Vulnerability Disclosures and more..

The document outlines best practices and guidelines for handling breach disclosures, emphasizing the importance of vulnerability disclosure policies (VDP) and real-time monitoring of sensitive data exposures. Key findings include significant data vulnerabilities from open databases, code leaks, and misconfigured cloud resources. It also provides resources and templates for creating effective VDPs and communication strategies in the event of a data breach.

Technology
Related topics:
Information Security

Embed presentation

Download to read offline
How To Handle Breach Disclosure FireCompass Bikash Barai, Co-founder FireCompass
Contents • Publicly available breach risk information • What is VDP? • Standards and Frameworks • Guidelines • Best Practices
Part 1: Publicly Available Breach Risk Information
Our Experiment On Indexing Breach Indicators • Continuous monitoring of internet, deep and dark web to collect insecure services, sensitive data and leaked credentials. • Real time sampling of exposed data, sensitivity analysis and generate alert on the fly. • Real-time attribution of flaws and sensitive data to the organizations.
Database Exposure • # of open databases (Mysql, Mongo, ES, Redis): 500K • # Sample Size of Data Exposed: ~ 20 TB • # of open databases in India: 5K
Code Leaks • Sample Enterprise Code Leaks: 12K + • 15% of cases internal employees leaked credentials, keys and sensitive information such as private keys, AD passwords, mail server passwords, even Pay slips. • CI/CD tools such as Jenkins, GoCD etc. leads to exposed code and remote code execution.
Exposed & Open DevOps Tools SonarQube Installation, 4816 Docker Installation, 4761 etcd exposure, 2446 Unauthenticated Jenkins, 3021 SonarQube Installation Docker Installation etcd exposure Unauthenticated Jenkins
Open Cloud Resources • +10K public Elastic Block Store (EBS) snapshots from 3,213 accounts. • +400 public Relational Database Service (RDS) snapshots from 200+ accounts. • +700K public Amazon Machine Images (AMIs) from +20K accounts. • +16K public IPs of exposed AWS managed ElasticSearch clusters that could have their contents stolen or data possibly deleted - this means 17% of AWS-managed ElasticSearch servers with public IPs were misconfigured. • More than 500 Million AWS Buckets Indexed hosting Terabytes of Data.
Exposed Network Services • 80% of large organisations has • Multiple exposed UAT servers • Vulnerable WordPress/Zoomla • Telnet/FTP • Open vulnerable routers • 30% of organizations had • Open LDAP • Open RDP • Open SMB/RPC Open VNCs 5147 ‘wormable’ Windows vulnerability 490000 Open SMBs 459223
Samsung Electronic Billboards 0% Gas Station Pump Controllers 56% Automatic License Plate Readers 0% Traffic Light Controllers / Red Light Cameras 0% Railroad Management 2% Door / Lock Access Controllers 3% DICOM Medical X-Ray Machines 18% Siemens Industrial Automation 12% GaugeTech Electricity Meters 1% C4 Max Commercial Vehicle GPS Trackers 8% Samsung Electronic Billboards Gas Station Pump Controllers Automatic License Plate Readers Traffic Light Controllers / Red Light Cameras Railroad Management Door / Lock Access Controllers DICOM Medical X-Ray Machines Siemens Industrial Automation GaugeTech Electricity Meters C4 Max Commercial Vehicle GPS Trackers Open Industrial Control Systems
CVEs we discovered.. • CVE-2008-7020 ( link ) McAfee SafeBoot Device Encryption 4 • CVE-2008-6661 ( link ) Multiple integer overflows in the scanning engine in Bitdefender • CVE-2008-6846 ( link ) Multiple stack-based buffer overflows in avast! • CVE-2008-6903 ( link ) Sophos Anti-Virus • CVE-2008-3893 ( link ) Microsoft Bitlocker • CVE-2008-7020 ( link ) McAfee SafeBoot Device Encryption • CVE-2009-1062 ( link ) Adobe Acrobat Reader
Part 2: How To Handle A Breach Disclosure
What is Vulnerability Disclosure Policy (VDP) • Guidelines and defined process for submitting potentially unknown and harmful security vulnerabilities to organizations. • Brand Promise • Initial Program & Scope: • Assurance • Communication mechanism and process • Preferences and prioritizations.
ISO/IEC 29147:2014 - Vulnerability disclosure • provides guidelines for vendors on how to receive information about potential vulnerabilities in their products or online services, • provides guidelines for vendors on how to disseminate resolution information about vulnerabilities in their products or online services, • provides the information items that should be produced through the implementation of a vendor's vulnerability disclosure process, and • provides examples of content that should be included in the information items. • https://www.iso.org/standard/45170.html
Other Guidelines • United States Department of Defense • Food and Drug Administration • National Highway Traffic Safety Administration • National Telecommunications and Information Administration • National Institute of Standards and Technology • Federal Trade Commission.
Sample Vulnerability Disclosure Program • SalesForce • https://trust.salesforce.com/en/security/responsible-disclosure-policy/ • Cloudflare • https://www.cloudflare.com/disclosure/ • Amazon • https://aws.amazon.com/security/vulnerability-reporting/
Coordinated Vulnerability Disclosure – Guideline & Sample Template • Coordinated Vulnerability Disclosure Template - NTIA Safety Working Group - • Sample – Acme Corp • https://www.ntia.doc.gov/files/ntia/publications/ntia_vuln_disclosure_earl y_stage_template.pdf • CERT Guideline • https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_50 3340.pdf
Building a Program • Create a VDP page which is easy to access • Build an effective communications team and process • Create and follow a written internal process/playbook to handle disclosures • Decide whether you should have a bug – bounty program (You may or may not be ready for it) • Be proactive. (Try to) Know your attack surface before hackers do .
Communication Strategies • Respond to researchers (immediately) • Be Nice – Thank them (at least). Give some goodies if you want. • Don’t be arrogant or defensive (We don’t need more enemies) • Get level headed persons to coordinate with hackers • If research organizations want press release, then try to do it jointly or be part of it to influence the messaging/dates • Internal communication (before public release) for all your stake holders including board/customers etc.
Thank You

More Related Content

PDF
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
byNorth Texas Chapter of the ISSA
 
PPTX
Evento 15 aprile
byLan & Wan Solutions
 
PPTX
160415 lan and-wan-ctap
byLan & Wan Solutions
 
PDF
Securing the Enterprise with Application Aware Acceptable Use Policy
byAllot Communications
 
PPTX
ATP
byLan & Wan Solutions
 
PDF
Brochure swascan ENG
bySWASCAN
 
PPSX
CTAP
byLan & Wan Solutions
 
PDF
The Anatomy of Comment Spam
byImperva
 
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
byNorth Texas Chapter of the ISSA
 
Evento 15 aprile
byLan & Wan Solutions
 
160415 lan and-wan-ctap
byLan & Wan Solutions
 
Securing the Enterprise with Application Aware Acceptable Use Policy
byAllot Communications
 
ATP
byLan & Wan Solutions
 
Brochure swascan ENG
bySWASCAN
 
CTAP
byLan & Wan Solutions
 
The Anatomy of Comment Spam
byImperva
 

What's hot

PPT
Juniper idp overview
byMohamed Al-Natour
 
PPTX
Hide and seek - Attack Surface Management and continuous assessment.
byEoin Keary
 
PPTX
Swascan Cyber Security Testing Platform
byPierguido Iezzi
 
PPTX
Making the Case for Stronger Endpoint Data Visibility
bydianadvo
 
PPTX
The road towards better automotive cybersecurity
byRogue Wave Software
 
PDF
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
byRapid7
 
PPTX
CYBER THREAT ASSESSMENT
byLan & Wan Solutions
 
PPTX
The cyber house of horrors - securing the expanding attack surface
byJason Bloomberg
 
PPTX
Forti web
byLan & Wan Solutions
 
PDF
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
byITCamp
 
PPTX
Outpost24 webinar: best practice for external attack surface management
byOutpost24
 
PPTX
How can you deliver a secure product
byMichael Furman
 
PPTX
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
byOutpost24
 
PDF
Protect Your Infrastructure: Basics of Cloud Security | Fpwebinar
byFpweb
 
DOC
Deepika_Resume
byDeepika Siveraj
 
PDF
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
byOutpost24
 
PPTX
Basics of Security Testing
byKarthikeyanRajendran27
 
PPTX
The Internet of Everything is Here
byLancope, Inc.
 
PDF
Akila srinivasan microsoft-bug_bounty-(publish)
byPacSecJP
 
PDF
BAI Security - Brochure - Compromise Assessment
byPrahlad Reddy
 
Juniper idp overview
byMohamed Al-Natour
 
Hide and seek - Attack Surface Management and continuous assessment.
byEoin Keary
 
Swascan Cyber Security Testing Platform
byPierguido Iezzi
 
Making the Case for Stronger Endpoint Data Visibility
bydianadvo
 
The road towards better automotive cybersecurity
byRogue Wave Software
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
byRapid7
 
CYBER THREAT ASSESSMENT
byLan & Wan Solutions
 
The cyber house of horrors - securing the expanding attack surface
byJason Bloomberg
 
Forti web
byLan & Wan Solutions
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
byITCamp
 
Outpost24 webinar: best practice for external attack surface management
byOutpost24
 
How can you deliver a secure product
byMichael Furman
 
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
byOutpost24
 
Protect Your Infrastructure: Basics of Cloud Security | Fpwebinar
byFpweb
 
Deepika_Resume
byDeepika Siveraj
 
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
byOutpost24
 
Basics of Security Testing
byKarthikeyanRajendran27
 
The Internet of Everything is Here
byLancope, Inc.
 
Akila srinivasan microsoft-bug_bounty-(publish)
byPacSecJP
 
BAI Security - Brochure - Compromise Assessment
byPrahlad Reddy
 

Similar to How To Handle Breach Disclosures? Bug Bounty, Coordinated Vulnerability Disclosures and more..

PDF
4th ICANN APAC-TWNIC Engagement Forum and 39th TWNIC OPM:APNIC Vulnerability ...
byAPNIC
 
PDF
Enumerating your shadow it attack surface
byPriyanka Aash
 
DOCX
Globally.docx
byGermanERuizCorrales
 
PPTX
VAPT - Vulnerability Assessment & Penetration Testing
byNetpluz Asia Pte Ltd
 
PDF
OpenNebulaConf2015 1.14 Are Today’s FOSS Security Practices Robust Enough in ...
byOpenNebula Project
 
PPTX
Vulnerability_Management.pptx
byShriya Rai
 
PPTX
Vapt life cycle
bypenetration Tester
 
PDF
Voices of Vulnerability Disclosure Policy
byHackerOne
 
PDF
Stu w21 a
bySelectedPresentations
 
PPT
M Kamens Iia Financial Services Presentation At Disney
bykamensm02
 
PPTX
HIPAA 101 Compliance Threat Landscape & Best Practices
byHostway|HOSTING
 
PPT
Bank World 2008 Kamens 04 29 08
bykamensm02
 
PPTX
Vulnerability Management
byjustinkallhoff
 
PPTX
How to Perform Continuous Vulnerability Management
byIvanti
 
PDF
KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...
byCasey Ellis
 
PDF
Vulnerability Management – Opportunities and Challenges!
byOutpost24
 
DOCX
Riordan Network VulnerabilitiesVulnerabilityThreatProbabil.docx
byjoellemurphey
 
PDF
Best Practices to Cybersecurity Vulnerability Management,.pdf
byTuan Yang
 
PPTX
AppSecEU2016-Amol-Sarwate-2016-State-of-Vulnerability-Exploits.pptx
byEthioTelecom_Getahun Biratu
 
PPTX
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
bylior mazor
 
4th ICANN APAC-TWNIC Engagement Forum and 39th TWNIC OPM:APNIC Vulnerability ...
byAPNIC
 
Enumerating your shadow it attack surface
byPriyanka Aash
 
Globally.docx
byGermanERuizCorrales
 
VAPT - Vulnerability Assessment & Penetration Testing
byNetpluz Asia Pte Ltd
 
OpenNebulaConf2015 1.14 Are Today’s FOSS Security Practices Robust Enough in ...
byOpenNebula Project
 
Vulnerability_Management.pptx
byShriya Rai
 
Vapt life cycle
bypenetration Tester
 
Voices of Vulnerability Disclosure Policy
byHackerOne
 
Stu w21 a
bySelectedPresentations
 
M Kamens Iia Financial Services Presentation At Disney
bykamensm02
 
HIPAA 101 Compliance Threat Landscape & Best Practices
byHostway|HOSTING
 
Bank World 2008 Kamens 04 29 08
bykamensm02
 
Vulnerability Management
byjustinkallhoff
 
How to Perform Continuous Vulnerability Management
byIvanti
 
KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...
byCasey Ellis
 
Vulnerability Management – Opportunities and Challenges!
byOutpost24
 
Riordan Network VulnerabilitiesVulnerabilityThreatProbabil.docx
byjoellemurphey
 
Best Practices to Cybersecurity Vulnerability Management,.pdf
byTuan Yang
 
AppSecEU2016-Amol-Sarwate-2016-State-of-Vulnerability-Exploits.pptx
byEthioTelecom_Getahun Biratu
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
bylior mazor
 

More from Priyanka Aash

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 

Recently uploaded

PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PDF
December Patch Tuesday
byIvanti
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
PDF
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
software-security-intro in information security.ppt
byismaeelsahib032
 
December Patch Tuesday
byIvanti
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
cybercrime in Information security .pptx
byismaeelsahib032
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 

How To Handle Breach Disclosures? Bug Bounty, Coordinated Vulnerability Disclosures and more..

  • 1.
    How To HandleBreach Disclosure FireCompass Bikash Barai, Co-founder FireCompass
  • 2.
    Contents • Publicly availablebreach risk information • What is VDP? • Standards and Frameworks • Guidelines • Best Practices
  • 3.
    Part 1: PubliclyAvailable Breach Risk Information
  • 4.
    Our Experiment OnIndexing Breach Indicators • Continuous monitoring of internet, deep and dark web to collect insecure services, sensitive data and leaked credentials. • Real time sampling of exposed data, sensitivity analysis and generate alert on the fly. • Real-time attribution of flaws and sensitive data to the organizations.
  • 5.
    Database Exposure • #of open databases (Mysql, Mongo, ES, Redis): 500K • # Sample Size of Data Exposed: ~ 20 TB • # of open databases in India: 5K
  • 6.
    Code Leaks • SampleEnterprise Code Leaks: 12K + • 15% of cases internal employees leaked credentials, keys and sensitive information such as private keys, AD passwords, mail server passwords, even Pay slips. • CI/CD tools such as Jenkins, GoCD etc. leads to exposed code and remote code execution.
  • 7.
    Exposed & OpenDevOps Tools SonarQube Installation, 4816 Docker Installation, 4761 etcd exposure, 2446 Unauthenticated Jenkins, 3021 SonarQube Installation Docker Installation etcd exposure Unauthenticated Jenkins
  • 8.
    Open Cloud Resources •+10K public Elastic Block Store (EBS) snapshots from 3,213 accounts. • +400 public Relational Database Service (RDS) snapshots from 200+ accounts. • +700K public Amazon Machine Images (AMIs) from +20K accounts. • +16K public IPs of exposed AWS managed ElasticSearch clusters that could have their contents stolen or data possibly deleted - this means 17% of AWS-managed ElasticSearch servers with public IPs were misconfigured. • More than 500 Million AWS Buckets Indexed hosting Terabytes of Data.
  • 9.
    Exposed Network Services •80% of large organisations has • Multiple exposed UAT servers • Vulnerable WordPress/Zoomla • Telnet/FTP • Open vulnerable routers • 30% of organizations had • Open LDAP • Open RDP • Open SMB/RPC Open VNCs 5147 ‘wormable’ Windows vulnerability 490000 Open SMBs 459223
  • 10.
    Samsung Electronic Billboards 0% GasStation Pump Controllers 56% Automatic License Plate Readers 0% Traffic Light Controllers / Red Light Cameras 0% Railroad Management 2% Door / Lock Access Controllers 3% DICOM Medical X-Ray Machines 18% Siemens Industrial Automation 12% GaugeTech Electricity Meters 1% C4 Max Commercial Vehicle GPS Trackers 8% Samsung Electronic Billboards Gas Station Pump Controllers Automatic License Plate Readers Traffic Light Controllers / Red Light Cameras Railroad Management Door / Lock Access Controllers DICOM Medical X-Ray Machines Siemens Industrial Automation GaugeTech Electricity Meters C4 Max Commercial Vehicle GPS Trackers Open Industrial Control Systems
  • 11.
    CVEs we discovered.. •CVE-2008-7020 ( link ) McAfee SafeBoot Device Encryption 4 • CVE-2008-6661 ( link ) Multiple integer overflows in the scanning engine in Bitdefender • CVE-2008-6846 ( link ) Multiple stack-based buffer overflows in avast! • CVE-2008-6903 ( link ) Sophos Anti-Virus • CVE-2008-3893 ( link ) Microsoft Bitlocker • CVE-2008-7020 ( link ) McAfee SafeBoot Device Encryption • CVE-2009-1062 ( link ) Adobe Acrobat Reader
  • 12.
    Part 2: HowTo Handle A Breach Disclosure
  • 13.
    What is VulnerabilityDisclosure Policy (VDP) • Guidelines and defined process for submitting potentially unknown and harmful security vulnerabilities to organizations. • Brand Promise • Initial Program & Scope: • Assurance • Communication mechanism and process • Preferences and prioritizations.
  • 14.
    ISO/IEC 29147:2014 -Vulnerability disclosure • provides guidelines for vendors on how to receive information about potential vulnerabilities in their products or online services, • provides guidelines for vendors on how to disseminate resolution information about vulnerabilities in their products or online services, • provides the information items that should be produced through the implementation of a vendor's vulnerability disclosure process, and • provides examples of content that should be included in the information items. • https://www.iso.org/standard/45170.html
  • 15.
    Other Guidelines • UnitedStates Department of Defense • Food and Drug Administration • National Highway Traffic Safety Administration • National Telecommunications and Information Administration • National Institute of Standards and Technology • Federal Trade Commission.
  • 16.
    Sample Vulnerability DisclosureProgram • SalesForce • https://trust.salesforce.com/en/security/responsible-disclosure-policy/ • Cloudflare • https://www.cloudflare.com/disclosure/ • Amazon • https://aws.amazon.com/security/vulnerability-reporting/
  • 17.
    Coordinated Vulnerability Disclosure– Guideline & Sample Template • Coordinated Vulnerability Disclosure Template - NTIA Safety Working Group - • Sample – Acme Corp • https://www.ntia.doc.gov/files/ntia/publications/ntia_vuln_disclosure_earl y_stage_template.pdf • CERT Guideline • https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_50 3340.pdf
  • 18.
    Building a Program •Create a VDP page which is easy to access • Build an effective communications team and process • Create and follow a written internal process/playbook to handle disclosures • Decide whether you should have a bug – bounty program (You may or may not be ready for it) • Be proactive. (Try to) Know your attack surface before hackers do .
  • 19.
    Communication Strategies • Respondto researchers (immediately) • Be Nice – Thank them (at least). Give some goodies if you want. • Don’t be arrogant or defensive (We don’t need more enemies) • Get level headed persons to coordinate with hackers • If research organizations want press release, then try to do it jointly or be part of it to influence the messaging/dates • Internal communication (before public release) for all your stake holders including board/customers etc.
  • 20.