MOBILIZING THE CYBERSECURITY CROWD
Building the ecosystem for smart people to work for you
Data Privacy Asia 2015: Your Business Imperative, 25 – 27 August 2015



[email protected]

sg.linkedin.com/in/weichieh

@weichieh

Wei Chieh Lim, Hive Master

We mobilize a crowdsourced team of global cyber security experts to deliver security assessments.

Engaging the Swarm means you pay only for exploitable and validated vulnerabilities, and never for the time spent.

Get Real Global Expertise. Pay Only for Results.


SOLVING THE EQUATION

> Risk = ƒ(Threat, Vulnerability, Impact)

> What do you have control over?


SOFTWARE VULNERABILITIES UNAVOIDABLE

[Chart: Q (vulnerabilities) against t (time), with releases R1.1, R1.2, R1.3, R2.0, R2.1, R2.2 marked on the time axis; the area under the curve is labelled Exposure]

> Exponential increase
> Application complexity
> Vulnerabilities interplay


DIFFERENT VULNERABILITY CURVES

[Chart: Q against t, two curves labelled Application complexity and Security vulnerabilities]

Vulnerability curve depends on:
> Secure development process
> Developer's training and awareness
> Knowledge management of lessons learnt


NO SECURITY ASSESSMENTS

[Chart: Q against t; with no assessments the whole area under the vulnerability curve is labelled Exposure]


USING APPLICATION VULNERABILITY SCAN

[Chart: Q against t, area under the curve labelled Exposure]

False positives = Wasted resources

Discovered vulnerabilities = Reduce Exposure

> Limited impact on the curve gradient

> Depends on capability of the tool, user and process


IS ANNUAL PENETRATION TESTING ENOUGH?

[Chart: Q against t, area labelled Exposure; the annual penetration test is a single point on the time axis, leaving 300+ days between tests]

Discovered vulnerabilities = Change curve

Annual Penetration Testing: 300+ days between tests

> Still a long exposure period

> Depends on tester’s time, motivation and capabilities


DOING IT A LOT MORE OFTEN

[Chart: Q against t, area labelled Exposure; frequent assessments pull the curve down]

Discovered vulnerabilities = Flatten curve

"Continuous"?
> Test Early, Test Often, Test Forward?
> Constrained by budget (staff, services spend)
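To make the argument of the last four slides concrete, here is an added example (not part of the deck) that computes exposure in vulnerability-days for a constructed stream of vulnerabilities under annual, quarterly and weekly assessment. The model uses the deck's own simplifications, stated in the docstrings: every assessment discovers everything that is open at that moment, and exposure ends at discovery (an optional fix lag can be added); the input stream and the one-year horizon are assumptions of this example.

```python
def assessment_schedule(cadence_days, horizon_days):
    """Assessment dates for a fixed cadence: day cadence, 2*cadence, ... up to the horizon."""
    return list(range(cadence_days, horizon_days + 1, cadence_days))


def exposure_vuln_days(intro_days, test_days, horizon_days, fix_days=0):
    """Total exposure in vulnerability-days over the horizon.

    Simplifications taken from the deck: every assessment finds every open
    vulnerability, and exposure ends fix_days after discovery (0 reproduces the
    deck's 'discovered = exposure reduced'). Anything not found before the horizon
    stays exposed to the end of it.
    """
    total = 0
    for introduced in intro_days:
        found = next((t for t in test_days if t >= introduced), None)
        end = horizon_days if found is None else min(found + fix_days, horizon_days)
        total += end - introduced
    return total


def compare_cadences(intro_days, horizon_days=365, fix_days=0):
    """Exposure of the same codebase under annual, quarterly and weekly assessment."""
    cadences = {"annual": 365, "quarterly": 90, "weekly": 7}
    return {
        name: exposure_vuln_days(intro_days, assessment_schedule(c, horizon_days),
                                 horizon_days, fix_days)
        for name, c in cadences.items()
    }


if __name__ == "__main__":
    # Constructed input: one new vulnerability every 10 days across a year.
    steady = list(range(0, 365, 10))
    for name, days in compare_cadences(steady).items():
        print(f"{name:10s} {days:6d} vulnerability-days")
```

For the constructed stream the annual test leaves 6,845 vulnerability-days of exposure, quarterly 1,530 and weekly 116: the gain comes from the average wait of half a cadence, not from finding more per test. Pass a non-zero fix_days to see how remediation lag, which the deck leaves out, adds a fixed amount per vulnerability regardless of cadence.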


WIDENING SHORTFALL OF INFOSEC PROS

> 1.5 million shortfall by 2020
> Strain on current workforce
> Risk of ineffective & inefficient programmes

Source: The 2015 (ISC)2 Global Information Security Workforce Study, Frost & Sullivan


Outsource?



JOY’S LAW

Joy’s Law: “No matter who you are, most of the smartest people work for someone else.”

Bill Joy, Co-Founder, Sun Microsystems


MOST OF THE SMARTEST PEOPLE WORK… FOR THEMSELVES?

Build an ecosystem for smart people to work towards your goals, instead of relying solely on your employees or your vendors

Crowdsourcing: Access diverse, independent and decentralized global expertise to enhance cybersecurity programmes


HOW DO WE FIND VULNERABILITIES?

> Security Incidents (discovered, reported)
> Bug Reports (customer issues, researcher reports)
> Security Assessment (vulnerability scanning, penetration testing, secure code review)
> Threat Intelligence (data feeds, analytics, vulnerability markets)

Sources range from Proactive (intelligence led) to Reactive (event driven).


PROBLEMS WITH THE TRADITIONAL (“COMPLIANCE APPROACH”) MODEL?

[Diagram: engage → test → report, with the problems below attached to each stage]

> Low cost vicious cycle
> Live with mediocrity
> Difficulty in selecting the right vendor
> Sophisticated testers a dying breed
> False sense of security
> Efficacy gap with real world threats
> Issues not always fixed
> Reports not always useful


HOW DO WE REALISE THE FULL BENEFITS?

> Pay only for results – Vendor selection irrelevant, budget not based on work done
> Self-motivated testers – "natural selection", monetary returns, recognition and reputation of expertise
> Curated real expertise – Authentic, validated and current



CROWDSOURCED NETWORK OF EXPERTISE

Traditional model (engage → test → report):
> Small team of "experts"
> Long testing period
> Limited focus on fixes

Crowdsourced network of expertise (engage → test → report):
> Proven network of experts
> Shorter testing period
> Detailed fixes and root cause


ANONYMITY: FEAR OF THE FACELESS CROWD

Order to the Chaos:
> Identity Validation
> Background Screening
> Activity Monitoring


AUTHENTICITY: DOUBT IN THE CROWD’S CAPABILITIES

No. of bugs ## | Rep. Points ## | Awards $$

Reputation System

> Curates and authenticates real expertise

> Based on proven successes and authenticated evidence

> Compete and accumulate scores based on bugs discovered


ACCOUNTABILITY: UNCERTAIN ABOUT THE CROWD’S LIABILITIES

Confidentiality Agreement

Rules of Engagement

Liabilities & Indemnities

Contract


SAMPLE PUBLIC BUG BOUNTY PROGRAMS

[Program logos not preserved in extraction; one reward range per program]

> US$500 – ? (US$3M since 2011, 321 bugs in 2014)
> US$100 – 20,000
> US$100 – 20,000
> US$500 – 3,000
> US$500 – 3,000
> US$500 – ?
> US$100 – 5,000
> US$100 – 5,000
> US$100 – 10,000 (~1,000 in 2014)
> US$250 – ?
> Miles 50K – 1M


SAMPLE MANAGED BUG BOUNTY PROGRAMS

[Program logos not preserved in extraction; reward range and number of bugs paid per program]

> US$25 – 10,000 (50 bugs)
> US$50 – 500 (48 bugs)
> US$300 – ? (158 bugs)
> US$140 – ? (179 bugs)
> US$100 – 5,000 (89 bugs)
> US$100 – ? (24 bugs)
> US$? (159 bugs)
> US$216 – ? (76 bugs)
> US$100 – ? (271 bugs)


[Image slide] Source: @fjvva

[Image slide] Source: #oraclefanfic


EXPERIENCE WITH BUG BOUNTY PROGRAMS
Frustration, Anger, Lost, Luck, Excitement


ABOUT HERMAN STEVENS

> Sixties: took countless radios and TVs apart to study their internals from the age of 5
> Seventies: programming TI-58 calculator
> Eighties: ZX Spectrum and Amiga computer
> Nineties: BBS, Fidonet, Usenet; installed Slackware Linux from 24 disks
> Developer (Y2K problems, Cobol, Assembler, Natural, C, Java)
> Security Product Trainer (one of the first WAFs, digital signature product to bypass the US export regulations on crypto)
> Security Consultant
> Payment Card Industry Auditor
> Application Security Consultant
> SwarmMaster at Swarmnetics
> Owner/Director Astyran (application security consultancy)
> Ethical hacker: Synack, Cobalt.io (former Crowdcurity), Bugcrowd
> Still likes to break things

Timeline: Before written history → Seems like ages ago → Current Day


WHY DID I JOIN?

Usually work for a consultancy firm as sub-contractor
> Work that I also like to do is done by other consultants
> I get to do work when the consultancy company does not have the experience
  º Often very similar work (financial industry, payment processors, …)
  º Often very similar applications (millions of lines of Java)
  º Not very challenging after a while
> No visibility in how good you are (non-disclosure arrangements)

Bug Bounties offered me
> Lots of exciting new technology, keep myself up-to-date
> Visibility in what I can do
> Some monetary awards


I KNOW WHAT I DID LAST WEEKEND


COMPANY OR PROVIDER MANAGED BUG BOUNTY PROGRAM?

Company-Managed
> Manages own programs (usually public)
> May not have quality reviewers, as most are developers with limited security background needed to assess the validity or criticality of a reported bug ("customer is always right … even when he is wrong")
> May have vague reward structure with slow response due to volume of reports

Provider-Managed
> Acts as "trusted" party between researcher and company
> Contracts with company and has agreement with researchers
> Has expert reviewers, less room for discussion
> Takes care of payments and rewards
> Has reputation system for ranking of researchers


COMPARISON OF BUG BOUNTY PROVIDERS

[Provider logos not preserved in extraction; one entry per provider]

Free for All (no apparent checks):
> 1,600 researchers
> 12,000 researchers
> 251 researchers (limited # programs)
> 1,200 researchers (formerly CrowdCurity)

Vetted entry:
> 55 researchers; background checks; stringent assessment (80% don't make the cut); requires signed agreement
> 20 researchers; background checks; prove authenticated expertise (e.g. other platform rankings); requires signed agreement


MISTAKE – NOT READING THE FINE PRINT

> Started with Bugcrowd
> Bugcrowd has "sprints" (usually two weeks)
> Researchers are paid for 1st, 2nd and 3rd position (based on # of bugs, no difference between high/medium/low)
> Rest of money divided among researchers not in top-3 but with vulnerabilities not found by top-3

I joined, found one high rated item (Stored Cross-Site Scripting) and stopped there (did not read the rules)


FRUSTRATION – DUPLICATES

Duplicates (other researcher was faster) are not awarded


EXCITEMENT – GETTING INVITED

Higher awards, less or no competitors
> Award per bug found (different award for high/medium/low)
> Fixed amount for your time
> Interesting applications (usually very strict NDA)

Sample Assessment
> Target: U.S. application for keeping records and notes about medication, visits and family situation
> Users: Hospital staff, caretakers, doctors
> Goal: Break the 2FA (if new browser used, no access to application)
> Result: Got only user-id and password, not the 2FA token


EXCITEMENT – GETTING INVITED

Mistake 1 – Design
> Login page did not check for the browser, but redirected to the last page visited
> Found out that "/patients/" existed

Mistake 2 – Design
> 2FA was based on browser-check
> Brute-force "/patients/" with different User-Agent HTTP headers

Mistake 3 – Implementation
> Browser check included check on HTTP Accept header
> Modifying header to Accept: */* bypassed the 2FA

Mistake 4 – Implementation
> Allowed for any page to be downloaded as PDF
> Modifying header to Accept: application/pdf bypassed authentication (and 2FA)
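The four mistakes above, modelled as an added example alongside a hardened design. This is not the assessed application's code, which the deck does not show; the mechanics (a "remembered browser" that is nothing more than the User-Agent and Accept headers captured at OTP time, wildcard matching on Accept, and a PDF export branch that runs before the authentication check) are this example's assumptions about how those four findings could arise. The header values and the short User-Agent list are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the doctor's enrolled browser and a small stand-in
# for the User-Agent wordlist an attacker would iterate over.
DOCTOR_HEADERS = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0",
                  "Accept": "text/html,application/xhtml+xml"}
UA_WORDLIST = ["Mozilla/5.0 (Windows NT 6.1; Trident/7.0) like Gecko",
               "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0",
               "Mozilla/5.0 (Macintosh) Safari/600.1.25"]


class VulnerableApp:
    """Models the four mistakes on the slide (assumed mechanics, not the vendor's code)."""

    def __init__(self):
        self.trusted = {}  # user -> (User-Agent, Accept) captured when the OTP was entered

    def complete_2fa(self, user, headers):
        # Mistake 2: the "remembered browser" is nothing but two client-chosen headers
        self.trusted[user] = (headers["User-Agent"], headers["Accept"])

    def request(self, user, path, headers, has_password_session):
        # Mistake 4: the PDF export branch runs before any authentication check
        if headers.get("Accept") == "application/pdf":
            return 200, f"PDF of {path}"
        if not has_password_session:
            # Mistake 1: the redirect echoes the requested path, so an anonymous
            # caller learns which paths exist
            return 302, f"/login?next={path}"
        ua, accept = self.trusted.get(user, (None, None))
        # Mistake 3: Accept is matched with media-type wildcard semantics, so "*/*"
        # satisfies the check whatever was enrolled
        accept_ok = headers.get("Accept") == "*/*" or headers.get("Accept") == accept
        if headers.get("User-Agent") == ua and accept_ok:
            return 200, f"records at {path}"
        return 302, "/2fa"


def bruteforce_user_agent(app, user):
    """Mistake 2 exploited: holding only the password, enumerate User-Agents until one
    is accepted as the 'known browser'; Accept: */* takes the second header out of the search."""
    for ua in UA_WORDLIST:
        status, _ = app.request(user, "/patients/", {"User-Agent": ua, "Accept": "*/*"}, True)
        if status == 200:
            return ua
    return None


class HardenedApp:
    """Device trust lives server-side: an HMAC of a random cookie value, enrolled only by
    a session that actually completed an OTP. Every route, PDF export included, passes
    the same gate, and the anonymous redirect is identical for every path."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.sessions = {}  # session id -> {"user": str, "mfa": bool}
        self.devices = {}   # user -> set of HMAC tags of enrolled device cookies

    def _tag(self, cookie_value):
        return hmac.new(self.key, cookie_value.encode(), hashlib.sha256).digest()

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "mfa": False}
        return sid

    def complete_2fa(self, sid):
        """Called only after the OTP verified; returns the value to set as the
        device cookie (HttpOnly; Secure; SameSite=Strict)."""
        session = self.sessions[sid]
        session["mfa"] = True
        cookie_value = secrets.token_urlsafe(32)
        self.devices.setdefault(session["user"], set()).add(self._tag(cookie_value))
        return cookie_value

    def request(self, sid, path, cookies):
        session = self.sessions.get(sid)
        if session is None:
            return 302, "/login"  # no path echoed: nothing to enumerate
        if not session["mfa"]:
            presented = self._tag(cookies.get("device", ""))
            known = self.devices.get(session["user"], set())
            if not any(hmac.compare_digest(presented, tag) for tag in known):
                return 302, "/2fa"
            session["mfa"] = True
        # Rendering as HTML or PDF is decided here, behind the gate, never before it
        return 200, f"records at {path}"
```

The point of the contrast: in the vulnerable model the second factor is derived from data the client sends, so every header becomes an input the attacker controls; in the hardened model the only thing the client can present is an unguessable random value whose trust was established server-side, and the request handler has one authorization path rather than a separate one per content type.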


Eliminate All Vulnerabilities

www.swarmnetics.com @swarmnetics