04-09-20 - Excuse Me, Your Vulnerability Is Showing
This week's episode of Defense in Depth
Responsible Disclosure
On this episode of Defense in Depth:
Co-host Allan Alford and guest Tom Merritt, host of Daily Tech News Show, discussed:
Manufacturers, software companies, researchers, hackers, and journalists all play a role in responsible disclosure.
Vulnerabilities will exist, they will be found, and how companies want to be alerted about those issues and inform their public are key elements in the process of responsible disclosure.
While there are CERT guidelines for responsible disclosure, there are no real hard and fast rules. There will always be judgement calls involved. But like the doctor's Hippocratic Oath, the goal is to minimize harm.
You can't announce a vulnerability without offering a fix. It's opening the door to the bad guys to come in and cause havoc.
There is a long history of how vulnerabilities have been disclosed. It often was a surprise and malicious. The trend of responsible disclosure and bug bounties has given rise to the legitimacy of white hat hackers and the process of exposing vulnerabilities.
One listener argued that the term "responsible disclosure" implies a moral judgement. He argued that it should be referred to as "coordinated disclosure."
There is still frustration on multiple sides with how responsible disclosure should be handled. Researchers sometimes argue they're not getting recognized or paid. Companies often feel extorted by researchers who want answers on their timelines. And journalists have to weigh the importance and criticality of a vulnerability: should they let people know about it even if there really isn't a good fix yet?
Thanks to this week's sponsor of Defense in Depth, Qualys.
Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.
What makes a CISO Series Video Chat different than all those Zoom calls?
On Tuesday, I announced the relaunch of the CISO Series Video Chat program (info below). Now that we've all been socially distancing, working from home, and engaging in one Zoom call after another, we're getting tired of standard video conferencing. That's why we created the "Hacking" CISO Series Video Chats. CISO Series Video Chats ARE:
A focused open discussion on one cybersecurity topic.
A conversation led by me, David Spark, acting as moderator, and two industry experts.
A really fun opportunity to engage with fellow industry colleagues.
An environment where all ideas, creative, critical, and bad, are warmly welcome and applauded. Everyone's involved in the chatroom or part of the video right when the event begins.
CISO Series Video Chats ARE NOT:
A boring webinar where one person drones on and on and you tune out in the first five minutes.
A tedious lecture where you have to wait for the last 15 minutes to ask a question.
When it's all over, we pull out the best comments from the text chat, and we convert the one hour conversation into a highlights video that we publish the following week.
Get involved! We want you to be a part of our chats, which regularly go live at 10 AM Pacific on Fridays.
Here's the info on our next event:
"Hacking Zero Trust: An hour of critical thinking on what it means to always verify access to people, data, and networks."
WHEN: Friday, April 17th, 2020 at 10 AM
The Difference Between Cybersecurity and Risk Management
If you were to secure a room, you would kick everyone out of the room, lock the doors, and announce the room was secure. But now, since no one can go in the room and use it, it's not functional. That's why discussions of security must really be about risk management, and they need to be about how we make the services people want to use, like the room, functional, explained Bobby Ford, VP, Global CISO, Unilever, in our conversation at Cybertech in Tel Aviv.
Ford and I went into a long discussion about risk management and who should own the risk. We generally think the business, but there have been arguments for having security owning risk. See Bobby's reason why you don't want to do that.
SUBSCRIBE TO BOTH PODCASTS
Go ahead and click on any of these links to subscribe to the podcast feed of your favorite podcast catcher.
If you're already a subscriber, THANK YOU! If you like either or both shows, please tell all your friends on social media and write a review on iTunes.