

SECURITY THROUGH OBSCURITY SOFTWARE

HackerOne, a bug bounty platform provider, offered a blueprint for greater corporate security responsibility and called for a shift from secrecy to transparency when dealing with vulnerabilities in a report released Thursday. Organizations are increasingly scrutinizing the practices of their suppliers, basing procurement decisions on security credentials and switching suppliers should the company have experienced a security incident, the report noted. Demonstrating secure best practices is now a competitive differentiator. To demonstrate that a company is adhering to best practices, the report recommended it commit to the four tenets of corporate security responsibility: transparency, collaboration, innovation, and differentiation.

According to survey data gathered for the report from 800 security leaders, 64% maintain a culture of security through obscurity. Not admitting weaknesses and asking for help fixing them can cause significant damage to a brand should a "secret" vulnerability be exploited, the report explained. To create greater transparency, the report recommended building a culture of openness, avoiding assigning blame when incidents happen, providing third-party researchers with a clear process for reporting vulnerabilities, and taking an open approach to stakeholders should a breach occur.

Distrust between organizations and third-party researchers

The report also revealed a lot of distrust between organizations and third-party researchers. Sixty-seven percent said they'd rather accept software vulnerabilities than work with hackers, while 50% of hackers admitted they hadn't disclosed a bug because of a previous negative experience or the lack of a channel to report it. A lack of trust makes everyone a potential cyber enemy, the report maintained. To avoid that and promote collaboration, HackerOne recommended encouraging third parties to report vulnerabilities, setting up regular security briefing sessions with company brass, and translating security risk into risk to the business.

It's the very opposite of what you suppose to understand. Obscurity has problems, always, even if it's just an additional layer in your "defense in depth". The entire point of the fallacy is to counteract people's instinct to suppress information. Instead, people have persevered in believing that obscurity is good, and that this entire conversation is only about specific types of obscurity being bad.

The above discussion mentions running SSH on a non-standard port, such as 7837 instead of 22, as a hypothetical example. Then an 0day is discovered, and a worm infecting SSH spreads throughout the Internet. This is exactly the sort of thing you were protecting against with your obscurity. Instead, you find that all your systems running SSH on the standard port of 22 remain uninfected, and that the only infections were of systems running SSH on port 7837. The (hypothetical) reason is that your organization immediately put a filter for port 22 on the firewalls, scanned the network for all SSH servers, and patched the ones they found. At the same time, the worm runs automated Shodan scripts and masscan, and thus was able to nearly instantaneously discover the non-standard ports. Thus your cleverness made things worse, not better.

This fallacy has become such a cliché that we should no longer use it. Let's use other phrases to communicate the concept.
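The defensive lesson in the port-7837 scenario is that an emergency patch sweep must inventory services by what they speak, not by the port they listen on. The following added example (not code from the original post) shows the difference: it classifies hosts as SSH servers from the RFC 4253 identification string ("SSH-protoversion-softwareversion") rather than from the port number, and reports which servers a port-22-only sweep would have missed. The host list, ports and banners are constructed sample data; the addresses are from the RFC 5737 documentation range and the function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 4253 section 4.2: the server identification string is
# "SSH-protoversion-softwareversion SP comments CR LF".
_SSH_BANNER = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

# Constructed sample inventory: (host, port, first line returned on connect).
# Addresses are hypothetical (RFC 5737 TEST-NET-1).
SAMPLE_BANNERS: List[Tuple[str, int, bytes]] = [
    ("192.0.2.10", 22, b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
    ("192.0.2.11", 22, b"SSH-2.0-OpenSSH_9.3\r\n"),
    ("192.0.2.12", 7837, b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),  # "obscured" SSH
    ("192.0.2.13", 7837, b"SSH-2.0-dropbear_2022.83\r\n"),        # "obscured" SSH
    ("192.0.2.14", 22, b"220 mail.example ESMTP\r\n"),            # not SSH, just on port 22
    ("192.0.2.15", 80, b"HTTP/1.1 400 Bad Request\r\n"),
]


def parse_ssh_banner(first_line: bytes) -> Optional[Dict[str, str]]:
    """Return proto/software/comments if the line is an SSH identification string, else None."""
    try:
        text = first_line.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return None
    m = _SSH_BANNER.match(text)
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def ssh_servers_by_port(banners, port: int = 22) -> List[Tuple[str, int]]:
    """The port-based sweep: everything listening on `port` is assumed to be SSH."""
    return sorted((host, p) for host, p, _ in banners if p == port)


def ssh_servers_by_banner(banners) -> List[Tuple[str, int, str]]:
    """The service-based sweep: anything that speaks SSH, whatever the port."""
    found = []
    for host, port, line in banners:
        info = parse_ssh_banner(line)
        if info is not None:
            found.append((host, port, info["software"]))
    return sorted(found)


def missed_by_port_sweep(banners, port: int = 22) -> List[Tuple[str, int]]:
    """SSH servers a port-only sweep would leave unpatched."""
    by_banner = {(host, p) for host, p, _ in ssh_servers_by_banner(banners)}
    by_port = set(ssh_servers_by_port(banners, port))
    return sorted(by_banner - by_port)


if __name__ == "__main__":
    for host, port in missed_by_port_sweep(SAMPLE_BANNERS):
        print(f"port-22 sweep would miss SSH on {host}:{port}")
```

On the sample data the port-based sweep both misses the two servers on 7837 and wastes effort on the SMTP host that happens to sit on 22; the banner-based sweep finds exactly the four SSH servers. Real sweeps feed this classifier from whatever the scanner already collects (banner grabs, service-detection output, or configuration management data), and the same identification-string check is what automated scanners use to find the "hidden" port in the first place.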
