How To Handle Breach Disclosure
FireCompass
Bikash Barai, Co-founder FireCompass
How To Handle Breach Disclosures? Bug Bounty, Coordinated Vulnerability Disclosures and more..

Breaches are at an all-time high. In this webinar, learn the do's and don'ts of handling a breach disclosure: best practices for setting up a bounty program, how to respond to responsible disclosures, and lessons from the industry.



Key Points To Be Discussed:
- How to build a vulnerability disclosure program?
- What are the various types of vulnerability disclosure programs?
- When and when NOT to have a bug bounty program?
- Do's and Don'ts for handling a breach disclosure



How To Handle Breach Disclosure
FireCompass
Bikash Barai, Co-founder FireCompass
Contents
• Publicly available breach risk information
• What is VDP?
• Standards and Frameworks
• Guidelines
• Best Practices
Part 1: Publicly Available Breach Risk Information
Our Experiment On Indexing Breach Indicators
• Continuous monitoring of the internet, deep web and dark web to collect insecure services, sensitive data and leaked credentials.
• Real-time sampling of exposed data, sensitivity analysis, and alerts generated on the fly.
• Real-time attribution of flaws and sensitive data to the organizations concerned.

Database Exposure
• # of open databases (MySQL, Mongo, ES, Redis): 500K
• Sample size of data exposed: ~20 TB
• # of open databases in India: 5K

Code Leaks
• Sample enterprise code leaks: 12K+
• In 15% of cases internal employees leaked credentials, keys and sensitive information such as private keys, AD passwords, mail server passwords, even pay slips.
• CI/CD tools such as Jenkins, GoCD etc. lead to exposed code and remote code execution.

Exposed & Open DevOps Tools (counts found)
• SonarQube installations: 4816
• Docker installations: 4761
• etcd exposures: 2446
• Unauthenticated Jenkins: 3021

Open Cloud Resources
• 10K+ public Elastic Block Store (EBS) snapshots from 3,213 accounts.
• 400+ public Relational Database Service (RDS) snapshots from 200+ accounts.
• 700K+ public Amazon Machine Images (AMIs) from 20K+ accounts.
• 16K+ public IPs of exposed AWS-managed Elasticsearch clusters whose contents could be stolen or deleted; this means 17% of AWS-managed Elasticsearch servers with public IPs were misconfigured.
• More than 500 million AWS buckets indexed, hosting terabytes of data.
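The public EBS snapshots, RDS snapshots, AMIs and buckets counted above are all cases of a sharing attribute on a resource the owner usually does not realise is world-readable. The following added example (not code from the FireCompass deck or from AWS) shows the defender-side check: given the sharing attributes of your own resources, flag the ones that are public. The input dicts are constructed to mirror the response shapes of the EC2 DescribeSnapshotAttribute / DescribeImageAttribute, RDS DescribeDBSnapshotAttributes and S3 GetBucketAcl calls so the audit runs offline; in practice you would fill the inventory from those calls.

```python
"""Flag publicly shared AWS resources from their sharing attributes.

Added example, not tooling from the deck. The attribute dicts are
constructed to match the AWS API response shapes; in production they
would come from boto3 describe_*_attribute / get_bucket_acl calls.
"""

# Grantee URIs that make an S3 ACL grant public (AuthenticatedUsers = any AWS account).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def ebs_snapshot_public(attr: dict) -> bool:
    # A createVolumePermission for Group "all" lets anyone restore the snapshot.
    return any(p.get("Group") == "all" for p in attr.get("CreateVolumePermissions", []))


def ami_public(attr: dict) -> bool:
    # A launchPermission for Group "all" lets anyone launch (and read) the image.
    return any(p.get("Group") == "all" for p in attr.get("LaunchPermissions", []))


def rds_snapshot_public(attr: dict) -> bool:
    # The "restore" attribute with value "all" makes a DB snapshot public.
    attrs = attr.get("DBSnapshotAttributesResult", {}).get("DBSnapshotAttributes", [])
    return any(a.get("AttributeName") == "restore" and "all" in a.get("AttributeValues", [])
               for a in attrs)


def s3_acl_public(acl: dict) -> bool:
    # Any grant to the AllUsers or AuthenticatedUsers group exposes the bucket.
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            return True
    return False


CHECKS = {
    "ebs-snapshot": ebs_snapshot_public,
    "ami": ami_public,
    "rds-snapshot": rds_snapshot_public,
    "s3-bucket": s3_acl_public,
}


def audit(inventory: list) -> list:
    """Return (kind, resource_id) for each resource whose sharing attribute is public."""
    findings = []
    for kind, resource_id, attr in inventory:
        if CHECKS[kind](attr):
            findings.append((kind, resource_id))
    return findings


# Constructed inventory: four public resources, three private or shared with one account.
SAMPLE_INVENTORY = [
    ("ebs-snapshot", "snap-0a1b", {"CreateVolumePermissions": [{"Group": "all"}]}),
    ("ebs-snapshot", "snap-0c2d", {"CreateVolumePermissions": [{"UserId": "111122223333"}]}),
    ("ami", "ami-0e3f", {"LaunchPermissions": [{"Group": "all"}]}),
    ("ami", "ami-0415", {"LaunchPermissions": []}),
    ("rds-snapshot", "prod-final", {"DBSnapshotAttributesResult": {"DBSnapshotAttributes": [
        {"AttributeName": "restore", "AttributeValues": ["all"]}]}}),
    ("rds-snapshot", "prod-weekly", {"DBSnapshotAttributesResult": {"DBSnapshotAttributes": [
        {"AttributeName": "restore", "AttributeValues": ["444455556666"]}]}}),
    ("s3-bucket", "backup-bucket", {"Grants": [
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"}]}),
]

if __name__ == "__main__":
    for kind, resource_id in audit(SAMPLE_INVENTORY):
        print(f"PUBLIC {kind} {resource_id}")
```

The ACL check covers only one of the ways a bucket becomes public; a bucket policy granting access to `*` is a separate attribute (GetBucketPolicy) and needs its own check, and enabling S3 Block Public Access at the account level is the control that makes both paths fail closed.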
Exposed Network Services
• 80% of large organisations had:
  • Multiple exposed UAT servers
  • Vulnerable WordPress/Joomla
  • Telnet/FTP
  • Open vulnerable routers
• 30% of organizations had:
  • Open LDAP
  • Open RDP
  • Open SMB/RPC
Counts found: Open VNCs: 5147; ‘wormable’ Windows vulnerability: 490000; Open SMBs: 459223

Open Industrial Control Systems (share found exposed)
• Samsung Electronic Billboards: 0%
• Gas Station Pump Controllers: 56%
• Automatic License Plate Readers: 0%
• Traffic Light Controllers / Red Light Cameras: 0%
• Railroad Management: 2%
• Door / Lock Access Controllers: 3%
• DICOM Medical X-Ray Machines: 18%
• Siemens Industrial Automation: 12%
• GaugeTech Electricity Meters: 1%
• C4 Max Commercial Vehicle GPS Trackers: 8%

CVEs we discovered
• CVE-2008-7020: McAfee SafeBoot Device Encryption 4
• CVE-2008-6661: Multiple integer overflows in the scanning engine in Bitdefender
• CVE-2008-6846: Multiple stack-based buffer overflows in avast!
• CVE-2008-6903: Sophos Anti-Virus
• CVE-2008-3893: Microsoft BitLocker
• CVE-2009-1062: Adobe Acrobat Reader
Part 2: How To Handle A Breach Disclosure

What is a Vulnerability Disclosure Policy (VDP)?
• Guidelines and a defined process for submitting potentially unknown and harmful security vulnerabilities to organizations.
• Brand promise
• Initial program & scope
• Assurance
• Communication mechanism and process
• Preferences and prioritizations

ISO/IEC 29147:2014 - Vulnerability disclosure
• provides guidelines for vendors on how to receive information about potential vulnerabilities in their products or online services,
• provides guidelines for vendors on how to disseminate resolution information about vulnerabilities in their products or online services,
• provides the information items that should be produced through the implementation of a vendor's vulnerability disclosure process, and
• provides examples of content that should be included in the information items.
• https://www.iso.org/standard/45170.html

Other Guidelines
• United States Department of Defense
• Food and Drug Administration
• National Highway Traffic Safety Administration
• National Telecommunications and Information Administration
• National Institute of Standards and Technology
• Federal Trade Commission

Sample Vulnerability Disclosure Programs
• Salesforce: https://trust.salesforce.com/en/security/responsible-disclosure-policy/
• Cloudflare: https://www.cloudflare.com/disclosure/
• Amazon: https://aws.amazon.com/security/vulnerability-reporting/

Coordinated Vulnerability Disclosure – Guideline & Sample Template
• Coordinated Vulnerability Disclosure Template - NTIA Safety Working Group (sample: Acme Corp)
• https://www.ntia.doc.gov/files/ntia/publications/ntia_vuln_disclosure_early_stage_template.pdf
• CERT Guideline
• https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf

Building a Program
• Create a VDP page which is easy to access
• Build an effective communications team and process
• Create and follow a written internal process/playbook to handle disclosures
• Decide whether you should have a bug-bounty program (you may or may not be ready for it)
• Be proactive. (Try to) know your attack surface before hackers do.

Communication Strategies
• Respond to researchers (immediately)
• Be nice – thank them (at least). Give some goodies if you want.
• Don’t be arrogant or defensive (we don’t need more enemies)
• Get level-headed persons to coordinate with hackers
• If research organizations want a press release, then try to do it jointly or be part of it to influence the messaging/dates
• Internal communication (before public release) for all your stakeholders, including the board, customers etc.
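The two slides above ask for a written playbook, an immediate acknowledgement, and a scope published on the VDP page. The following added example (not from the FireCompass deck or any vendor's tooling) encodes that playbook as a small case tracker: every report is acknowledged at intake, the case moves through the receipt / verification / resolution / release flow that ISO/IEC 29147 describes, and the tracker reports which stage has blown its deadline. The SLA durations, the in-scope host list and the sample report are constructed values standing in for what your own policy would state.

```python
"""Disclosure-handling playbook as code (added example, constructed values)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Stage(Enum):
    RECEIVED = "received"          # report landed in the intake channel
    ACKNOWLEDGED = "acknowledged"  # researcher has been thanked and given a timeline
    TRIAGED = "triaged"            # report verified and prioritised internally
    RESOLVED = "resolved"          # fix shipped or risk accepted
    DISCLOSED = "disclosed"        # coordinated public release


# Maximum time from receipt to reaching each stage. Assumed values;
# replace with the commitments printed on your VDP page.
SLA = {
    Stage.ACKNOWLEDGED: timedelta(hours=24),
    Stage.TRIAGED: timedelta(days=5),
    Stage.RESOLVED: timedelta(days=90),
}

# Hosts the (hypothetical) VDP page lists as in scope.
IN_SCOPE = {"example.com", "api.example.com"}


def in_scope(asset: str) -> bool:
    """True if the asset is a listed host or a subdomain of one."""
    host = asset.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in IN_SCOPE)


@dataclass
class Report:
    report_id: str
    reporter: str
    asset: str
    summary: str
    received_at: datetime


@dataclass
class Case:
    report: Report
    stage: Stage = Stage.RECEIVED
    out_of_scope: bool = False
    history: list = field(default_factory=list)  # (stage, timestamp) pairs

    def advance(self, stage: Stage, at: datetime) -> None:
        """Move to the next stage only; the playbook forbids skipping a step."""
        order = list(Stage)
        if order.index(stage) != order.index(self.stage) + 1:
            raise ValueError(f"cannot go from {self.stage.value} to {stage.value}")
        self.stage = stage
        self.history.append((stage, at))

    def overdue(self, now: datetime) -> list:
        """Stages not yet reached whose SLA clock (from receipt) has run out."""
        reached = {s for s, _ in self.history}
        age = now - self.report.received_at
        return [s for s, limit in SLA.items() if s not in reached and age > limit]


def acknowledgement(case: Case) -> str:
    """The immediate, non-defensive reply the communication slide asks for."""
    r = case.report
    text = (f"Thank you for report {r.report_id}. We have received it and will "
            f"update you within {SLA[Stage.TRIAGED].days} days.")
    if case.out_of_scope:
        text += (f" Note: {r.asset} is outside the scope published in our policy; "
                 "we will still review the report.")
    return text


def intake(report: Report) -> Case:
    """Open a case and acknowledge it at once, per the playbook."""
    case = Case(report=report, out_of_scope=not in_scope(report.asset))
    case.history.append((Stage.RECEIVED, report.received_at))
    case.advance(Stage.ACKNOWLEDGED, report.received_at)
    return case


def status_after(case: Case, days: int) -> list:
    """Names of the stages overdue `days` after receipt (for dashboards/tests)."""
    return [s.value for s in case.overdue(case.report.received_at + timedelta(days=days))]


# Constructed sample report against a subdomain of an in-scope host.
SAMPLE_REPORT = Report("VDP-0001", "researcher@example.net", "staging.api.example.com",
                       "Outdated TLS configuration", datetime(2020, 6, 1, tzinfo=timezone.utc))


def sample_case() -> Case:
    return intake(SAMPLE_REPORT)


if __name__ == "__main__":
    case = sample_case()
    print(acknowledgement(case))
    print("overdue after 10 days:", status_after(case, 10))
```

The point of `advance` refusing to skip stages is that the playbook, not the person on call, decides the order of events: a case cannot be marked disclosed without a recorded resolution, which is exactly the record you want when a researcher or the press asks what happened when.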
Thank You
