Digital Security Advice From an Ethical Hacker
Hacking and breaches have become front of mind for most people in the legal profession, following high-profile incidents in 2017 involving major law firms. Security is not a new issue but the implications for reputation and the sensitivity of data has increased pressure on all legal service providers to show they are taking steps to protect their clients.
Jamieson O’Reilly, Ethical Hacker and Founder & CEO of DVULN, will be speaking at Legal Innovation & Tech Fest this year and will be telling us more about how law firms and businesses around the world are stepping up to the plate and forging relationships never thought possible to protect their clients and prevent them from getting hacked. Jamie connects governments and companies with a vetted team of the world’s best security researchers, or ‘white-hat hackers’, to continuously find, exploit and patch flaws that traditional security testing cannot.
In a recent interview Jamie shared some fascinating insights into the world of white-hat hackers.
How did you come to be the founder of a company specialised in security testing by white-hat hackers?
I saw that the existing market of security testing was outdated and not very accurately matched to what cybercriminals were doing to attack organisations. As defenders (industry and government) we are disadvantaged economically, and in some cases technically, by criminals in three main areas – scale, scope and skillset diversity.
- Scale: Criminals can leverage a collective network and launch joint attacks against a single organisation without much investment at all.
- Scope: Criminals can target any of a company’s digital assets in order to test and identify vulnerabilities, regardless of compliance requirements, timelines or budget constraints.
- Skillset diversity: This is not to say that the defensive side has less skills, but criminal groups will specialise in a specific breach area, for example, hacking point-of-sales software. They become very skilled as they immerse and focus completely on that specific area. They are unrestricted regarding the amount of time they can spend researching, reverse-engineering and exploiting things for the purpose of working towards a final goal.
Creating DVULN was a decision I made after seeing many organisations “tick all the right boxes” but still get compromised because hackers exploited the scale, scope and skillset diversity elements. In today’s digital environment, you need to understand how hackers work and start building your tools and resources so that your data is safe.
Recent high-profile hacking incidents have made security breaches a front-of-mind topic for most people in the legal profession. How has this affected the way the legal industry has been working with you?
Traditionally the role lawyers would play during a cyber breach would be quite standardised: a company would get hacked, lawyers would advise on initial actions, public communications and possibly law enforcement collaboration.
In the past getting hacked was an event to be dealt with and moved on from. Criminals have now diversified their post-attack methodologies which means that legal professionals must now have the ability to determine a number of things:
Who hacked us?
Determine whether they are known bad actors and whether the breach is serious enough to open a dialogue in order to prevent further damage.
How did they hack us?
Determine what legal implications are relevant because of the organisation’s exploited security flaws. Legal professionals also need to determine whether their client was negligent in their security implementation and whether they’d received any warnings about security weaknesses prior to a cyber attack.
What are the hackers’ intentions?
Determine the nature and the intent of hackers before advising clients on how to deal with such events.
Communication is key. Do not assume that all hackers are malicious – they may be security researchers trying to responsibly disclose a security issue without expecting any kind of monetary incentive. Generally, if a hacker has malicious intentions, they will not want to announce their presence. I recommend organisations maintain an open mind when being contacted by hackers in order to determine the intent of the dialogue before threatening with legal action. Having a responsible vulnerability disclosure policy is the first step in being able to screen the intentions of hackers who may contact you or your clients.
What advice can you give companies around the future of securing their digital assets?
Two key pieces of advice would be:
Audit code regularly
If you own, manage or maintain digital assets that are being regularly updated (daily, weekly, monthly) testing these as per the status quo (by running a penetration test once or twice a year) is going to leave you vulnerable. You need a feasible way to audit all code before and after it’s being pushed into production.
Have a front door to your organisation in the form of a responsible vulnerability disclosure policy
Internationally, collaboration between governments, technology providers and security researchers has become an integral part of strong information security practices. As security researchers increasingly discover vulnerabilities in digital assets, participating organisations can benefit from having a framework and process in place, which enables them to work with the researchers who responsibly disclose this information in order to mitigate the risks.
Although I am generally against white-hat hackers testing digital assets without permission, there are times when the reporting of such issues can prevent (and has prevented) those issues being exploited by more nefarious users.
Hackers are going to hack; you cannot stop black- or white-hat hackers from finding security issues within your digital assets. What you can do is lay down a clear, concise responsible vulnerability disclosure policy that details the ‘rules of engagement’ white-hat hackers must follow if they wish to contribute to your organisation’s security. This way, it becomes very easy for legal teams to determine the intent and nature of a hacker when one contacts a client.
There are two standards (ISO 30111 & 29147) that have been well adopted that detail how organisations should integrate vulnerability disclosure into their security operations.
Some very important clauses to include in your responsible vulnerability disclosure policy include:
- Do you offer incentives? Some companies will offer monetary or other benefits to researchers who report valid security issues. It’s important to state clearly whether or not your organisation will include monetary incentives.
- What is in scope and what is not? Another very important part of a disclosure policy is making sure that white-hat hackers do not test targets within your organisation unless they have prior permission. Companies should take the time to explicitly list any digital assets (IP addresses, domain names, etc.) that are within scope and allowed to be tested.
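As an added illustration of the scope clause above (example code, not part of the interview or anything DVULN publishes), the Python below checks an asset named in an incoming report against an explicit scope list. The line format is assumed: an exact hostname, a `*.` wildcard for subdomains, a single IP address or a CIDR range.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopeRule:
    kind: str   # "domain" (exact host), "wildcard" (subdomains) or "network" (IP range)
    value: str


def parse_scope(entries):
    """Turn the policy's scope lines into rules (assumed format, see lead-in)."""
    rules = []
    for raw in entries:
        entry = raw.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        try:
            # A bare address becomes a /32 (or /128) network.
            net = ipaddress.ip_network(entry, strict=False)
            rules.append(ScopeRule("network", str(net)))
            continue
        except ValueError:
            pass  # not an IP or CIDR, so treat as a hostname pattern
        if entry.startswith("*."):
            rules.append(ScopeRule("wildcard", entry[2:]))
        else:
            rules.append(ScopeRule("domain", entry))
    return rules


def in_scope(target, rules):
    """True if a reported hostname or IP matches any scope rule.
    Note: '*.example.com' covers subdomains only; list the apex host separately."""
    t = target.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(t)
    except ValueError:
        addr = None
    for rule in rules:
        if rule.kind == "network":
            if addr is not None and addr in ipaddress.ip_network(rule.value):
                return True
        elif addr is None and rule.kind == "domain" and t == rule.value:
            return True
        elif addr is None and rule.kind == "wildcard" and t.endswith("." + rule.value):
            return True  # the leading dot stops 'evil-example.com' matching
    return False


def triage(report_targets, scope_entries):
    """Label each asset in a report as in-scope or out-of-scope for intake review."""
    rules = parse_scope(scope_entries)
    return {t: ("in-scope" if in_scope(t, rules) else "out-of-scope") for t in report_targets}


# Constructed sample scope and report, using documentation address ranges.
SAMPLE_SCOPE = ["# constructed scope", "example.com", "*.example.com", "203.0.113.0/24", "198.51.100.7"]
SAMPLE_REPORT = ["www.example.com", "evil-example.com", "203.0.113.42", "203.0.114.1"]
```

A report that names only out-of-scope assets is the case the policy's ‘prior permission’ wording is meant to catch at intake.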
Deciding whether an organisation is ready to implement a vulnerability disclosure policy means assessing the organisation’s capabilities in specific areas ranging from processes, engineering and legal.
How can companies benefit from seeking compliance to ISO 30111 & 29147 standards?
Understanding that there is no silver-bullet for security and that all vulnerabilities cannot be eliminated from digital goods and services pre-production, companies must be ready to continually identify and respond to cybersecurity flaws in their infrastructure throughout the IT lifecycle.
The quantity and diversity of vulnerabilities will prevent many organisations from detecting these vulnerabilities without independent expertise or manpower. So, in order to equip companies, ISO 30111 & 29147 ensure that coordinated vulnerability disclosure and the internal handling of such issues can be quickly detected and responded to, leading to mitigations that enhance the security, data privacy, and safety of their systems.
About the Speaker
Jamieson O’Reilly is an ethical hacker and Founder and CEO of DVULN. He connects governments and companies with a vetted team of the world’s best security researchers to continuously find, exploit and patch flaws that traditional security testing cannot.
A security researcher at heart, Jamie has helped hack/secure companies around the world including Adobe, eBay and Riot Games.