A podcast all about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.
2021-042- Fred Jennings, VDP, Vuln Equity, And 0day disclosure - p1
https://twitter.com/Esquiring - Fred Jennings
Vulnerabilities Equity program (VEP), vuln disclosure program (VDP), and what is the best way for disclosure of 0day? (‘proper’ is different and dependent)
This show was inspired by this Tweet thread from @k8em0 and @_MG_
Legal Safe Harbor? Copy-left for security researchers…?
What is a VEP? Not a new concept (2014)
Context: Was written when Heartbleed came out.
About transparency, but within reason
From the blogpost:
“We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:
How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
Does the vulnerability, if left unpatched, impose significant risk?
How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
How likely is it that we would know if someone else was exploiting it?
How badly do we need the intelligence we think we can get from exploiting the vulnerability?
Are there other ways we can get it?
Could we utilize the vulnerability for a short period of time before we disclose it?
How likely is it that someone else will discover the vulnerability?
Can the vulnerability be patched or otherwise mitigated?”
Gov orgs involved in VEP: https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Process
Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter
Companies have VEP (every time they issue a patch), but they aren’t always transparent about it. Embargoes a plenty. https://www.redhat.com/en/blog/security-embargoes-red-hat
https://xenproject.org/developers/security-policy/ (creates a caste system of ‘haves and not-haves’... important vs. not important) bad guys will target people not on the inside.
0day benefit from non-transparent VEP. https://www.randori.com/blog/why-zero-days-are-essential-to-security/
Randori had 365day… https://twitter.com/_MG_/status/1459024603263557633
Preferred patch 8.1.17, issued october 2020
VEP does not always have to be 0day… can be solutions to issues: https://www.techdirt.com/articles/20210922/17095747614/fbi-sat-ransomware-decryption-key-weeks-as-victims-lost-millions-dollars.shtml
“The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials.
The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.
In a perfect world, what does disclosure look like?
Communication (easy, secure, detailed… pick 1)
Separating wheat from chaff - ‘lol, i got root, pay me plz’
Fear of NDAs and gag clauses
Do people expect to be paid?
Setup of a ‘cheap’ program? What if you don’t have a budget to pay out (or more accurately, mgmt won’t pay out)? People won’t disclose? Should you pay? Use a 3rd party?
Blumira Sponsor #3 - Emily Eubanks, more actionable events, incident response help, and more
Discuss IT turnover and actionable events
Powershell logging and best practice
Incident response assistance
MFA best practices
0day disclosure, Randori, FBI email server pwnage
0day disclosure by Randori
FBI LEEP system pwned
Sweden's parents rebel over poor App design, US government forcing patching of systems, and Vuln chaining
Sweden's parents make their own UI for a bad school app
CISA is setting hard deadlines for patching
Vuln chaining, why 3 CVSS 4 vulns cause more impact than 1 CVSS10
Hacker's health art session report
Minimum Viable vendor security sheet, Federal logging requirements, and more!
Blumira interview recap
Google/Salesforce/okta's miminum viable security checklist
Ms. Berlin's painting with "Hacker's Health" November 5th
SPONSOR-Blumira's Nato Riley on Log Classification, Security Maturity,
classify logs by importance
what if your devices don't supply logs?
Empowering, insightful and actionable! 🙌
Whether you’re well established as an innovator in infosec, or just getting started in the industry - this is a must-listen podcast for you! Bryan and the BDS team do an incredible job leading conversations that cover a huge breadth of topics related to the ins and outs of navigating the shifting landscape of data security - with leaders who’ve actually experienced success themselves. Highly recommend listening and subscribing!
Topics are practical and varied. I also appreciate the fact that they are all involved in the security community which adds weight to their discussions.