Tuesday, July 2, 2024

HackerOne: Hacked from the Inside

When it comes to hackers who exploit vulnerabilities in software, organizations have two options.

They can fight the multi-headed hydra. Or they can try to buy it.

So the bug bounty was born.

Things are a little more complicated than that, of course, but ever since Peiter C. Zatko, better known as Mudge of the OG L0pht crew, exchanged hoodies for suits and ties, every organization has tried to hire hackers: people with a knack for breaking into systems, in the hope of being better able to defend them.

Since then, a number of companies have emerged to capitalize on the power of the hacker community, providing these people with legitimate salaries and helping their customers stay ahead of the less savvy hackers. The most well-known of these companies are HackerOne and Bugcrowd.

Their business model is basically this: hackers find vulnerabilities in an organization’s software and report them to the company, which then passes them on to the client that hired it to run the bug bounty program. They are essentially trusted vulnerability brokers, playing an important role in helping clients improve their security.

Because of this trusted position, I was a little surprised when rumors started circulating last month that HackerOne had fired one of its employees for malicious insider activity.

According to the report, the employee allegedly accessed and stole a vulnerability reported by another researcher and then independently submitted it to the customer for his own financial gain.

Only when one of these customers reported being approached by someone sending an aggressive message did HackerOne intervene and conduct a swift investigation, which led it to the perpetrator. Check out Ionut Ilascu’s story at Bleeping Computer for the full account of what we know at this point.

While the insider appears to have submitted only a handful of these stolen bug reports during their brief tenure, the incident has left HackerOne considerably embarrassed and could have a wider business impact.

Who are insider threats, and why do they pose additional risks?

Any organization can be affected by an insider threat: a person who is part of the organization and has some level of access to resources within it.

It is this tacit trust that makes insiders so dangerous to an organization. Insiders know exactly what is valuable and where to find it, and in most cases they are given at least partial access to that data.

This last point is important because it affects the balance between trust and security that every organization must strike. Without access to resources, workers cannot perform their duties. However, additional access means that a suitably motivated, malicious employee can reach more resources and potentially do more damage.

In most cases, insider threats are financially motivated. This can mean stealing money outright or stealing records that can be sold. A well-positioned insider can also help external hackers target the organization.

Or, if an insider is disgruntled and seeks revenge, they may simply want to harm the organization. A well-placed data leak, or simply destroying data, can seem attractive if you have an axe to grind.

And these incidents can be damaging, especially when the organizations hit by them trade on security and trust as key elements of their business.

The meaning of insider threats inside security companies

For HackerOne, this story has implications from multiple angles.

First of all, HackerOne’s current and future customers are likely to be concerned.

In many ways, this was the best-case scenario, in that the insider only used the stolen vulnerability to claim an additional bounty. It is easy to imagine worse: this person could have exploited the vulnerability on their own or sold it to other hackers. If I were using, or considering using, the services of a bug bounty company, I would be questioning its ability to keep my data safe.

HackerOne also has a second constituency to answer to beyond its customers: the hacker/security research community. If the community doesn’t believe HackerOne will handle their submissions properly, they may decide it’s better to work with a competitor like Bugcrowd.

As the story is still in its infancy, there may also be legal questions around data privacy and other issues.

In any case, HackerOne is likely to face further scrutiny, as trust and security are key components of its work. If its customer and researcher base comes to think that the fox is guarding the henhouse at HackerOne, it could have a negative long-term impact. I hope not, though.

Given the potential for serious adverse effects of insider threats, there are a number of steps organizations can take to reduce risk.

3 Tips to Reduce Your Risk of Insider Threats

Internal or external attacks cannot be 100% blocked. However, there are several ways you can work to mitigate the risks and harm that an attack can cause.

  1. Principle of Least Privilege

Returning to the idea of a balance between access and security, the principle of least privilege asserts that a person should have only the access needed to do their work, and no more.

In practice, this means allowing users to access only the specific resources they need to perform their normal tasks. If a user needs additional resources, verify that they actually need them, and grant access for a limited time only. When the non-routine task is complete, that access should be revoked.

The idea here is that even if individuals decide to abuse their access, they are limited in the range of harm they can do.
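As an added illustration of the least-privilege pattern above (not code from the original article or from HackerOne), here is a small Python access-policy model: standing permissions come from a role, anything beyond that is a time-boxed grant that expires on its own, and every decision is logged for audit. The role names, permission strings and demo clock are assumptions.

```python
from datetime import datetime, timedelta

# Assumed role baselines, constructed for illustration (not HackerOne's real policy).
ROLE_PERMISSIONS = {
    "triage": {"reports:read-assigned", "reports:comment"},
    "program-manager": {"reports:read-program", "payouts:approve"},
}

def at(hour, minute=0):
    # Demo clock for the examples below (a fixed constructed date).
    return datetime(2024, 7, 2, hour, minute)

class AccessPolicy:
    """Least privilege: a role's standing permissions plus time-boxed grants."""

    def __init__(self):
        self.roles = {}     # user -> role
        self.grants = {}    # (user, permission) -> expiry
        self.audit = []     # (time, user, permission, decision)

    def assign_role(self, user, role):
        self.roles[user] = role

    def grant_temporary(self, user, permission, now, ttl_hours, reason):
        # Elevated access for a non-routine task; it expires on its own.
        expiry = now + timedelta(hours=ttl_hours)
        self.grants[(user, permission)] = expiry
        self.audit.append((now, user, permission, f"GRANT until {expiry:%H:%M} ({reason})"))
        return expiry

    def revoke(self, user, permission, now):
        if self.grants.pop((user, permission), None) is not None:
            self.audit.append((now, user, permission, "REVOKE"))

    def is_allowed(self, user, permission, now):
        # Allowed only via the role or an unexpired grant; stale grants are revoked.
        standing = ROLE_PERMISSIONS.get(self.roles.get(user), set())
        expiry = self.grants.get((user, permission))
        if expiry is not None and now >= expiry:
            self.revoke(user, permission, now)
            expiry = None
        decision = permission in standing or expiry is not None
        self.audit.append((now, user, permission, "ALLOW" if decision else "DENY"))
        return decision

    def expired_grants(self, now):
        # Grants past their expiry that have not been swept yet.
        return [k for k, exp in self.grants.items() if now >= exp]
```

The audit list is what a later review would read to confirm that elevated access was granted for a stated reason and actually went away afterwards.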

  2. Use tools to monitor behavior change

Most of us access and interact with the same set of common apps and resources. We create normal behavioral patterns that can form a baseline of user behavior that can be analyzed and tracked.

By adopting tools that can monitor user behavior and spot anomalous behavior, you are more likely to spot suspicious behavior that could indicate insiders behaving in ways that could harm your organization.

Detecting these suspicious behavioral trends gives organizations an early warning, so that illicit data access or leaks can be caught in time to prevent serious harm.

  3. Monitor for data transfer

Even when employees only access data they are authorized to access, organizations must ensure that they do not engage in unauthorized interactions that could put that information at risk.

An important indicator to watch for is whether employees use services like WeTransfer to send files or other data to their personal email accounts, or download files to a flash drive.

Although there are many legitimate reasons for an individual to access their work through a personal account such as Gmail, it adds a risk that many organizations’ risk tolerance may not allow.
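Tips 2 and 3 together, as an added Python example that is not from the original article: it builds a per-user baseline of the programs normally touched from an earlier window of constructed audit-log lines, then flags reads outside that baseline, a burst of reads within one hour, uploads to a file-transfer or webmail watchlist, and writes to removable media. The log format, program names and watchlist are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real HackerOne data): "time user action target".
LOG = """\
2024-06-03T09:01 alice view acme/report-1041
2024-06-04T10:05 alice view acme/report-1043
2024-06-05T09:12 alice view acme/report-1045
2024-06-10T14:02 alice view zeta/report-2210
2024-06-10T14:03 alice view zeta/report-2211
2024-06-10T14:04 alice view zeta/report-2212
2024-06-10T14:30 alice upload wetransfer.com
2024-06-10T18:45 alice write usb:/E/reports.zip
"""
BASELINE_END = datetime(2024, 6, 8)   # events before this train the baseline
TRANSFER_SERVICES = {"wetransfer.com", "mail.google.com"}  # assumed watchlist
BURST = 3                             # report views in one hour that exceed normal

def parse(log):
    for line in log.splitlines():
        ts, user, action, target = line.split()
        yield datetime.fromisoformat(ts), user, action, target

def build_baseline(events):
    # Per user: the programs they normally touch during the training window.
    programs = defaultdict(set)
    for ts, user, action, target in events:
        if ts < BASELINE_END and action == "view":
            programs[user].add(target.split("/")[0])
    return programs

def detect(log):
    # Returns (user, alert-type, detail) tuples for events after the baseline window.
    events = list(parse(log))
    baseline, per_hour, alerts = build_baseline(events), defaultdict(int), []
    for ts, user, action, target in (e for e in events if e[0] >= BASELINE_END):
        if action == "view":
            program = target.split("/")[0]
            if program not in baseline[user] and (user, "new-program", program) not in alerts:
                alerts.append((user, "new-program", program))
            key = (user, ts.strftime("%Y-%m-%dT%H"))
            per_hour[key] += 1
            if per_hour[key] == BURST:        # fire once per burst hour
                alerts.append((user, "burst-read", key[1]))
        elif action == "upload" and target in TRANSFER_SERVICES:
            alerts.append((user, "external-transfer", target))
        elif action == "write" and target.startswith("usb:"):
            alerts.append((user, "removable-media", target))
    return alerts
```

In a real deployment the baseline would be rebuilt on a rolling window and the alerts fed to a reviewer rather than acted on automatically, since a colleague covering another program produces the same "new-program" signal as a thief.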

Where does HackerOne go from here?

HackerOne plays an important role in the security community. This insider incident was a knock, but my prediction is that they will learn from this experience and enforce stronger controls to make sure this doesn’t happen again.

Looking at the steps above, they can also audit more regularly for signs that there may be a problem.

Thankfully, we’ve seen quick and decisive action when signs of a malicious insider appear.

At the same time, we can expect companies to refocus on how their employees engage with their teams to develop and maintain a commitment to their mission and team success. Building loyalty to your organization is an important point in reducing the likelihood that insiders will decide to take harmful actions.

With a high level of transparency about the steps the team is taking to improve its internal monitoring process, HackerOne can hopefully restore the trust of its clients and the research community quickly.

With the right tools and practices, it should be able to regain its standing as a trusted security provider and refocus on helping its customers stay one step ahead of all the hackers still lurking on the dark side.

Protect your business from insider threats with Teramind
