Security vendors: Accept cyber vulnerability and embrace fear
James Thorpe
Rob Cowsley, Security Architect, Gallagher makes a case for accepting vulnerability and engaging with hobbyist hackers as part of a responsible vendor's repertoire — and the unexpected benefits that come with it.
Imagine a hacker reached out to your company with the news that they'd found a cyber vulnerability in your product.
For most security vendors, this is the worst-case scenario they've sunk untold amounts of time and money to prevent; the gut reaction would be fear. Fear for the fate of the brand's reputation, fear of harm to customers and — if it's the first time — fear of the unknown.
And that fear would prevent them from acting on an incredible opportunity. The fact is: A hacker reaching out to a security vendor can be a good sign.
It means they've turned down the chance to exploit their discoveries for profit, and given the many hours they have spent quantifying, explaining and verifying their findings to crack the code, many would.
Zero-day exploits and hacking contracts can be lucrative, so coming directly to the vendor should be taken as the gesture of goodwill it most likely is.
That's because (broadly speaking) these hackers are simply curious.
Their goal isn't malicious; they just want to connect with other like-minded people who can help them understand the next piece of the puzzle they've been tinkering with — your product and the protections you've built around it.
And herein lies a golden opportunity for a security vendor to engage with a group who donāt have malicious intentions and engage in hacking simply for the fun of a challenge.
Call them hackers, hobbyists or independent security researchers, but these curious minds have taken an interest in the intricacies of our industry's products — and building a rapport with them can lead to a mutually beneficial relationship. And I should know, because it happened to us.
Can you tell me how to get to Sesame Street?
Several years back, Gallagher Security had an experience with a hacker that led us down a path of creating a better, stronger product.
As part of our product development, Gallagher intertwines key phrases into our code that match the working titles we use before our products are officially named.
At the time, these were characters from Sesame Street and, while I don't dispute Big Bird's need for some card readers to manage access to his nest, any public mention of him or his friends configuring access controls would be a clear reference to Gallagher's products.
So, when we heard mention of Sesame Street in the hacking community, it got our attention.
Historically, the fear in hacking cuts both ways and many hobbyists worry about the legalities of coming forward with their discoveries.
The hacker who engaged with our product was understandably concerned about reaching out to us directly and chose instead to share their findings for all other like-minded hobbyists to learn from.
It was a wake-up call for our team, but after lengthy internal discussions, we concluded there was more to gain by working with this researcher than in taking punitive measures, so we reached out for collaboration.
And, after assuring them our goal was mutual learning and we weren't planning to take legal action, we got to work.
Unexpected benefits
As word of how Gallagher was curious and friendly towards hobbyist hackers spread, others reached out wanting to investigate our products.
We made agreements, provided them with support and hardware and regularly caught up during their projects.
When they found cyber vulnerabilities, they worked alongside us to resolve them; in return, often all they wanted was credit for their work.
The hours they put into their research would have been prohibitively expensive at the commercial contractor rates that penetration testing companies charge.
We benefited from thousands of hours of people's hobby time in exchange for providing our hardware to play with, recognition and an opportunity to share the joys of discovery with other like-minded souls.
It was an unbelievable win-win.
Working with hobbyist hackers
But Gallagher's experience didn't have to unfold like it did.
The hacker in our example wasn’t looking to cause harm, despite the damage publishing their findings could have caused.
Instead, they could have worked with an intermediary, like national Computer Emergency Response Teams (CERTs) or companies like Bugcrowd or HackerOne, who have built a business model around managing these difficult interactions.
These organisations help to bridge the gap between hackers and vendors by relaying information between the two; they often help educate vendors on the intent and culture inherent to this community.
For security vendors anxious about diving into collaboration with the unknown, intermediaries like these can play a valuable role in establishing trust, opening the door to reciprocal benefits.
Take insecure configurations for example.
If a product is widely configured insecurely, vendors want to know the cause. Was it too hard to configure securely? Were the defaults bad?
Or, do these teams need to configure a particular product insecurely to meet some use case that wasn't originally anticipated?
Hackers can help find where such problems are occurring.
And, with consent from everyone involved, they can also help audit existing sites for the same bad patterns of configuration and reduce the likelihood of insecure configurations for customers, creating a win-win-win situation for vendors and their customers, too.
That's because many hobbyist hackers are actually professional security researchers by day, trained in penetration testing and extremely adept at identifying vulnerabilities in systems.
That many spend their free time tinkering with the most interesting puzzles on the market is a testament to their enthusiasm.
What end users need to know about reducing risk
Mitigating risk isn't exclusively up to a vendor or collaborating hackers — end users bear responsibility for maintaining their systems to protect against threats.
And, one major source of cyber vulnerability is outdated hardware.
As cyber-risks change and evolve, out-of-support hardware that no longer receives security updates or is unable to use the latest protections leaves end users open to attacks that could have been prevented by an upgrade.
Many hackers who find cyber vulnerabilities are finding them in legacy hardware, further exposing the danger these parts pose to end users and the people, data and assets they aim to protect.
Even something as routine as running regular audits on systems can be an effective tool to safeguard against threats.
Audits can reveal problems like blank passwords on highly privileged accounts or tampering of door sensors, enabling end users to maintain their defences and safeguard against their own worst case scenarios.
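To make the two audit checks above concrete, here is an added example (not Gallagher's code or any real product's export format) that runs them over a constructed operator-account list and door-event log: it flags privileged accounts with an empty credential, and door openings that no access grant or request-to-exit event explains, which is how a forced door or a bypassed sensor shows up in an audit. The field names, event kinds and the ten-second authorisation window are assumptions.

```python
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"administrator"}
# Event kinds that legitimately precede a door opening (assumed names).
AUTHORISING = {"access_granted", "rex"}

# Constructed sample export of operator accounts (hypothetical format).
ACCOUNTS = [
    {"name": "admin",      "role": "administrator", "password_hash": ""},
    {"name": "reception",  "role": "operator",      "password_hash": "$2b$12$abc"},
    {"name": "svc-backup", "role": "administrator", "password_hash": "$2b$12$def"},
    {"name": "guest",      "role": "viewer",        "password_hash": ""},
]

# Constructed sample door log: (ISO timestamp, door, event kind).
EVENTS = [
    ("2024-05-01T08:00:00", "lobby",  "access_granted"),
    ("2024-05-01T08:00:03", "lobby",  "door_open"),      # explained by the grant
    ("2024-05-01T12:15:00", "server", "door_open"),      # nothing authorised this
    ("2024-05-01T12:15:30", "server", "sensor_tamper"),  # controller-reported tamper
    ("2024-05-01T17:00:00", "lobby",  "rex"),
    ("2024-05-01T17:00:01", "lobby",  "door_open"),      # explained by exit button
]


def blank_privileged_passwords(accounts):
    """Names of privileged accounts whose stored credential is empty."""
    return sorted(a["name"] for a in accounts
                  if a["role"] in PRIVILEGED_ROLES and not a["password_hash"].strip())


def suspicious_door_events(events, window_s=10):
    """Door openings with no authorising event within window_s seconds, plus explicit tamper reports."""
    findings = []
    last_auth = {}  # door -> time of its most recent authorising event
    for ts, door, kind in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind in AUTHORISING:
            last_auth[door] = t
        elif kind == "sensor_tamper":
            findings.append((door, ts, "sensor tamper reported"))
        elif kind == "door_open":
            auth = last_auth.get(door)
            if auth is None or t - auth > timedelta(seconds=window_s):
                findings.append((door, ts, "opened without authorisation"))
    return findings


if __name__ == "__main__":
    print("blank privileged passwords:", blank_privileged_passwords(ACCOUNTS))
    for finding in suspicious_door_events(EVENTS):
        print("door finding:", finding)
```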
In many ways, it takes a village to protect against cyber-threats and end users, vendors and hobbyist hackers can build a more effective defence working together than alone.
Embrace cyber vulnerability
Engaging with hobbyist hackers is worth the effort.
It might initially go against a vendor's instincts, but investing in these relationships can reap profound rewards.
So, talk to hackers. Train them on the subtleties of your industry and help them understand the business end of your products. Even hire one if your budget allows — and then pass on the benefits to your customers.
Embracing cyber vulnerability and demonstrating commitment to your products is the first step in building partnerships that extend beyond security and stand the test of time because they're built on a foundation of shared knowledge and trust.
And that's something even Oscar the Grouch would agree is worth the risk.