We have to keep “learning” from high-profile hacks.
As you may have read in the news, a “dating” site that caters to extramarital hookups has been hacked. The detailed after-action report has not been released, so there is nothing to learn yet from the hacking itself.
Except for the usual lessons. Instead I want to focus on a couple of sentences from the Oracle CSO’s statements.
Although the Oracle VP later stressed the importance of security, there were some interesting points she made:
- “We find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers.”
- “I do not need you to analyze the code since we already do that, it’s our job to do that, we are pretty good at it…”
Image and story as per Computerworld: http://www.computerworld.com/article/2969844/security/oracle-cso-mary-ann-davidson-itbwcw.html
What I found revealing is that Oracle finds 87% of security vulnerabilities, and the bug bounty program finds another 3%.
In what world is finding 90% of all vulnerabilities enough? Suppose there were roughly 200 vulnerabilities, as on Jul 16 (http://oversitesentry.com/time-to-drop-flash-how-about-java/) when 193 Oracle vulnerabilities were released:
0.87 × X (number of actual vulnerabilities) = 193 vulnerabilities fixed by Oracle
X = 193 / 0.87 = 222
Which means CSO Mary Ann Davidson was willing to let us, the consumers, run with 22 vulnerabilities that would not be found until ???
The bug bounty program is finding approximately 6 vulnerabilities.
So let’s say you do want to cover 99.9999% of all vulnerabilities (because I would never say anyone can find ALL of them), i.e. six sigma.
The Ashley Madison hack proves that data needs to be protected to a higher standard than “90% is good enough”, especially data that is sought after by hackers (for example, any data that can be used in extortion or ransom situations).
The key is to cover as many of those last 22 problem vulnerabilities as possible, with a reasonable cost structure.
Doing an outside test on your infrastructure and applications is the most fruitful use of your hard-earned resources.
Richard Bejtlich (Chief Security Strategist of FireEye) says in this video (also from Dark Reading) http://www.darkreading.com/perimeter/richard-bejtlich-talks-business-security-strategy-us-security-policy/v/d-id/1321783:
“Don’t collect data that you cannot protect”. He did not say collect data and protect 90% of the data or 90% of the time.
Having a fresh perspective from an outside entity gives some much-needed review, instead of hiring more bodies to do what others are already doing in your culture and with your technologies and techniques. Remember, we are only as good as “our” TTP (Tactics, Techniques & Procedures). If you hire more people they will be using the same TTP; you need a fresh look to find more vulnerabilities.
Contact Us to discuss this. We will reveal in the next couple of days a new partnership with a webapp security company to help the world secure their Internet environments better.