No Good Deed Goes Unpunished: Why Security Testing Is So Important
In a previous article we shared some insights on responsible disclosure and why it is a quick win for your organisation's internal security. Responsible disclosure is a 'gentleman's agreement' within the security community, and one that is highly valued: under it, security researchers can report the vulnerabilities they find to the owner of the system or application without fear of prosecution, provided they follow certain terms and conditions. The security community is now shocked that a security researcher is being investigated by the German police for disclosing multiple vulnerabilities in the application of a German political party.
Shooting the messenger
The security researcher discovered multiple vulnerabilities in the application, through which the personally identifiable information of over 18,000 people was publicly accessible on the internet. Despite objections from the researcher and (parts of) the security community, the political party has filed charges and the police have begun investigating the researcher. In response, the collective that the security researcher belongs to has decided to no longer disclose any vulnerabilities to the organisation. The security researcher in question described the case as 'shooting the messenger'.
Importance of technical research
Luckily, this is one of the few exceptions. Many organisations do value responsible disclosures and consider them important. That brings up the next point: the importance of technical research. Of course it is good that security researchers can disclose the vulnerabilities they find, but it would be even better if those vulnerabilities never had to be disclosed at all, because the organisation had already found and eliminated them itself.
So once again, the importance of performing your own technical research should be emphasised. Organisations simply cannot rely on outside security researchers to do this work for them. A telling example is a university in the United States that, following a penetration test, discovered a data breach involving the data of over 350,000 individuals (students and professors). A penetration test is an assessment in which testers actively attempt to exploit vulnerabilities in a system, rather than merely scanning for them, to establish what an attacker could actually achieve.
Testing your own products
It is important not only to assess your internal security level (e.g. your company network), but also to test the products and/or services you sell to others, whether business to business or business to consumer. This is standard practice among vendors of operating systems such as Windows, Android and iOS, and other vendors, for example of routers and switches, continuously discover and patch vulnerabilities in their own products. We also know the downside when vulnerabilities are found first by malicious groups, as seen in the Kaseya attack, in which over 1,500 companies fell victim through a single compromised supplier. To reduce the risk of such supply chain attacks, it is of the utmost importance to test products and services for vulnerabilities before an attacker does.
Is your organisation’s security up to standard?
If you need help setting up a proper security cycle, want to know whether your internal control organisation is sufficient, or would like a penetration test performed, do not hesitate to contact our IT security experts. We can help you increase and maintain your cyber security, both strategically and operationally.