Bug Bounty Programs : Good for Government

Download Bug Bounty Programs : Good for Government

Post on 19-Oct-2014

1.198 views

Category:

Technology

0 download

DESCRIPTION

Bug bounty program offer numerous benefits to the sponsoring companies. Government organizations as well as private organizations will benefit if they have bug hunters sniffing around on their network.

TRANSCRIPT

Bug Bounty

Bug Bounty PROGRAMS:

GOOD FOR Government

My hands &

Your world

is secured!

Presented at The Hackers Conference, New Delhi

August 25, 2013

Tim

e

ForReal ChangeA Security budget is inversely

proportional to a CxOs feel-good

factor

Is

NOW!Bug Bounty Programs

will attract the best

Security brains for

~ZERO cost!

NO

W

The Bounty Hunter

He hunted humans !

WIL

D W

ES

T T

IME

S

Better than the best gunslinger or tracker

Harrison Ford as

Han Solo in Star Wars

The Bounty Hunter W

ILD

S

PA

CE

A

GE

Better than the

best!

Mercenary Gun

for Hire

Harrison Ford as

Han Solo in Star Wars

INT

ER

NE

T A

GE

Wild

Dangerous

Unknown

Constantly Morphing

Dynamic Surface

Virtual / Intangible

Supports Life

Ethical Helper

Khabri (informer)

Responsible Citizen

Good Samaritan

Honest Person

Black Hats

are among

organizations

and business

men too who

will cheat the

good hacker

of reward and

recognition !

Star Wars Episode IV (1977)

Han Solo (Harrison Ford), to

Princess Leia (Carrie Fisher)

Lucas Films/Courtesy Everett Collection

I'm not in it for

you, princess.

Look, I ain't in this for

your revolution, and

I expect to be well

paid. I'm in it for

the money.

Men Are Nothing

Until They Are

Excited

Govt Dept was target of spear phishing

Malware was put out for analysis to bounty of 25k this was increased to 50k due to increase in scope and tie between two teams

in phase 1

Bounty hunter has to identify the malicious activity and the command centre

Time bound results expected (24 hours)

Maximum information and good presentation to be given weightage

Information was of high quality and the department was able to contain the attack malware and the attacker

Market Value of work done Man hours if assignment was carried out internally: min 100

Value of work if I had quoted: Rs. 5,00,000

Bounteous rewards await the

Government department that starts a

BB program. They are able to identify

(actually) good testers who will

HONESTLY disclose vulnerabilities.

Capability for Security management, protection or response primarily with intelligence agencies

Departments depend on CERT empanelled firms and carry out only one time assessment

Total lack of awareness (or respect for IS) among HoDs and security expertise in Ops team

Most government infrastructure is waiting for a kehar

Someones Death Wish!

Capacity and Capability building sans resources

Lack of skills, awareness and knowledge

Uncertainty about skills / ethics of testers

Big PPP players work (only) on big projects

Attain high level of assurance at low cost

Supporting independent research

Fulfill our national Mission Impossible:

500k IS professionals in 3 yrs

PPP (Public + Professional Participation will work better than the Public, Private

Participation)

Continuous Testing by proven professionals

Critical Infrastructure Protection

Information Sharing

Identify professional friends-in-need

Find vulnerabilities missed by your team

Save BIG money on housekeeping

Best brains in the business work free !!

Success fee based non negotiable.

Potential candidates for hire

Crowd sourced quality control

Use a BB Escrow Service

Start one on your own or crowd-source

Contact hackers in Hall of Fame

Reach out via Social Media

Word of Mouth

Offer Good Bounty

Companies have to be as ethical as the hackers

Admin super geek

Workflow / bug tracking system

Your terms and conditions transparent and in plain simple language

Escalation path (in case one does not agree to the admins decision for payout)

Open playing field for unknowns

Researcher sells in the underground

Revenge attack by unhappy hunter

Rogue hacker steals data

Wrong, slow or improper communication

Dealing with young hot professionals

OOPS!

http://rt.com/news/facebook-post-exploit-hacker-zuckerberg-621/

Technically sound head geek !

Quick Communication Plan

Transparency

Acknowledge and Pamper

Pay Good Money (be the best)

Media Announcements

Wall of Fame

NOW !!

Cost of Web Application Testing using automated open source tools = 50k to 200k

Cost paid by a very aware govt department to a CERT empaneled auditor = 20k to 50k

the audit firm will be foolish to carry out one

manual test!

With this pricing the client can forget getting anyone to even give a jhalak of a commercial tool like Core, IBM, Qualys

Me a big

corporation, or

me a big guy its not good for my image

or reputation

Priority Nature of Bug

1 Remote Code Execution

2 SQLi

3 Authentication Bypass

4 Privilege escalation

5 Circumvention of web app permissions

6 Stored XSS

7 Reflected XSS

8 CSRF

9 Clickjacking

Age: 0 > 25

Started BH: 3 5 years

Amount of money made: Y0 Y2 .. About $ 0 500 (unless

very lucky or good)

Y2 onwards average minimum $ 800 1000 per mo growing to av$ 2 3k

Daily work life: Regular life; average 6 to 8 hours

daily, less on weekends

Bug Hunting: 8 10 hours, more if excited, more on weekends

Sleep: whenever !

Social Acceptability: Y0 Y3 .. BAD, parents gave

up

Y2 onwards great !

Taxable Income: who knows !

Has PAN Number, Bank account

you do not want your anyone from here!

- visiting you

- buying your data

- selling your data

NO Siree !

Facebook Whitehat List https://www.facebook.com/whitehat/thanks/

Twitter Whitehat List https://www.twitter.com/about/security

Google Security Hall of Fame http://www.google.com/about/appsecurity/hall-of-fame/distinction/

PayPal Wall of Fame https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame-honorable-mention

Dropbox "Special Thanks" for Security https://www.dropbox.com/special_thanks

Adobe Security Acknowledgments http://www.adobe.com/support/security/bulletins/securiacknowledgments.html

Apple Security Notifications http://support.apple.com/kb/HT1318

Zendesk Security http://www.zendesk.com/company/responsible-disclosure-policy

Nokia Siemens Networks Hall of Fame http://www.nokiasiemensnetworks.com/about-

Facebook Whitehat List https://www.facebook.com/whitehat/thanks/

Twitter Whitehat List https://www.twitter.com/about/security

Google Security Hall of Fame http://www.google.com/about/appsecurity/hall-of-fame/distinction/

PayPal Wall of Fame https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame-honorable-mention

Dropbox "Special Thanks" for Security https://www.dropbox.com/special_thanks

Adobe Security Acknowledgments http://www.adobe.com/support/security/bulletins/securiacknowledgments.html

Apple Security Notifications http://support.apple.com/kb/HT1318

Zendesk Security http://www.zendesk.com/company/responsible-disclosure-policy

Nokia Siemens Networks Hall of Fame http://www.nokiasiemensnetworks.com/about-

Vignesh Kumar

Amol Naik (25/26)

Riyaz Walikar (24)

Krutarth Shukla

Ajay Singh Negi

Prakhar Prasad (20)

Mahadev Subedi

Aditya Gupta (22)

Subho Halder (22)

Harsh Vardhan Bopanna

Open Security Alliance, Principal and CEO

Jharkhand Police, Cyber Security Advisor

Pyramid Cyber Security & Forensics, Principal Advisor

Indian Honeynet Project, Co Founder

Professional skills and special interest areas

Security Consulting and Advisory services for IS Architecture, Analysis, Optimization.

Government policy, strategy, law enforcement

Technologies: SOC, DLP, IRM, SIEM

Practices: Incident Response, SAM, Forensics, Regulatory guidance..

Community: mentoring, training, citizen outreach, India research..

Opinioned Blogger, occasional columnist, wannabe photographer

Contact Information

E: dinesh@opensecurityalliance.org

T: +91.9769890505

Twitter: @bizsprite

L: http://in.linkedin.com/in/dineshbareja

Facebook: dineshobareja

Acknowledgements & DisclaimerVarious resources on the internet have been referred to contribute to the information presented. Images have been acknowledged where possible. Any company names, brand names, trade marks are mentioned only to facilitate understanding of the message being communicated - no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this will be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).