Coordinated Vulnerability Disclosure
Overview CVD Workshop
Speakers:
• Hans de Vries – Head of the National Cyber Security Centre of the Netherlands: CVD good practices, the Dutch approach
• Joshua Corman – I Am The Cavalry: CVD from the researcher’s perspective
• Ryan Gillis – Vice President, Cybersecurity Strategy and Global Policy at Palo Alto Networks: CVD good practices of organisations, manifesto
• Szilvia Tóth – Ministry of Foreign Affairs of Hungary & Mihaela Popescu – Ministry of Foreign Affairs of Romania: Expert meetings in this initiative & a look ahead
Coordinated Vulnerability Disclosure: The Dutch Approach
Hans de Vries (NCSC-NL)
Washington, June 1st 2016
Agenda
• Guiding Principles NCSC-NL
• The Dutch Approach
• Our experiences
• Looking to the present and future
Coordinated Vulnerability Disclosure | June 1st, 2016
Guiding Principles NCSC-NL
• Multi stakeholder approach
• Connecting and strengthening initiatives
• Public – Private Partnerships
• Individual responsibility
• Self-regulation where possible
• Proportionate measures and regulation
• Shared responsibilities between departments
• International cooperation
[Slide 6: screenshot of a corporate website login page with Login and Password fields]
The Dutch approach
• Provide guidelines that focus on good cooperation between the vulnerability researcher and the organisation, and on clear expectations for both
• If all goes well, the government’s only role is that of facilitator and promoter
Guidelines, no law
• The Ministry of Security and Justice and the Public Prosecution Service support and advocate the guidelines
• The Public Prosecution Service ultimately retains the discretion to prosecute, for instance when a reporter goes ‘too far’ despite the agreed terms; of course, this also holds true for organisations
• A policy is an agreement between the organisation and the reporter
• The reporter and the organisation agree to adhere to the published policy; the organisation promises not to file a complaint with the police
• Jurisprudence/case law: the guidelines have been cited by judges in several criminal cases
Our experiences
• Many organisations have published a policy
• Good comments from both reporters and organisations
• Many good quality reports
• Mostly website vulnerabilities, but also 0-days
• Reporters getting hired instead of arrested
• Organisations put the fixing of found vulnerabilities into supplier contracts
• Organisations take the opportunity to improve their software development, testing and incident handling procedures
So why listen to someone who owned you?
• Find vulnerabilities in your systems
• Show people that you care about their information
• Involve community in keeping your organisation secure
• Have reporters disclose responsibly
• Make the world a better and safer place!
A win-win situation!
Looking to the present and future
• Adoption by international companies makes other organisations also see the advantages of CVD and its positive effects on reputation
• Who is liable? The organisation using the software, the reporter, or the company that made the software?
• Several private companies help to further develop CVD and promote its principles
• Security vs. safety: CVD faces many challenges in this respect, such as how to disclose vulnerabilities in critical infrastructure, medical equipment and automotive systems
• We need more good international examples!
Coordinated Vulnerability Disclosure Manifesto
New signatories welcome!