Our current cyber environment is the product of the decisions we have made as cybersecurity professionals. As the professionals we are, our job is not only to protect and secure data and the assets that produce it, but also to steward the profession and to raise cybersecurity awareness among people and society.
As professionals, our goal should be to convey how critical our job is. Cybersecurity as a discipline would not exist, in part, without the vulnerabilities that are continually discovered and documented. Those discoveries are the work of the people who work as security researchers.
Like any other science-derived profession, cybersecurity needs people who research a subject, especially vulnerabilities in systems, and people who keep systems updated against those vulnerabilities. Let's keep the focus on the research side, specifically vulnerability research.
Roles of a Security Research Engineer
A security research engineer is someone trained, educated and experienced in testing software systems with one goal in mind: finding their vulnerabilities.
In my post “How To Setup Your Own Cybersecurity Lab” I indicate that one important stepping stone to becoming experienced in cybersecurity is understanding the basics of what makes up a system, how it works and what can break it.
I don’t know of any other engineering specialization that works on how to break a system. The security research engineer has a different mindset from other engineers: their focus is on knowing how a system can break.
I mentioned above that as professionals our goal should be to convey how critical our job is, and one way to do this is by creating awareness of what a security research engineer can do. In management terms, we need to demonstrate the value of this specialty by showing how it has contributed, and keeps contributing, to software vendors.
The way a software vendor benefits from a security research engineer is concrete: the vendor can ship updates for its software because of the vulnerabilities the researcher found and reported. Under coordinated disclosure, most of these updates can be built and ready to deploy before the vulnerability is made public, and before cybercriminals get a chance to exploit it.
These vulnerabilities are then documented in the Common Vulnerabilities and Exposures (CVE) list, where each one receives a CVE identifier.
(Note aside: please stop saying that hackers are criminals. They aren’t. Some of them are, which is a different thing.)
What the right approach should be
After explaining the importance of what a security research engineer does, we need to focus on how a security research engineer should approach someone about a vulnerability found in the open.
Much security research targets web-based applications and systems, because they are exposed to everyone on the Internet, and some people see that exposure as an invitation to check how vulnerable a system is.
The other day I was looking at a website like any other regular reader and found that in the footer there was a default setting still enabled that granted access to the backend administration of the website. There was no “Contact Us” section or support email for the administrator. I assume that the “Whois” info is not up to date, because no one has responded to my finding. What I did was submit the communication anonymously. Yes, the default setting is still there in the open. I did what I thought was right.
Situations like this are getting researchers in trouble, even though my intentions were clearly to help, not to exploit anything or anyone. There have been cases where researchers identified themselves to the affected companies just to let them know to fix a specific vulnerability, and instead of a thank-you note, these researchers got sued.
The way I approach companies that are victims of threats is by sending anonymous communications via email. If you still want to help a company, this is your best way of doing it without getting sued.
If you want to sell your services, then it is more difficult. Even if you have proof that you found the vulnerability, you also need proof of your integrity and reputation, showing that you didn’t do anything unlawful. An unlawful act would be accessing the company’s systems without permission, and this is where we sometimes get in trouble, because how do you prove something without acting on it?
This is why I prefer to report things anonymously and forget about the profit. I see this more as a civic duty, like when we see that someone’s house is open and we call the owner to let them know so they can close it.
What these companies are doing is wrong
I can understand that these companies are legally bound to report and respond to their stakeholders and that they also have to protect their assets by any means necessary. Reacting to a vulnerability discovered by a security researcher with a lawsuit really shows the level of ignorance of the people who work for such companies.
It shows that companies that respond with a lawsuit are using the wrong method to protect their assets. Rather than protecting them reactively with lawsuits, they should protect them preventively, by hiring and listening to security researchers.
It seems these companies would rather leave their vulnerabilities out in the open than find out who is really threatening them. In some cases the company is already a victim, with data flowing out through an advanced persistent threat (APT) that is already present, but not knowing whom to blame, it blames the honest researcher who approached to warn it.
Call it a civic duty, or call it white-hat ethics. We feel responsible for helping those in need of cybersecurity guidance, and yet we get slapped in the face for it.
My Message to Companies Victims of Cybersecurity Threats
Security research engineers are here to stay and we can only get stronger. We are the best protection any company can have for detecting vulnerabilities: professionals trained and experienced to find the vulnerabilities in ANY system and software.
Remember that your company, and you as an employee, have a legal and fiduciary responsibility to protect your company’s assets, and you have two ways of doing this.
One is being reactive and patching every problem with band-aids such as lawsuits, which drain your capital and budget because you wish to slap someone’s face publicly and send the wrong message.
The other is being PROACTIVE: hire a security researcher, who will be loyal and the best choice to protect your most important asset, which happens to be your data and information. They can detect threats and risks in time.
For your information, because I’m sure you don’t know this: security researchers are armed with the same tools cybercriminals use to do harm. This lets researchers find the same vulnerabilities a cybercriminal would find, and get them fixed before a criminal gets there.
A security researcher performs assessments to minimize risk by eliminating the vulnerabilities your system has, because trust me when I say: ALL SYSTEMS have vulnerabilities. Just because you got yours from a reputable vendor or from someone with good reviews doesn’t mean you are invincible.
Software and system vendors run their own quality checks and tests on the product they sold you, but they do so in their environment. Putting the same software and system in your environment creates new threats and vulnerabilities unique to your deployment: your network, your configuration, your integrations.
Maybe your servers still have ports open that shouldn’t be, or your access roles are authorized with the wrong settings, or there is some other variable you have no clue about.
The only way to find out is to have a preventive program in place, and a security researcher is a must for that role.
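As an added example (not code from the original post), here is the simplest form of the first check named above: compare the ports a server is actually listening on against an allowlist of the ports that are supposed to be reachable. The `ss -ltn` output below is constructed for illustration, and the allowlist (SSH and HTTPS only, loopback-bound services tolerated) is an assumed policy for a public web server; on a real Linux host you would feed in the live output of `ss -ltn`.

```python
"""Flag listening TCP ports that are not on an allowlist.

Added example; the sample output below is constructed, not captured from a real host.
"""
import re
import subprocess

# Constructed sample of `ss -ltn` output: header plus four listening sockets.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511      0.0.0.0:443          0.0.0.0:*
LISTEN  0       128      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       4096     [::]:8080            [::]:*
"""

# Assumed policy for a public web server: only SSH and HTTPS may be
# reachable from outside. Services bound to loopback are local-only.
ALLOWED_PUBLIC_PORTS = {22, 443}
LOOPBACK_PREFIXES = ("127.", "[::1]")

# "addr:port" where addr may be IPv4, or a bracketed IPv6 address.
LOCAL_ADDR_RE = re.compile(r"^(?P<addr>\S+):(?P<port>\d+)$")


def parse_listeners(ss_output: str):
    """Return (local_address, port) pairs for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skip the header and anything not in LISTEN state
        m = LOCAL_ADDR_RE.match(fields[3])
        if m is None:
            continue  # unparseable local address; ignore rather than guess
        listeners.append((m.group("addr"), int(m.group("port"))))
    return listeners


def unexpected_ports(ss_output: str, allowed=ALLOWED_PUBLIC_PORTS):
    """Sorted ports listening on a non-loopback address that are not allowed."""
    bad = set()
    for addr, port in parse_listeners(ss_output):
        if addr.startswith(LOOPBACK_PREFIXES):
            continue  # not reachable from outside the host
        if port not in allowed:
            bad.add(port)
    return sorted(bad)


def audit_live_host(allowed=ALLOWED_PUBLIC_PORTS):
    """Run `ss -ltn` on this Linux host and audit its real listeners."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return unexpected_ports(out, allowed)


if __name__ == "__main__":
    # On the constructed sample, MySQL on 127.0.0.1 is tolerated and 8080 is flagged.
    print("unexpected public ports:", unexpected_ports(SAMPLE_SS_OUTPUT))
```

This models only the open-ports variable; wrong role authorizations need a different check against your identity system. The point it makes is the one the post makes: the vendor's own test environment cannot know which of your ports should be open, so the allowlist has to come from you.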
You can either hire or contract a security researcher to prevent unauthorized personnel from accessing your system by exploiting your current vulnerabilities, which we all know you have but aren’t allowed to tell you because of what I already said…
…or let the world be a witness of data pouring out your server to an unauthorized server, just because you decided to slap someone publicly on the face, to send the wrong message.
It is up to you.
Security Researcher Engineer
by Edgar Vera, MS Cybersecurity