Security weaknesses must be shared openly: Facebook CSO
By Edwin Yapp October 18, 2013
- Knowledge sharing crucial in IT security today; organisations, community must trust each other
- Crowdsourcing the way, IT security no longer just the purview of experts, techies
THE long-held belief that it is better for information technology (IT) security vulnerabilities to be kept under wraps and not shared between organisations and the security community is flawed, as such a practice could be detrimental to the industry as a whole, according to Facebook’s security head.
Speaking on the second and final day of the HITB Security Conference (HITBSecConf KL) held at the Intercontinental Hotel in Kuala Lumpur on Oct 17, Joe Sullivan, chief security officer (CSO) at Facebook, said today’s security landscape has changed dramatically compared with 15 years ago, when the Internet was still nascent.
“A long time ago when I was a prosecutor, I would go around asking companies to let me know when their companies’ security is compromised, so that I could go after those responsible, but they never called,” Sullivan said in his keynote address.
“The culture 15 years ago was that no one [would] call when they had a problem, and no one would admit it when they found vulnerabilities or even when they had fixed the problems. And if someone contacted the company and reported a vulnerability, the company would think that it was being extorted.”
The former Assistant US Attorney for the Computer Hacking and IP (Intellectual Property) Unit at the US Department of Justice said companies such as Facebook have begun changing the dialogue in the last 15 years, so much so that people in general are now not afraid to talk about security as a work in progress.
Sullivan said that when it comes to the reality of the Internet in today’s world, security is not going to get any better unless the community [companies and people] talk about the vulnerabilities they experience, expose them and discuss them openly.
“I remember when we started our [bounty rewards] programme [where Facebook rewards researchers who find vulnerabilities], someone said, ‘If we’re going to pay them, it would be a great time to ask them to sign a non-disclosure [agreement] before doing so.’
“This approach of ‘Let’s fix the problem, gag that person and not tell anyone about it’ is exactly the wrong approach. You want people to talk about vulnerabilities [they discover] in the right context so that we all can learn about them and fix them. We can’t be afraid to talk about them and we can’t be afraid and keep security [issues] hidden.”
Asked what was the biggest driving force behind this cultural change, Sullivan pointed to the fact that a lot more of the world is on the Internet.
“In the past, you did not have ubiquitous online banking and smartphones with apps,” he said on the sidelines of the HITBSecConf KL. “As we all moved to these services online, we’ve all come to understand the nature of the Internet – the open, borderless opportunities, and the costs that come with it.”
Sullivan also said that as security breaches happened, organisations that had been compromised were forced to talk about data breaches and also had to notify users.
“They started to ask themselves, ‘Should the first time they speak about security be also the first time they reveal that they had a security issue? No, it shouldn’t,’” he said, adding that all should understand that security is still a work in progress.
Getting ordinary folks into security
Earlier in his keynote address, entitled ‘Bringing social to security,’ Sullivan outlined how IT security – long thought to be the exclusive domain of geeks, nerds and hardcore programmers – should instead be everyone’s business, regardless of their background or technical know-how.
The 44-year-old lawyer-turned-security chief noted that security in today’s world cannot be “put in a corner” and that security teams within an organisation can’t be the only ones working on security.
“The nature of the Internet being what it is means that we have to get the whole organisation working with us, getting them all to be a part of the security team.”
But to advance this kind of culture, Sullivan acknowledged that more must be done to get the participation of non-technical people, because friction between IT security personnel and non-technical staff is common: security teams tend to create barriers that stop people from getting things done.
Conceding that security is not something that every non-technical employee comes to his or her company thinking about, Sullivan said, “This is one of the questions [I face] as the CSO of Facebook: How do I change that culture inside my company, and make people own security for themselves and not think about it as a barrier to their success?”
To this end, Sullivan said Facebook has in the past few years come up with various innovative ways to encourage the participation of non-technical personnel in security. The results of these activities, he claimed, were largely positive.
Some of these were: ‘Hacktober’ (Hack October), a security awareness month organised by Facebook, in which ordinary staff participated in simulated security games with reward schemes attached to them; creating Facebook pages where staff could give feedback and report any security issues they may find, regardless of how trivial; and ‘Red Teaming,’ a process by which Facebook’s security team is alerted to the possibility of simulated attacks without knowing when these attacks will actually be conducted.
Asked whether he thought these activities would work in traditional enterprises, especially more corporate and conservative ones such as banks, Sullivan acknowledged that what worked inside Facebook isn’t necessarily going to work in another company.
That said, Sullivan noted that he has seen other companies launch programmes such as Hacktober in more conservative environments, and that it has worked in such cases.
“It would vary in different environments but I’ve talked to security people at other companies and they agreed that they need to target their programme specifically to their environment.
“But the fundamental point is the same, as you need to move security from the passive consumption of a lecture or a video to empowering people so that they feel they are a part of the solution and that it’s part of their job.”
The former federal prosecutor also said that regardless of the kind of organisation, management should still care about the brand and the people who interact with that brand.
“So it’s important for you as security personnel, when you go back to your own organisations, that you become responsible for helping your organisation’s own security.
“And the best way to do that is to bring social to security – a means to engage everyone involved in security and get them to participate with you in making the company secure.”