Responsible disclosure helps to find security breaches

Our fellow organisation in the Netherlands put cybersecurity on their 2016 agenda too. Very much like CIOforum Belgian Business, the CIO Platform Nederland continuously strives – as an association – to help its members in the right direction. With regard to cybersecurity, the CIO Platform Nederland focuses on three areas: cooperation, guidance and awareness.

On an awareness level for instance, every organisation has the same objectives: to keep employees alert and guide them to the right actions or measures to take. To tackle this generic and common awareness problem, the CIO Platform Nederland decided to help its members with an equally common tactic to use in their organizations.

Gamification to raise awareness

“We decided to develop a security awareness game, so that people become alert and know what to do when they detect unusual situations, contributing to the overall safety level”, says Ronald Verbeek, director of CIO Platform Nederland. The result was ‘Elevator’, a game in which two of your employees collaborate to break into a company and reach the elevator by exploiting security issues. The game covers topics such as clean desk policy, password management, Wi-Fi hotspot security, phishing mails and data leaks.

The game has been operational for a year and proved so successful that CIO Platform Nederland has decided to make it available to non-members as well.

Checklists for secure cloud service

Secondly, the association created checklists and guides for CIOs to use when discussing contracts with vendors. Which clauses do you need to think of when signing for a cloud service? What are the essential terms and conditions for a secure use of cloud services? How to optimize the equal relationship with your vendors? You can find the free publications here.

Responsible disclosure

Last but not least, our Dutch colleagues developed a responsible disclosure implementation guide, allowing organizations to improve their security through third-party collaboration. “Not every hacker wears a black hat. Ethical or white-hat hackers have made it their job to find holes in your network or security strategy and tell you about it. If we communicate about the vulnerabilities that were discovered and how we tackled them, others can take necessary measures too”, says Ronald Verbeek.

You need rules for that kind of communication to take place in a fair and correct way. You need a communications channel where you can give credit to the notifier too. To encourage organizations to adopt responsible disclosure policies the CIO Platform Nederland wrote, together with Rabobank, the Coordinated Vulnerability Disclosure Manifesto. A ready-to-use policy document to implement responsible disclosure within your organization is available from their website for free.

Rabobank implements responsible disclosure

This kind of exchange of ideas and feedback has also been put into practice by Rabobank, as by many other banks. The bank works with a white-hat hacking community to find security concerns. This has allowed the company to eliminate issues such as SQL injection, cross-site scripting by exception, insecure session cookies, missing security headers, and so on.

The bank even allows automated scans, although it has a large penetration test team that should already pick these things up. The cybersecurity team realizes that the underground has different skills and another way of looking at things. When the bank launched a new banking app, for instance, someone discovered a serious issue with SSL pinning that would have allowed attackers to perform a man-in-the-middle attack.

The bank first set out guidelines for its responsible disclosure programme. Jethro Cornelissen, Manager of the Cyber Security Incident Response Team at Rabobank: “Define and communicate how you want people to report, what you don’t want them to report, that you want to be able to communicate with them so that they can show you what they have found and how, and be very clear about your rewards programme. We have a fixed reward, and one of our rules is that the notifier refrains from media publications.”