InfoSec is Not Your Enemy… Legal is
It doesn’t take an IT person to know that access to information and security pull in opposite directions. User experience, usability, and friendly intuitive design are products of easy integration and easy access to data. Information Security has the goal of making things as secure and reliable as possible. They want to make it harder to access data, while developers and the business want to make it easier to access data. But… those do not have to be conflicting directions.
The real problem comes when you start bringing legal teams into the discussion. InfoSec and Development do not deal in absolutes; they deal in compromise. “You can have X and Y ports open, but a DLP solution must be in place and logs need to feed into Splunk for monitoring.” Legal, on the other hand, deals with money and risk. They deal in absolutes. If a company has all of its dirty laundry aired or a breach occurs that puts customers at risk, they have to deal with the financial and legal fallout. Their job is to try to remove all risk… there is no compromise.
Blame Article 13
In a world where legal issues are becoming more prevalent, we are going to start seeing a huge uptick in laws and regulations that impair our ability to do business. Article 13 in the EU is a perfect example. Web hosts can now be held liable for content on their sites. So if you post something to Facebook or Twitter saying you want to murder someone… the host can be held complicit if you do and they took no action. They can also be held liable in libel and defamation cases. The risk just took a HUGE upswing for businesses, and the result, by its very nature, is that consumers will pay the price.
Legal departments are there to perform a function, and it is a vital function. The biggest problem is that legal departments want to remove all risk… which is impossible. The very fact that you are doing business means you have risk. The trick is working with them (or convincing them to work with you) on determining a compromise. If a website or application has all risk removed, that means the servers were powered off and the drives melted down. There is no way to ensure 100% no risk.
What can I do as an employee?
The main thing you can do as an employee of a company trying to minimize risk, increase security, and increase user adoption and ease of use… is to work with these teams hand-in-hand. Don’t lob requests over the wall and hope they understand why it’s important that a change be made. Work with them so they can understand why things are the way they are, and work with them to understand what you need to do in order to reduce the potential for legal or InfoSec related issues. As with all things business, it’s about communication and comprehension. A data use agreement will not absolve you of 100% of liability. A business associate agreement will not prevent you from having any culpability.
What does this mean for ethical hackers?
This is a very tricky spot for ethical hackers. Many look at sites and services they use and try to find holes so they can help close them and secure their own data. In a world that is becoming more litigious and where the risk of jail time is increasing, this has become a dangerous profession.
Many companies and “experts” in the field will argue that companies are becoming more open to ethical hacking and pen-testing, but the details paint a darker picture. There are strict rules you must follow to stay out of trouble when trying to pen-test a site or server. The biggest one is having prior consent. Oral consent is as good as pixie dust… it means nothing in court and it means nothing to the F.B.I. when they knock down your door. Make sure it is written and archived. Companies may have a consent page on their site… but that page can disappear at any moment. If you are relying on a published page for consent, make a backup copy of it. Don’t assume that page will still exist when you go to defend yourself.
One of the other pitfalls of these “bug bounty programs” is their limited scope. If a company says “sure, you can hack us,” read the details. Most of the time they will have restrictions that prevent you from testing the most critical parts of their service. Sure, you can pen-test the photos section of Facebook, but try a domain hijack and see how quickly you end up in jail.
My BEST advice: if you are trying to penetrate a server or site, do the following:
- Have archived written consent
- Know exactly what is in-scope and what is not
- Know the laws (just because a company says you can doesn’t mean you will stay out of jail; SaaS and cloud hosts can still go after you)
- Don’t be stupid.
- And if you are disregarding all ethics… don’t get caught.