Corporate Cybersecurity
Identifying Risks and the Bug Bounty Program
John Jackson
This edition first published 2022
© 2022 John Wiley & Sons, Ltd.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.
The right of John Jackson to be identified as the author of this work has been asserted in accordance with law.
Registered Office(s)
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK
Editorial Office
The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK
For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.
Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Some content that appears in standard print versions of this book may not be available in other formats.
Limit of Liability/Disclaimer of Warranty
While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
Library of Congress Cataloging-in-Publication Data
Names: Jackson, John (Cybersecurity professional), author.
Title: Corporate cybersecurity : identifying risks and the bug bounty program / John Jackson.
Description: Hoboken, NJ : John Wiley & Sons, 2021. | Includes bibliographical references and index.
Identifiers: LCCN 2021020794 (print) | LCCN 2021020795 (ebook) | ISBN 9781119782520 (hardback) | ISBN 9781119782568 (ebook) | ISBN 9781119782537 (pdf) | ISBN 9781119782544 (epub)
Subjects: LCSH: Business enterprises--Computer networks--Security measures. | Penetration testing (Computer security) | Cyberspace--Security measures.
Classification: LCC HD30.38 .J34 2021 (print) | LCC HD30.38 (ebook) | DDC 658.4/78--dc23
LC record available at https://lccn.loc.gov/2021020794
LC ebook record available at https://lccn.loc.gov/2021020795
Cover image: © WhataWin/Shutterstock
Cover design by Wiley
Set in 9.5/12pt STIX Two Text by Integra Software Services Pvt. Ltd, Pondicherry, India
1 Cover
2 Title page Corporate Cybersecurity Identifying Risks and the Bug Bounty Program John Jackson
3 Copyright
4 Foreword
5 Acknowledgements
6 Part 1 Bug Bounty Overview
1 The Evolution of Bug Bounty Programs
1.1 Making History
1.2 Conservative Blockers
1.3 Increased Threat Actor Activity
1.4 Security Researcher Scams
1.5 Applications Are a Small Consideration
1.6 Enormous Budgetary Requirements
1.7 Other Security Tooling as a Priority
1.8 Vulnerability Disclosure Programs vs Bug Bounty Programs
1.8.1 Vulnerability Disclosure Programs
1.8.2 Bug Bounty Programs
1.9 Program Managers
1.10 The Law
1.11 Redefining Security Research
1.12 Taking Action
1.12.1 Get to Know Security Researchers
1.12.2 Fair and Just Resolution
1.12.3 Managing Disclosure
1.12.4 Corrections
1.12.5 Specific Community Involvement
7 Part 2 Evaluating Programs
2 Assessing Current Vulnerability Management Processes
2.1 Who Runs a Bug Bounty Program?
2.2 Determining Security Posture
2.3 Management
2.3.1 Software Engineering Teams
2.3.2 Security Departments (Security Operations, Fraud Prevention, Governance/Risk/Compliance, Edge Controls, Vulnerability Management, Endpoint Detection, and Response)
2.3.3 Infrastructure Teams
2.3.4 Legal Department
2.3.5 Communications Team
2.4 Important Questions
2.5 Software Engineering
2.5.1 Which Processes Are in Place for Secure Coding? Do the Software Engineers Understand the Importance of Mitigating the Risks Associated with Vulnerable Code?
2.5.2 How Effective Are Current Communication Processes? Will Vulnerabilities Be Quickly Resolved If Brought to Their Attention?
2.5.3 Is the Breadth of Our Enterprise’s Web and Mobile Applications Immense? Which Processes Are Engineers Using for Development in the Software Development Lifecycle?
2.6 Security Departments
2.6.1 How Does Security Operations Manage Incidents? Will Employee Assistance Be Provided from the Security Operations Team If a Threat Actor Manages to Exploit an Application Vulnerability? Which Tools Do They Have in Place?
2.6.2 What Does the Fraud Prevention Team Do to Prevent Malicious Activities? How Many Occurrences Do They See of Issues such as Account Takeover, and Could They Potentially Create Application Vulnerabilities?
2.6.3 Are There Any Compliance Practices in Place and, If So, How Do They Affect the Vulnerability Management Process? What Does the Application Security Team Have to Do to Assist in Enterprise Compliance?
2.6.4 What Edge Tooling Is in Place to Prevent Attacks? Are Any of the Enterprise Applications at Risk of Being Exploited due to an IoT (Internet of Things) Device?
2.6.5 How Often Does Our Vulnerability Management Team Push for Updates? How Does the Vulnerability Management Team Ensure Servers in which Enterprise Applications Reside Are Secure?
2.7 Infrastructure Teams
2.7.1 What Are Infrastructure Teams Doing to Ensure Best Security Practices Are Enabled? How Long Will It Take the Infrastructure Team to Resolve a Serious Issue When a Server-side Web Application Is Exploited, or During a Subdomain Takeover Vulnerability?
2.7.2 Is There Effective Communication between Infrastructure, Vulnerability Management, Security Operations, and Endpoint Detection and Response?
2.8 Legal Department
2.8.1 How Well Refined Is the Relationship between the Application Security Team and the Legal Department?
2.8.2 What Criteria Are/Will Be Set Out for the Escalation of Issues?
2.8.3 Does the Legal Department Understand the Necessity of Bug Bounty Program Management?
2.9 Communications Team
2.9.1 Has the Communications Team Dealt with Security Researchers Before? Is the Importance Understood?
2.9.2 Was the Communications Team Informed of Bug Bounty Program Expectations?
2.10 Engineers
2.11 Program Readiness
3 Evaluating Program Operations
3.1 One Size Does Not Fit All
3.2 Realistic Program Scenarios
3.3 Ad Hoc Program
3.4 Note
3.5 Applied Knowledge
3.5.1 Applied Knowledge #1
3.5.1.1 Private Programs
3.5.2 Applied Knowledge #2
3.5.2.1 Public Programs
3.5.3 Applied Knowledge #3
3.5.3.1 Hybrid Models
3.6 Crowdsourced Platforms
3.7 Platform Pricing and Services
3.8 Managed Services
3.9 Opting Out of Managed Services
3.10 On-demand Penetration Tests