Security is always a "nice to have" feature, but how does a busy business owner get it done?
It's virtually impossible for one person to do this type of military-strength hacking job. The time and effort required is highly non-linear and almost impossible to predict.
It would be cool if the government would tell you if your website was insecure. But they'd prefer to keep the back door in case they need it later. Just kidding. CERT has very useful advisories over at cert.govt.nz/it-specialists/advisories/ But they can only do so much.
Bug Bounty Programs != Complete Solution
At first, only the super large software companies like Google and Facebook could afford bug bounty programs, but today 93 companies are listed at bugcrowd.com/programs
Not all companies with websites need super-strong security like this: nation-state-level network operations. But the citizens of the country would likely hope their government has a plan to protect its own computers, and also a plan to ensure that important industries such as banking, finance, healthcare and legal aren't leaking huge quantities of data everywhere.
But it's not a complete solution - it's an extreme solution for a super technical area actually - and perhaps not the first solution for a medium-sized business dabbling in hardening its network.
False positives from intrusion detection are a mega waste of time.
Bruce puts it nicely over at his page on the subject:
Here's an outsourcing idea: get rid of your fleet of delivery trucks, toss your packages out into the street, and offer a reward to anyone who successfully delivers a package. Sound like a good idea, or a recipe for disaster?
The reality is that it comes down to branding: if the brand would be harmed by being the victim of a really big hack or data breach, then the company puts more effort in. This works pretty well for infosec products. And for the times when it doesn't, I'm not suggesting forcing anyone to start a bug bounty program.
People would still eat pizza at a joint which has a haxored network, but they might not want to visit a doctor or use a lawyer whose network was wide open, with file servers leaking everywhere etc.
I'm wondering if it would be possible to have a kind of social welfare for hackers government ministry, which pays Kiwi researchers for their efforts pertaining to New Zealand headquartered companies directly, without needing the approval of the target company, whose head is likely in the sand anyhow.
Create an extra information stream for CERT. Banks, lawyers, doctors: instant fines for leakage events. I'm looking at ACC; remember they had multiple screw-ups involving a CMS that could fire out emails in bulk, operated by staff!
Remember NOVAPAY? It's probably riddled with bugs, and y'all know what that means. No incentive to find the bug.
Or perhaps an approved proxy one could "hack all the NZ things" through but still be contactable by the authorities. Recording the traffic to disk temporarily would enable maximal value and help the researcher prove whether they succeeded or not in order to claim the bounty reward.
Sometimes I just want to be sure my own bank is safe. Personally.
When the network admin sees the penetration test coming from a New Zealand-based IP address - on a government subnet even - they'd visit the IP address and see a message to say it's all legit. Usually when you are being hacked you can't contact the other side like that. This would be different.
Crowd-sourced security outfit Synack uses this method. It's required because sometimes there is a dispute about payout of the bounty to the successful researcher - how do you prove such a thing?
Also I hear in the US researchers found a remote-execution jailbreak for iOS and, instead of collecting Apple's $200,000, they opted for a way bigger million-plus payout: motherboard.vice.com/.../somebody-just-won-1-million-bounty-for-hacking-the-iphone
Unauthorised Use of a Computer System
I'd like to be able to scan and probe the entire country to find vulnerable machines, as a pre-sales market research information-gathering exercise: to build a list of companies at risk to contact and sell my security services to.
But some parts of that probe may be deemed unauthorised access if done here in NZ. It would need to be carried out in another country, and then it would not be investigated further; if I understand the "prosecutorial budget" allocation methods we use here, it would be deemed too hard to bother looking into. Unless you were coming from a Five Eyes country, they might find it hard to get at you.
You left your headlights on
For sure, having every doorknob in your house jiggled would be unnerving to watch, even if it's somewhat equivalent to that friendly neighbour telling you your car headlights are still on so you don't flatten your battery: trying to help. But then visiting the probe IP and reading the message would allay fears and maybe even boost confidence. Free network virus check. 🙂
The reason for high standards of evidence in criminal courts and the use of the presumption of innocence is that it is better to have criminals roaming free due to lack of evidence than to have innocent people locked up in jail wrongly - just because they looked at your computer the wrong way. You'd need a lot of jails and the economy would suffer. Sound like any country in 2007? Tame Iti is an artistic genius, not a terrorist.
HIPAA is the Health Insurance Portability and Accountability Act of 1996 and is United States legislation that provides data privacy and security provisions for safeguarding medical information.
PCI compliance is adherence to the payment card industry code that ensures payment processors use best practices.