The Municipal Information Systems Association of California recommends ways for public-sector employees and private vendors to educate themselves on the latest in cybersecurity. One event, recommended by MISAC, is the Control System Cyber Security Association International’s presentations, like the one held Thursday at Sacramento State.
The CSCSAI event, called “It’s the Little Things,” highlighted the vulnerabilities created by human error.
“This entire talk is built around human error and believe me, some of the biggest companies in the world have made these mistakes,” presenter Ben Sadeghipour said.
Sadeghipour works for HackerOne, a “white hat” hacker platform that brings together independent hackers to help correct security vulnerabilities that could otherwise be exploited. These hackers work similarly to ride-share drivers, using their own time and tools to benefit others. HackerOne also allows for networking among hackers and security teams.
Sadeghipour built most of his career on bug bounties.
“A bug bounty is where you report a vulnerability in good faith to a program, and in return they don’t sue you or they don’t send the feds after you, and instead they pay you,” Sadeghipour said.
Sadeghipour described ways to find bugs within multiple systems, a skill that could be used to help local jurisdictions.
Many large organizations have launched bug bounty programs to find problems they may not otherwise know existed.
“You can’t replace a security team with a bug bounty, but you can replace a pen test, to some extent,” Sadeghipour said. And like hackathons, it is often less expensive to find a vulnerability through a bounty than through a dedicated team.
While private companies are launching more programs, so are governments.
“U.S. governments are the biggest ones,” he said. Sadeghipour said he recently helped organize an event that searched for cyber-vulnerabilities within the U.S. Air Force.
Because so much code is written and files can be left publicly accessible, as has been seen in recent AWS breaches, companies would rather know when their data can be reached by the public.
“A lot of them are friendly because you are just reporting the vulnerability without extracting the data. Most companies have an extensive list of what’s in scope,” Sadeghipour said.
The scope is often explained on a company page describing their bug bounty program.
“We’re trying to make rules as clear as we can, but errors happen, as always,” Sadeghipour said. “My rule would be just ask someone. A lot of times because you’re doing something good for them that’s in their control and it was their mistake, they’ll be nice enough to do anything.
“The only person that I don’t do that is the government, the Air Force, the Army — that’s the one time I’m like, 'The scope is very clear, not going out of scope.'”