Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches
3/17/2020, 10:00 AM
Tom McAndrew
Commentary

Needed: A Cybersecurity Good Samaritan Law

Legislation should protect the good hackers who are helping to keep us safe, not just go after the bad.

The arrest and exoneration of two Coalfire employees caught breaking into an Iowa county courthouse in September 2019 highlight the challenges our legal system faces in addressing the fast pace of cybersecurity in an increasingly connected world. The circumstances show the dire need for collaboration among different teams to raise overall levels of security across both cyber and physical systems.

Coalfire hired these individuals as hackers to test physical security systems. They found the front door of the courthouse in Dallas County, Iowa, unlocked and set off the alarm deliberately to notify law enforcement. They were arrested, charged as criminals, jailed, and now have permanent arrest records — simply for doing their jobs.

The Iowa episode should be a warning sign to the entire security industry and a wake-up call to legislators that better protections are required for the cybersecurity community and the work it does defending our institutions against cybercrime. Today, cybersecurity testers have very little legal protection, and a Cybersecurity Good Samaritan law would protect those who perform critical investigative work to test our cyber defenses around the clock. This law should seek to provide criminal and personal liability protection for those conducting cybersecurity engagements when they:

  1. Are working as an employee of a cybersecurity firm or division
  2. Are under contract with the entity for which they are performing the work
  3. Have documentation on the scope and approach of the engagement
  4. Are performing reasonable tasks related to the engagement

(Note: This would still allow clients to go after the firms they hire but would protect the individuals from being personally liable.)

"Hacker" brings to mind cybersecurity sleuths who crack codes, steal passwords, compromise devices, install ransomware, and illegally transfer funds. As the US becomes more sophisticated in protecting the digital world, physical systems are becoming a target — one with an attack surface that's relatively easy to penetrate. Gaining physical access is one of the easiest ways to hack into a network. This could include accessing paper records, installing equipment or software on the network, or simply putting in covert backdoor systems.

The concept of combining physical attacks and cyberattacks to test a system is nothing new. The term "red teaming" is used in the industry to describe a method of system testing based on thinking and acting like a bad guy. Red teams help businesses to see how break-ins and business disruptions occur, to test strength and durability of their defenses, to identify where vulnerabilities exist, and to expose weaknesses that could be considered negligent and contributing to a breach. 

The risks of conducting red teaming increase as more bad guys hide themselves in cyberspace. Law enforcement and the legal system have the power to interpret the legality of our work. In the Iowa case, the issue had nothing to do with system defenses or specific laws, but rather it came down to the authority of the state versus the authority of the local county to dictate and enforce. Consequently, the two pen testers took the heat. This nonaccountability is archaic and not keeping pace with the realities of the cyberworld where threats are escalating and system testing — be it ballot boxes or courthouse locks — is becoming the new normal for US businesses and institutions.   

The cybersecurity industry needs to do a better job of identifying and publishing best practices. The National Institute of Standards and Technology (NIST) has developed many best practices that are used as the basis for testing today, including the Common Vulnerability Scoring System (CVSS), Common Vulnerabilities and Exposures (CVE), the National Vulnerability Database, the widely adopted Security and Privacy Controls (SP 800-53), the Cybersecurity Framework, and the Penetration Testing Execution Standard (PTES).

But when it comes to service order templates and legal language to use as a best practice for red teaming, there is very little out there. The vast majority of penetration-testing companies are small, with fewer than 100 employees and limited legal or financial resources. Contract language should be publicly available and open to input.  

In addition to industry best practices, better legislation is needed to protect cybersecurity professionals working under contract. The physical addresses or virtual addresses (known as IP addresses) that are given to test the scope of work often lack specifics and turn out to be way off the mark. Penetration testers are typically able to push through and get the job done, but increasingly these testers are taking huge risks when an assignment shifts and local authorities (like those in Iowa) are taken off-guard.

We need legislation to protect the good hackers, not just go after the bad. A Cybersecurity Good Samaritan law would allow the good guys to do their jobs and foster more collaboration between private and public sector cyber defenses. This would help to drive positive change across the entire industry as information security and physical security continue to converge.  


Tom McAndrew is the CEO of Coalfire, a security risk advisory to public and private sector organizations including government agencies and private businesses. He is recognized on the FCW Federal 100 and by (ISC)² as one of the top senior security leaders in North America.