Business Case: Bug Hunters Need Better Financial Incentives
TS Lombard's Rafael Narezzi Discusses Exploits, Extortion and GDPR
Businesses need to find more ways of incentivizing good researchers to find flaws in technology before bad actors discover them, says Rafael Narezzi, CIO of financial services firm TS Lombard.
As an example, he points to the "KRACK" attack recently disclosed by a Belgian researcher: a key-reinstallation flaw in the WPA2 protocol used to secure most Wi-Fi networks (see WiFi Security Shredded via KRACK Attack). "I'm glad it was the good guys actually who found this flaw," he says, saluting the Ph.D. researcher involved.
But for everyone who finds flaws in the course of finishing an advanced degree, how many other flaws have already been discovered and put to use by individuals with less honorable intentions?
Plea: Better Incentives
To counter the massive profits available to bad actors who find and weaponize such flaws, Narezzi says that large technology firms need to be spending more on incentivizing researchers with good intentions to find these vulnerabilities in their products first. He also expects more organizations to get on the bug-hunting bandwagon when EU regulators begin enforcing the General Data Protection Regulation in May 2018.
Narezzi warns that GDPR could see a new type of scam emerge: cybercrime gangs breaching or claiming to have hacked into an organization, then extorting the victim in exchange for a promise to not disclose the breach to regulators.
In a video interview at Information Security Media Group's recent 2017 London Fraud and Breach Prevention Summit, Narezzi also discusses:
- The outsize profits to be made from cybercrime;
- Strategies for incentivizing more security researchers;
- How GDPR could change the bug-hunting debate.
Narezzi is CIO of TS Lombard in London, which was formed in 2016 by the merger of two leading independent investment research firms: Trusted Sources and Lombard Street Research. Narezzi formerly served as head of IT for Lombard Street Research.