Application Security , Risk Management , Technology

Business Case: Bug Hunters Need Better Financial Incentives

TS Lombard's Rafael Narezzi Discusses Exploits, Extortion and GDPR
Rafael Narezzi, CIO, TS Lombard

Businesses need to find more ways of incentivizing good researchers to find flaws in technology before bad actors discover them, says Rafael Narezzi, CIO of financial services firm TS Lombard.

See Also: How to Scale Your Vendor Risk Management Program

As an example, he points to the "KRACK" attack recently discovered by a Belgian researcher in the WPA2 security protocols used to encrypt many WiFi communications (see WiFi Security Shredded via KRACK Attack). "I'm glad it was the good guys actually who found this flaw," he says, saluting the Ph.D. researcher involved.

But for everyone who finds flaws in the course of finishing an advanced degree, how many other flaws have already been discovered and put to use by individuals with less honorable intentions?

Plea: Better Incentives

To counter the massive profits available to bad actors who find and weaponize such flaws, Narezzi says that large technology firms need to be spending more on incentivizing researchers with good intentions to find these vulnerabilities in their products first. He also expects more organizations to get on the bug-hunting bandwagon when EU regulators begin enforcing the General Data Protection Regulation in May 2018.

Narezzi warns that GDPR could see a new type of scam emerge: cybercrime gangs breaching or claiming to have hacked into an organization, then extorting the victim in exchange for a promise to not disclose the breach to regulators.

In a video interview at Information Security Media Group's recent 2017 London Fraud and Breach Prevention Summit, Narezzi also discusses:

  • The outsize profits to be made from cybercrime;
  • Strategies for incentivizing more security researchers;
  • How GDPR could change the bug-hunting debate.

Narezzi is CIO of TS Lombard in London, which was formed in 2016 by the merger of two leading independent investment research firms: Trusted Sources and Lombard Street Research. Narezzi formerly served as head of IT for Lombard Street Research.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network