John Pescatore - SANS Director of Emerging Security Trends
Don’t Forget About Being Prepared for Old-Fashioned DDoS Attacks!
Facebook represents a macrocosm of the security problems facing enterprises. These two news items focus on two tough problems:
- Supply chain security: Facebook has a complex supply chain consisting of thousands of third-party applications that sell services through the Facebook platform. Facebook has had security and privacy issues, most notably the Cambridge Analytica 2016 exposure of data of 50 million Facebook users. Since then Facebook has created a robust program to drive higher levels of security and privacy into that supply chain, including the use of managed bug bounty programs and the requirement of annual penetration testing of application code. I call this the app store approach (similar to what the Apple App Store and Google Play do): "active testing to augment contractual agreements and continuous monitoring."
- Data privacy: Most Facebook revenue comes from selling targeted advertising, which takes advantage of Facebook’s visibility into users’ data and their use of those Facebook applications. However, consumer demand and regulations, such as GDPR, are pushing online services to honor opt-in models for data exposure vs. relying on access to sensitive information unless users opt out.
User data and all those third-party apps are the crown jewels of Facebook’s revenue stream. Security and privacy are key to enabling profits to continue. It took the negative business impact of the Cambridge Analytica scandal to convince Facebook to raise the bar in supply chain security, and Facebook has an opportunity to be more proactive around enhanced data security now. These are good business case studies to use in demonstrating the value of building security into all products and services.
Facebook's Third-Party Vulnerability Disclosure Policy
(September 3 and 4, 2020)
Facebook now has a vulnerability disclosure policy that lays out how the company will disclose security flaws it finds in third-party products. According to the policy, third-party companies will have 21 days to acknowledge Facebook's initial report and then 90 days to remediate the issue. If the third party misses either deadline, Facebook may disclose the flaw publicly. Facebook also notes that if there are mitigating circumstances, for example a flaw that is being actively exploited, the disclosure timeline may differ.
[Ullrich] It looks like 3 months/90 days is becoming the standard for vulnerability disclosures. This can be hard to meet for some complex bugs but should be doable for most vulnerabilities.
[Pescatore] Facebook has done a good job in recent years of essentially implementing an "app store" to drive higher levels of security into third-party apps. Facebook has a managed bug bounty program that has some coverage of third-party apps in addition to Facebook's own software and sites. Third-party apps that access user data must undergo yearly pen testing and code review by qualified assessors. The "disinformation" problem on the content side of Facebook brings in an entirely different set of problems, but on the code security side Facebook seems to be doing the right things.
Read more in:
The Register: Facebook to blab bugs it finds if it thinks code owners aren't fixing fast enough
SC Magazine: Facebook announces new details on how it will disclose bugs found in third-party products
Threatpost: Facebook Debuts Third-Party Vulnerability Disclosure Policy
Facebook: Facebook's Vulnerability Disclosure Policy
Irish Data Protection Commission Will Order Facebook to Stop Sending EU User Data to US
(September 9 and 10, 2020)
Facebook has received a preliminary order to stop sending European Union (EU) user data to the U.S. Facebook has until mid-September to respond to the order from the Irish Data Protection Commission (DPC). The order grew out of a July 2020 ruling from the Court of Justice of the European Union (CJEU) that invalidated Privacy Shield, the EU-US data transfer agreement then in force, because the protections it offered against U.S. surveillance laws were found to be inadequate to protect the rights of EU data subjects. The CJEU ruling left in place Standard Contractual Clauses (SCCs), which provide a legal basis for transfers of personal data from the EU to non-EU countries. The Irish DPC believes that SCCs do not offer sufficient protection for transfers to the U.S. and is therefore asking Facebook to stop the data transfers. (Please note that the Wall Street Journal story is behind a paywall.)
[Pescatore] Facebook's CEO needs to learn from Bill Gates' 2002 "Security is Job 1" direction change at Microsoft and, more recently, from Zoom CEO Eric Yuan's similar (but much faster!) epiphany and subsequent security focus in April of this year. The increasing demand for privacy and data rights is coming from consumers, not just regulatory bodies. Getting data protection and stronger user authentication built into products and services meets that demand while greatly raising the bar against attackers.
[Honan] This has major ramifications for all companies transferring personal data of EU data subjects to the U.S., and potentially for the transferring of personal data of EU data subjects to the United Kingdom in the event of a no deal Brexit. The core of the issue is that the EU does not believe that U.S. privacy laws and mechanisms are robust enough to protect the privacy rights of EU data subjects against U.S. surveillance laws and abuse of that personal data by U.S. corporates. Privacy comes at a price that for too long has been borne by the individual. This move sends a clear message to governments and companies that they, too, have a responsibility to protect the privacy of individuals.