Sometimes to fix something, you’ve got to break it first. That’s the philosophy of security researchers at IOActive, a Seattle-based firm known for finding critical vulnerabilities in everything from smart cities to satellites and messenger apps. A 20-year veteran of the industry, CEO Jennifer Steffens steers the ship. Her team handles everything from physical intrusions and social engineering to classic technical penetration testing as part of full-stack security assessments. The view of that work has changed drastically in the last two decades. Once feared and fought, red teams are now viewed as essential in the security world.
CyberScoop: One thing you’ve talked about consistently over the years is responsible disclosure. You’ve shared some horror stories about vendors ignoring researchers, and you’re not alone with those negative experiences. With that dark past in mind, where are we now in 2018 on responsible disclosure, on the relationship between vendors and researchers, and how it impacts cybersecurity overall?
Jennifer Steffens: I think we’ve honestly come a long, long way in my probably 20 years of doing disclosure. In the early days it was very, very difficult to find any vendors that would respond. There was a lot of, you know, fear around what researchers were bringing to the table and why they were reaching out. Over time, especially depending on the industry, a lot of that fear has kind of subsided. People always like to say that when the researchers are knocking on your front door, they’re typically the good guys. The bad guys don’t want you to fix things. So we’re finding it a lot easier to engage companies, get to the right people and have companies really interested in doing the right thing and making their products more secure.
There’s still a ways to go, and we’re big advocates for a more collaborative disclosure policy when you’re dealing with a lot of technology that can have safety implications as well. It’s important to not only notify an individual vendor and work with them to fix things, but also the entire industry and ecosystem. We just did some work in satellite communications around the Black Hat timeframe and had a really good experience working with the aviation ISAC to have a lot more understanding of the potential impact that those vulnerabilities would have in live situations.
CS: What do you think has driven that kind of change, that positive change?
JS: I think it’s more researchers, you know, are disclosing things. I think the media has helped us push the responsible disclosure message, bounty programs are spinning up, and there are a lot of advocates for understanding that you need to be prepared to receive the information. Companies are embracing the fact that security is important. And, you know, it’s best to find out that something’s broken through an internal team or a researcher than to wait for the bad guys to figure it out.
CS: Around this year’s Black Hat and DEF CON, you said you saw positive energy around women in cybersecurity when it came to these two events. Are we trending in the right direction?
JS: We’re trending in the right direction. I think personally I’m seeing more women in the industry. I’m seeing more women in the industry start to participate more. I think they’re getting a stronger voice. We’re also seeing a lot of advocates and support from the industry as a whole. It’s not just going to be the women who can change things; we’re seeing a lot of men in the industry acknowledging some of the concerns and really trying to make significant changes. I was excited at Black Hat and DEF CON this year. We hosted our Women, Wisdom and Wine event, which is something we do globally, just to bring women and non-binary individuals together to have more access to that social network that I think is so important. Our first one had six people in a bedroom where we forgot to buy wine. This year we had over 300 attend, and I was really excited. But I also noticed that from a conversation standpoint people were excited about DEF CON. They were talking about the talks, their work, their jobs. We had a number of students who were there for the first time and eager to do more. In the past, it would take us kind of the first hour or so just hearing all the horror stories from, you know, being at the conference. It was really nice to see so much energy and so much positive vibe around security in general at the event.
CS: You and your team have been active in the conversation for a long time around topics like grid security and smart cities. What’s your perspective now on the state of grid security in America?
JS: We did our first body of research in the smart meter world back in 2008. We spoke at Black Hat in 2009 on the topic. We have really been trying to drive that conversation for years. We see something start to be connected online and get a little nervous, knowing that security probably didn’t have a voice at the table, and about some of the implications of what a potential hack could be. Over the years, we’ve certainly seen the industry as a whole embrace security. Nothing can change overnight, but we’re seeing a lot of positive traction just in how much vendors, government, utilities, etc. are starting to talk about security and consider it important.