
Bug Bounties, the Uber Breach, and Ransom Demands, with Katie Moussouris
06/05/23 • 33 min
In this episode we’re excited to host Katie Moussouris, the founder and CEO of Luta Security, a company that helps organizations implement and manage bug bounty programs. Prior to starting Luta Security, Katie worked with companies including ATstake, Symantec, and HackerOne. She’s a hacker, an advocate for gender and economic equality, a cybersecurity fellow at New America and the National Security Institute, and an advisor to the US government.
With extensive experience in bug bounty programs, our guest shares her perspective on common mistakes in bug bounty and vulnerability disclosure programs:
“You want to be able to hire and recruit people who will be able to prevent and also spot and fix those bugs while the software is being developed. If you weigh too heavily on the reward side of things and reward only the bugs that remain, after all of those secure development processes, you've actually set yourself up for a perverse incentive and you're going to gut your own hiring practices”.
The discussion goes on to explore solutions to combat ransomware and what organizations should do in case of an attack: “I don't think putting that much of a burden on the victims is really going to result in what you want, which is to shine more of a light on who needs help and who needs to warn their users that there was a material breach like that. So I would say it's about requiring notification upon payment of ransomware that we should focus, at least on the victim’s side”.
All this and much more is discussed in this episode of The Cyber Insider podcast by Emsisoft, the award-winning cybersecurity company delivering top-notch security solutions for over 20 years.
Be sure to tune in and subscribe to The Cyber Insider to get your monthly inside scoop on cybersecurity.
Hosts:
Luke Connolly – partner manager at Emsisoft
Brett Callow – threat analyst at Emsisoft
Intro/outro music: “Intro funk” by Lowtone.
Previous Episode

Crisis Communications and Incident Response in Cybersecurity, with Meredith Griffanti
Our guest in this month’s episode of the Cyber Insider is Meredith Griffanti, the Global Head of Cybersecurity & Data Privacy Communications at FTI Consulting. Ms. Griffanti has worked on some of the most high-profile and highly sensitive data breaches around the world and has successfully navigated responses to incidents such as business email compromise, phishing and spear phishing, DDoS, credential stuffing, nation-state, critical infrastructure and major, double-extortion ransomware attacks.
Ms. Griffanti shares her experience in navigating crisis communications, refining incident response plans and the lessons learned from some of the most high-profile breach incidents known. Our guest advises companies to think about what their worst enemy could do to them and to practice their plans more than once a year:
"So when we were thinking about responding to hundreds of media inquiries, there was no ultimate decision maker on things and eventually we got there. But those types of roles, responsibilities, escalation protocols and processes, those are the things you want to have down in your playbooks now, before an incident happens".
The conversation touches on the most common communications mistakes that companies make when facing a breach:
"We see companies prolong the news cycle by saying it was an outage and then moving to security incident, then moving to cyber attack, then ultimately ripping the band aid off and saying it was ransomware".
All this and much more is discussed in this episode of The Cyber Insider podcast by Emsisoft, the award-winning cybersecurity company delivering top-notch security solutions for over 20 years.
Be sure to tune in and subscribe to The Cyber Insider to get your monthly inside scoop on cybersecurity.
Hosts:
Luke Connolly – partner manager at Emsisoft
Brett Callow – threat analyst at Emsisoft
Intro/outro music: “Intro funk” by Lowtone.
Next Episode

Ransomware Gangs, MSP security, and Cyber Predictions, with Dmitry Smilyanets
In this episode we’re excited to host Dmitry Smilyanets, the Director of Product Management at threat intel company Recorded Future. Prior to that Dmitry was a Russia-based hacker who was indicted and extradited to the United States for his role in a cybercrime scheme – he was the manager of the largest hacking group ever prosecuted in the United States. Having been both a black hat and a white hat, he has fascinating perspectives which we uncover during this month’s release of the Cyber Insider.
When asked about his unique background, Dmitry had this to say: "I think that my background gives me a unique perspective on the world of cybercrime. I understand the motivations and tactics of hackers in a way that many cybersecurity experts do not. At the same time, I have seen the consequences of these actions firsthand and know how important it is to protect against them."
One of the most surprising things about the world of cybercrime is how organized and business-like it can be. Dmitry described some of the groups he encountered as having entire offices, complete with marketing teams, HR departments, and money laundering operations. This level of organization makes it all the more difficult to track and prosecute cybercriminals.
When it comes to cybercrime, the role of governments can be complex and varied. Some governments actively encourage hacking groups, while others turn a blind eye. Dmitry noted that in Russia, the government is unlikely to actively protect cybercriminals, but will prosecute them if they commit crimes within the country: "Russia will not prosecute you if you hit America, but if you accidentally use Russian infrastructure or stole some credit cards from Russians or even used stolen credit cards in Russia, they'll have enough to prosecute you, put you for two, three years in pretrial detention."
All this and much more is discussed in this episode of The Cyber Insider podcast by Emsisoft, the award-winning cybersecurity company delivering top-notch security solutions for over 20 years.
Be sure to tune in and subscribe to The Cyber Insider to get your monthly inside scoop on cybersecurity.
Hosts:
Luke Connolly – partner manager at Emsisoft
Brett Callow – threat analyst at Emsisoft
Intro/outro music: “Intro funk” by Lowtone.
The Cyber Insider - Bug Bounties, the Uber Breach, and Ransom Demands, with Katie Moussouris
Transcript
[0:00:08] Luke Connolly: Welcome to the Cyber Insider Emsisoft's podcast all about cybersecurity. Your hosts today are Brett Callow, Threat Analyst here at Emsisoft, and I'm Luke Connolly, partner manager, and we're very excited to have Katie Moussouris with us today. In case anyone isn't familiar with Katie, she's the founder and CEO of Luta Security, a company that helps organizations implement and manage bug bounty programs. Prior to starting Luta Security, she worked at co