On December 1, I gave a lecture at the Moscow Institute of Physics and Technology (informally known as PhysTech). This is a very famous and prestigious university in Russia. In Soviet times, it trained personnel for Research Institutes and Experimental Design Bureaus, in particular for the Soviet nuclear program.
Nowadays MIPT closely cooperates with Russian and foreign companies and trains business people, software developers and great scientists. For example, the researchers who discovered graphene and won the Nobel Prize for this in 2010 were once MIPT graduates.
This is a very interesting place with a rich history. So it was a great honor for me to speak there.
It was also my first experience of giving a lecture.
Lecture and report at the conference, what’s the difference?
The lecture is much longer and more informative: ~90 minutes and 96 slides. The responsibility is also much higher. It depends a lot on the lecturer whether these young people in the auditorium (4th year students) will work in this area in the future or will decide that it’s boring and unpromising. And, formally speaking, the lecture was part of the “Information Security” course and they will have to pass an exam on this topic.
The lecture was unofficially titled “Vulnerabilities, money and people”.
What are vulnerabilities and why does anyone care about them?
I started with different descriptions of vulnerabilities and then simplified: technically, a vulnerability is just a software bug that gives an attacker some undocumented capabilities.
Then I tried to show the value of vulnerabilities for organizations. The easiest way to do this is to examine well-known security incidents. They occur constantly, and there are plenty to choose from.
The unpatched vulnerability in Apache Struts was exploited in Equifax’s web portal only 3 days after disclosure, which resulted in huge losses for the company: $243M as of June 2018. Vulnerabilities can harm national security; Stuxnet is a great example. Last year’s cryptolocker epidemics (see “WannaCry about Vulnerability Management”, “Vulnerability Management vendors and massive Malware attacks (following the Bad Rabbit)”, “Petya, M.E.Doc and the problem of trust”) continue to be relevant even now, as the latest incident with Moscow’s cable car system has shown. Attacks are committed not by some individuals, but by well-organized criminal groups: Cobalt, Lazarus, Silence, MoneyTaker, etc. For example, Lazarus was able to steal $81M from Bangladesh Bank.
I also mentioned the 2018 Cost of a Data Breach Study by IBM Security and Ponemon Institute: the average total cost of a data breach is $3.86 million, and there were tens of thousands of such breaches in different countries and regions.
All this had to show that vulnerabilities cause real damage to organizations, and therefore it makes sense for them to hire security experts to minimize risks.
What can you do in this area and how can you make money on it?
IMHO, it’s very important to show students from the very beginning what they can get if they invest some effort in studying.
I created a map of active vulnerability-related vacancies opened worldwide in the last week. I searched for them using the requests “Vulnerability Management” and “Vulnerability Analyst”. For example, for the “Vulnerability Management” request there were more than 1300 vacancies. 900 of them were in the USA (mostly the West Coast). Next come the United Kingdom, Germany and India.
Vulnerability Management will not be the main specialization for all of these jobs; it can be one of many required skills. Not all employers are ready to relocate specialists and deal with the difficulties of obtaining work permits for them. But in any case, a talented specialist has a lot of opportunities for self-realization in organizations, security vendors and security service providers. It’s even possible to earn money as a freelancer in various bug bounty programs.
Practical part
To show how new vulnerabilities can be found and exploited, I reviewed several types of vulnerabilities:
Cross-site Scripting (XSS)
Remote Command/Code Execution (RCE)
SQL Injection
Stored XSS
Buffer Overflow
Nothing complicated, just basic examples that will be in the exam questions. Before the lecture I published them in a post, “Making Vulnerable Web-Applications”. Of course, this is only the beginning and it’s necessary to train more: on DVWA and similar projects, and by participating in CTFs and real-life bug bounty programs. What you don’t need to do is hack random websites. ;) Always remember the Criminal Code and ask yourself whether it is worth it.
And then I spoke about my main specialization:
Databases of “known” vulnerabilities
Vulnerability Description and Prioritization issues
Vulnerability Scanners and their limitations
Asset Management for Perimeter and Internal Infrastructure
The realities of the Vulnerability Management and Patch Management process in the organization, including the psychological aspects
I hope that I showed that managing “known” vulnerabilities in an organization is also pretty fun.
In conclusion
I would like once again to thank the administration of MIPT and personally Alexander Kolybelnikov for such a great opportunity. And wish the students all the best.