With cybersecurity attacks on the rise, companies must explore new ways to stay one step ahead of threat actors. IDG Research Services found that 78% of IT leaders are not confident in their companies’ security postures, which led 91% of organizations to increase cybersecurity funding for 2021. As part of this increased focus, many companies are turning to ethical hacker groups to help prevent future attacks. In addition, more open-source developer tools are now on the market. This has made it easier for companies to work with ethical hackers, especially through bug bounty programs.
Recently, ethical hacker Alex Birsan targeted open-source developer tools. He broke into more than 35 different companies, including Microsoft, Apple, Netflix and Uber. In addition to earning $130,000 for his efforts, Birsan also uncovered dependency confusion, a new way attackers are launching supply chain attacks. Birsan shared a detailed account of his processes and outcomes in a Medium post.
What Are the Goals of Ethical Hacking?
Ethical hackers such as Birsan often refer to themselves as white hat hackers or offensive security testers and researchers. They use the same methods and tools cyber criminals use to try to find and exploit gaps. While threat actors make money through theft, extortion and ransoms, clients pay ethical hackers to help defend against those attacks. The biggest difference is that ethical hackers attempt to breach and access systems with permission. Their intent is to be helpful. Meanwhile, attackers have no permission and have malicious intent.
Ethical hackers benefit the clients that hire them because they approach the project with the same mindset as an attacker. They aim to find out how to gain access and cause harm. However, their purpose is to find vulnerabilities in apps, infrastructure and open-source code before attackers can. Organizations can then fix the issues before an actual attack or breach occurs. This can save a lot of money in lost time and reputational damage, even after paying the ethical hacker.
Two Ways to Hire an Ethical Hacker
Companies often work with ethical hackers in two different ways.
First, they might hire an individual hacker or an ethical hacking company, typically for a specific purpose. For example, the company may request that the hacker conduct a penetration test or attempt to break into a specific system. Remember the increase in supply chain attacks from open-source vulnerabilities we mentioned above? Many companies are asking ethical hackers like Birsan to look specifically for vulnerabilities in their software delivery systems.
It’s important to remember that when an ethical hacker is successful, they now have access to your data and infrastructure. Because you have to fully trust them with your systems, it’s essential to hire a trustworthy ethical hacker and to clearly define the boundaries for the project. It really is a Catch-22. If you don’t invite a white hat hacker into your most sensitive systems, you may be unaware of vulnerabilities attackers can exploit. While the cost of hiring an ethical hacker may seem high, it’s significantly less than the cost of recovering from an attack.
The Benefits of Bug Bounties
The other option is to set up a bug bounty program. Organizations can announce a bug bounty program on platforms dedicated to ethical hackers. The company sets the parameters of the program and then pays hackers for reporting vulnerabilities found in its systems. Each program is a bit different, with some being open-ended while others have specific dates. Many bug bounty programs specify which systems to attempt to enter and how far the hackers can go once they gain access.
While you have significantly less control with a bug bounty program, you get a wider range of skill sets attempting to uncover vulnerabilities. With a single ethical hacker, you are dependent on that hacker’s expertise and tools. Additionally, bug bounty programs can be cheaper than hiring ethical hackers because you pay for specific results, while consultants typically charge by the hour with bonuses for success.
Taking a Second Look
With reliance on the cloud growing as the pandemic shifted our daily habits, and with many companies still working from home full-time, the stakes of cybersecurity have increased. Even the best security professionals are limited in their ability to find vulnerabilities in a system they helped design and protect. By getting a second (or hundredth) set of eyes and minds to examine your systems, you are more likely to proactively prevent breaches from occurring.