With cybersecurity attacks on the rise, companies must explore new ways to stay one step ahead of threat actors. IDG Research Services found that 78% of IT leaders are not confident in their companies’ security postures, which led 91% of organizations to increase cybersecurity funding for 2021. As part of this increased focus, many companies are turning to ethical hacker groups to help prevent future attacks. In addition, more open-source developer tools are now on the market. This has made it easier for companies to work with ethical hackers, especially through bug bounty programs.

Recently, ethical hacker Alex Birsan targeted open-source developer tools. He broke into more than 35 different companies, including Microsoft, Apple, Netflix and Uber. In addition to earning $130,000 for his efforts, Birsan also uncovered dependency confusion, a new way attackers are launching supply chain attacks. Birsan shared a detailed account of his processes and outcomes in a Medium post.

What Are the Goals of Ethical Hacking?

Ethical hackers such as Birsan often refer to themselves as white hat hackers or offensive security testers and researchers. They use the same methods and tools cyber criminals use to try to find and exploit gaps. While threat actors make money through theft, extortion and ransoms, clients pay ethical hackers to help defend against those attacks. The biggest difference is that ethical hackers attempt to breach and access systems with permission. Their intent is to be helpful. Meanwhile, attackers have no permission and have malicious intent.

Ethical hackers benefit the clients that hire them because they approach the project with the same mindset as an attacker. They aim to find out how to gain access and cause harm. However, their purpose is to find vulnerabilities in apps, infrastructure and open-source code before attackers can. Organizations can then fix the issues before an actual attack or breach occurs. This can save a great deal of money, time and reputational damage, even after paying the ethical hacker.

Two Ways to Hire an Ethical Hacker

Companies often work with ethical hackers in two different ways.

First, they might hire an individual hacker or an ethical hacking company, typically for a specific purpose. For example, the company may ask the hacker to conduct a penetration test or attempt to break into a specific system. Recall the increase in supply chain attacks from open-source vulnerabilities mentioned above: many companies are now asking ethical hackers like Birsan to look specifically for vulnerabilities in their software delivery systems.

It’s important to remember that when an ethical hacker is successful, they now have access to your data and infrastructure. Because you have to fully trust them with your systems, it’s essential to hire a trustworthy ethical hacker and to clearly define the boundaries for the project. It really is a Catch-22. If you don’t invite a white hat hacker into your most sensitive systems, you may be unaware of vulnerabilities attackers can exploit. While the cost of hiring an ethical hacker may seem high, it’s significantly less than the cost of recovering from an attack.

The Benefits of Bug Bounties

The other option is to set up a bug bounty program. Organizations can announce a bug bounty program on dedicated platforms for ethical hackers, which means the company sets the parameters of the program and then pays the hackers for reporting vulnerabilities found in its systems. Each program is a bit different, with some being open-ended while others run for specific dates. Many bug bounty programs specify which systems to attempt to enter and how far the hackers can go once they gain access.

While you have significantly less control with a bug bounty program, you get a wider range of skill sets attempting to uncover vulnerabilities. With a single ethical hacker, you are dependent on that hacker’s expertise and tools. Additionally, bug bounty programs can be cheaper than ethical hackers because you pay for specific results, while consultants typically charge by the hour with bonuses for success.

Taking a Second Look

With increased reliance on the cloud due to the shifts in our daily habits from the pandemic and many companies still working full-time from home, the stakes of cybersecurity have increased. Even the best security professionals are limited in their ability to find vulnerabilities in a system they helped design and protect. By getting a second (or hundredth) set of eyes and minds to examine your systems, you are more likely to proactively prevent breaches from occurring.
