With cybersecurity attacks on the rise, companies must explore new ways to stay one step ahead of threat actors. IDG Research Services found that 78% of IT leaders are not confident in their companies’ security postures, which lead 91% of organizations to increase cybersecurity funding for 2021. As part of this increased focus, many companies are turning to ethical hacker groups to help prevent future attacks. In addition, more open-source developer tools are now on the market. This has made it easier for companies to work with ethical hackers, more so with bug bounty programs.

Recently, ethical hacker Alex Birsan targeted open-source developer tools. He broke into more than 35 different companies, including Microsoft, Apple, Netflix and Uber. In addition to earning $130,000 for his efforts, Birsan also uncovered dependency confusion, a new way attackers are launching supply chain attacks. Birsan shared a detailed account of his processes and outcomes in a Medium post.

What Are the Goals of Ethical Hacking? 

Ethical hackers such as Birsan often refer to themselves as white hat hackers or offensive security testers and researchers. They use the same methods and tools cyber criminals use to try to find and exploit gaps. While threat actors make money through theft, extortion and ransoms, clients pay ethical hackers to help defend against those attacks. The biggest difference is that ethical hackers attempt to breach and access systems with permission. Their intent is to be helpful. Meanwhile, attackers have no permission and have malicious intent.

Ethical hackers benefit the clients that hire them because they approach the project with the same mindset as an attacker. They aim to find out how to gain access and cause harm. However, their purpose is to find vulnerabilities in apps, infrastructure and open-source coding before attackers can. Organizations can then fix the issues before an actual attack or breach occurs. This can save a lot of money in time and reputation damage even after paying the ethical hacker.

Two Ways to Hire an Ethical Hacker

Companies often work with ethical hackers in two different ways.

First, they might hire an individual hacker or an ethical hacking company, typically for a specific purpose. For example, the company may request the hacker conduct a penetration test or attempt to break into a specific system. Remember the increase in supply chain attacks from open-source vulnerabilities we mentioned above. Many companies are asking ethical hackers like Birsan to specifically look for vulnerabilities in their software delivery systems.

It’s important to remember that when an ethical hacker is successful, they now have access to your data and infrastructure. Because you have to fully trust them with your systems, it’s essential to hire a trustworthy ethical hacker and to clearly define the boundaries for the project. It really is a Catch-22. If you don’t invite a white hat hacker into your most sensitive systems, you may be unaware of vulnerabilities attackers can exploit. While the cost of hiring an ethical hacker may seem high, it’s significantly less than the cost of recovering from an attack.

The Benefits of Bug Bounties

The other option is to set up a bug bounty program. Organizations can post on specific platforms for ethical hackers and announce a bug bounty program, which means the company sets up the parameters of the program and then pays the hackers for reporting vulnerabilities found in their systems. Each program is a bit different, with some being open ended while others have specific dates. Many bug bounty programs specify which systems to attempt to enter and how far the hackers can go once they gain access.

While you have significantly less control with a bug bounty program, you get a wider range of skill sets attempting to uncover vulnerabilities. With a single ethical hacker, you are dependent on that hacker’s expertise and tools. Additionally, bug bounty programs can be cheaper than ethical hackers because you pay for specific results, while consultants typically charge by the hour with bonuses for success.

Taking a Second Look

With increased reliance on the cloud due to the shifts in our daily habits from the pandemic and many companies still working full-time from home, the stakes of cybersecurity have increased. Even the best security professionals are limited in their ability to find vulnerabilities in a system they helped design and protect. By getting a second (or hundredth) set of eyes and minds to examine your systems, you are more likely to proactively prevent breaches from occurring.

More from Risk Management

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

How I got started: Ransomware negotiator

4 min read - Specialized roles in cybersecurity are proliferating, which isn’t surprising given the evolving threat landscape and the devastating impact of ransomware on many businesses.Among these roles, ransomware negotiators are becoming more and more crucial. These negotiators operate on the front lines of cyber defense, engaging directly with cyber criminals to mitigate the impact of ransomware attacks on organizations.Ransomware negotiators possess a unique blend of technical expertise, psychological insight and negotiation skills that allow them to navigate the high-stakes environment of ransomware…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today