With cybersecurity attacks on the rise, companies must explore new ways to stay one step ahead of threat actors. IDG Research Services found that 78% of IT leaders are not confident in their companies’ security postures, which led 91% of organizations to increase cybersecurity funding for 2021. As part of this increased focus, many companies are turning to ethical hacker groups to help prevent future attacks. In addition, more open-source developer tools are now on the market. This has made it easier for companies to work with ethical hackers, especially through bug bounty programs.

Recently, ethical hacker Alex Birsan targeted open-source developer tools. He broke into more than 35 different companies, including Microsoft, Apple, Netflix and Uber. In addition to earning $130,000 for his efforts, Birsan also uncovered dependency confusion, a new way attackers are launching supply chain attacks. Birsan shared a detailed account of his process and results in a Medium post.

What Are the Goals of Ethical Hacking?

Ethical hackers such as Birsan often refer to themselves as white hat hackers or offensive security testers and researchers. They use the same methods and tools cyber criminals use to find and exploit gaps. While threat actors make money through theft, extortion and ransoms, clients pay ethical hackers to help defend against those attacks. The biggest difference is that ethical hackers attempt to breach and access systems with permission and with the intent to help. Attackers, by contrast, have no permission and act with malicious intent.

Ethical hackers benefit the clients that hire them because they approach the project with the same mindset as an attacker: they work out how to gain access and cause harm. Their purpose, however, is to find vulnerabilities in apps, infrastructure and open-source code before attackers do, so the organization can fix the issues before an actual attack or breach occurs. Even after paying the ethical hacker, this can save a great deal of money, time and reputational damage.

Two Ways to Hire an Ethical Hacker

Companies often work with ethical hackers in two different ways.

First, they might hire an individual hacker or an ethical hacking company, typically for a specific purpose. For example, the company may ask the hacker to conduct a penetration test or attempt to break into a specific system. Recall the increase in supply chain attacks stemming from open-source vulnerabilities mentioned above: many companies are now asking ethical hackers like Birsan to look specifically for vulnerabilities in their software delivery systems.

It’s important to remember that when an ethical hacker is successful, they now have access to your data and infrastructure. Because you have to fully trust them with your systems, it’s essential to hire a trustworthy ethical hacker and to clearly define the boundaries for the project. It really is a Catch-22. If you don’t invite a white hat hacker into your most sensitive systems, you may be unaware of vulnerabilities attackers can exploit. While the cost of hiring an ethical hacker may seem high, it’s significantly less than the cost of recovering from an attack.

The Benefits of Bug Bounties

The other option is to set up a bug bounty program. The organization announces the program on a platform used by ethical hackers, defines its parameters and then pays the hackers for reporting vulnerabilities found in its systems. Each program is a bit different: some are open ended, while others run for specific dates. Many bug bounty programs specify which systems may be targeted and how far the hackers can go once they gain access.

While you have significantly less control with a bug bounty program, you get a wider range of skill sets attempting to uncover vulnerabilities. With a single ethical hacker, you are dependent on that hacker’s expertise and tools. Additionally, bug bounty programs can be cheaper than hiring an individual ethical hacker because you pay only for specific results, while consultants typically charge by the hour with bonuses for success.

Taking a Second Look

With increased reliance on the cloud, driven by the pandemic’s shifts in daily habits and by many companies still working full-time from home, the stakes of cybersecurity have risen. Even the best security professionals are limited in their ability to find vulnerabilities in a system they helped design and protect. By getting a second (or hundredth) set of eyes and minds to examine your systems, you are more likely to prevent breaches proactively.
