Russell Coleman, Co-ordinated Disclosure Advisor at HackerOne, explains how ethical hacking can help organisations improve their cybersecurity.
You may have an image in your head of what a hacker is. Pop culture and some fearmongering security vendor marketing still depict them as hooded social outcasts, maybe driven by greed or a need to make trouble but definitely as someone who is out to do bad. Such stereotypical cybercriminals do exist (although in much smaller numbers than you might imagine), but there is a far greater army of ethical hackers who use their skills for good.
The image of hackers is changing, although even now there are still some organisations that are reluctant to invite strangers in to hack their systems and help get things fixed. However, it’s important to remember that cybercriminals are not waiting for your invitation; they are already constantly trying to break in. This reinforces the need for good cybersecurity hygiene that, above all else, needs to constantly evolve in order to secure the business. So, what innovation can ethical hacking bring?
We believe that hackers represent a global force for good, coming together to help address the growing security needs of our increasingly interconnected society. While their reasons for hacking may vary, this gives businesses an opportunity to leverage some of the smartest technical minds in the world, making IT systems a lot safer than before.
The original definition of a hacker (first uttered at MIT in the 1960s) is: one who enjoys the intellectual challenge of creatively overcoming limitations. Hackers love to break things. They play around on networks, websites and apps to explore the intricacies of a tool or IT system, with the objective of rooting out the bugs. For ethical hackers, it is about so much more than just money; many have a desire to make the Internet a safer place and, according to the latest research, they are also finding exciting career opportunities through bug bounty platforms, with 78% of hackers using this experience to help them find a career.
However, the hackers aren’t the only ones who can benefit from their own creativity and skill. By leveraging this diverse, ethical hacking community, organisations can have more well-trained eyes scanning their systems and seeking out any security vulnerabilities. Basic nuts and bolts such as knowing your attack surface, performing vulnerability assessments and building vulnerability management processes are good first steps. But ethical hacking can improve the overall security posture by finding issues missed by other testing methods. It also enables innovation and provides peace of mind. With constant system monitoring, businesses can embark on new IT projects, try new tools and support different working methods, all the while knowing that the community has their back. Our digital lives are constantly evolving and, with a hacker-powered platform, security can meet this pace of development.
According to HackerOne’s customer base, in 77% of cases hackers find the first valid vulnerability in a piece of software within 24 hours of program launch. They have the experience, skills and knowledge to seek these vulnerabilities out. Hackers often think in different and creative ways compared to in-house security teams, helping to reinforce and complement current security testing methodologies. Hacker-powered pen tests, vulnerability disclosure policies and bug bounty programmes are all starting to become essential components of proper cyber hygiene. Guidance on vulnerability disclosure has been published by numerous organisations, including the United States Department of Homeland Security, the Dutch Government, the Singapore Government, the UK’s NCSC and the European Union Agency for Cybersecurity.
In addition to the added security and data protection abilities that hacker-powered security brings, it can also help to streamline some of the practices businesses have in place and free up time and resources. A recent survey which looked into the major challenges facing CISOs found that 34% of respondents cited a lack of skill sets and resources as holding organisations back when it comes to offensive security. In addition, 64% reported that their businesses were spending too much time fixing security issues in code. While both of these are major obstacles holding businesses back, they can be overcome by leveraging the skill set of the hacking community.
While ethical hackers get a thrill from breaking into IT systems, CISOs with a desire to be constantly vigilant as their teams develop new products can use the insights collected to tighten up their IT systems and boost security protocols. Any organisation that incorporates hacker-powered security now will be in a far better position to overcome malicious attacks. Responsiveness matters, and accepting third-party reports on vulnerabilities not only helps to enable CISOs in their job role but also shows a commitment to security.