Becoming the victim of a malicious attack is not a question of “if” but “when”. The UK had the highest number of cybercrime victims per million internet users, at 4,783 in 2022, up 40% on the 2020 figure. According to the Minister for Security, there were also around 690,000 incidents of computer misuse in England and Wales in the year to September 2022, the vast majority of them involving unauthorised access to personal information. High-profile ransomware attacks on The Guardian and Royal Mail show how this increasingly popular form of cybercrime is growing.
These problems will not go away until the scales are tilted so that building secure digital products, systems and organisations pays better than building insecure ones. In the meantime there are other ways to tilt the scales in our favour, not least the use of ethical hackers.
Criminals in the driving seat
For too long, cybercriminals have held the advantage over consumers and businesses. Badly written code, outdated legacy applications, unpatched software and long-forgotten infrastructure left running after a project has ended are everyday examples of where vulnerabilities can be exploited.
Nor are the problems affecting software quality solely attributable to past coding mistakes. According to the Open Source Security and Risk Analysis (OSSRA) report from Synopsys, open-source components are now pervasive across the software landscape, and a striking 84% of the commercial and proprietary code bases examined contained at least one known open-source vulnerability.
Companies have clearly started building stronger security processes into the software development lifecycle. However, it is often the same people who built a system who are tasked with testing it for vulnerabilities, so their own blind spots carry over into the testing. Security testing is also frequently siloed: a web application may be checked while the API behind it is ignored. Such a reductionist approach to cybersecurity can miss the bigger picture.
Introducing ethical hackers
What these organisations really need is a pair of fresh eyes from outside the business, able to identify issues without preconceptions. That is where ethical hackers come into play. Companies can engage a team of external investigators to probe for vulnerabilities and expose weaknesses that automated scanning and internal teams might miss.
Like the cybercriminals they emulate, ethical hackers discover vulnerabilities using the same tools and the same catalogues of known weaknesses, such as the Common Vulnerabilities and Exposures (CVE) list. And like cybercriminals, they look into the dark corners and recesses of an organisation, searching for the back doors and open windows of its digital perimeter. Consider this: one-third of organisations admit to monitoring less than 75% of their attack surface, while 20% believe that more than half of their attack surface remains uncharted or unobservable.
It is easy to see, then, why cybercriminals, with plentiful and often cheap labour and a wide array of techniques, go after these unmonitored assets and consistently find exploitable weaknesses in them. The first step towards keeping up, without overburdening internal security resources, is to establish a Vulnerability Disclosure Program (VDP).
The value of VDP
A VDP gives outside security researchers an authorised, well-defined channel for continuously assessing an organisation's internet-connected applications and infrastructure and reporting the weaknesses and anomalies they find, and gives the organisation a process for triaging and fixing them. VDP platform providers have gathered large communities of hackers and researchers, each with their own skill set and experience, which can make an organisation's security far more robust. These hackers carry out ongoing assessments of internet-facing assets, including third-party software such as open-source libraries, which are a frequent source of exploitable flaws.
Even the most risk-averse organisations, including defence agencies in the UK, US and Singapore, have adopted VDPs. The US Department of Defense has had over 45,000 vulnerabilities reported through its programme since it began in 2016. This continuous feedback from hackers, including an assessment of the potential fallout from each vulnerability, extends the reach and knowledge of internal security teams. Delivering and maintaining this level of coverage in-house is beyond the means of most companies.
Every digital organisation should establish a VDP to take advantage of ethical hacking. To give those hackers legal certainty, however, the UK Home Office should also update the Computer Misuse Act to strengthen legal protections for good-faith security research and threat research.
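The article does not say how an organisation tells researchers where to send a report. The standard mechanism is a security.txt file (RFC 9116) served over HTTPS at /.well-known/security.txt, naming a contact and an expiry date. The following is an added example, not code from the article or from any of the programmes it mentions: a constructed sample file for a hypothetical example.com, a deliberately stale one, and a small Python check of the points that most often go wrong before a VDP goes live (no contact, a non-URI contact, a missing or expired Expires field).

```python
"""Check a security.txt file (RFC 9116) before advertising a VDP.

Added example; not code from the article or any programme it mentions.
The two files below are constructed samples: example.com runs no such
programme and the URLs are placeholders.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of what an organisation would serve at
# https://example.com/.well-known/security.txt to advertise its VDP.
SAMPLE_SECURITY_TXT = """\
# Vulnerability disclosure contact for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2026-12-31T23:59:00Z
Policy: https://example.com/vulnerability-disclosure-policy
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample with two common mistakes: a plain-http contact URL
# and an Expires date that has already passed.
STALE_SECURITY_TXT = """\
Contact: http://example.com/report-a-vulnerability
Expires: 2020-01-01T00:00:00Z
"""

REQUIRED_FIELDS = {"Contact", "Expires"}
# RFC 9116 requires Contact values to be URIs; these are the schemes it names.
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Return {field name: [values]} for the non-comment lines of text."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value'")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def parse_timestamp(value):
    """Parse an RFC 9116 timestamp (ISO 8601, trailing 'Z' allowed) into an aware datetime."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry a timezone")
    return ts


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is usable.

    `now` may be an aware datetime or an ISO 8601 string; it defaults to
    the current UTC time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_timestamp(now)

    problems = []
    fields = parse_security_txt(text)

    for name in sorted(REQUIRED_FIELDS - set(fields)):
        problems.append(f"missing required field {name}")

    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact {contact!r} is not a mailto:, https: or tel: URI")

    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    elif expires:
        try:
            exp = parse_timestamp(expires[0])
        except ValueError as err:
            problems.append(f"Expires {expires[0]!r} is invalid: {err}")
        else:
            if exp <= now:
                problems.append("security.txt has expired; researchers may not trust it")
            elif exp > now + timedelta(days=365):
                problems.append("Expires is more than a year away (RFC 9116 recommends less)")
    return problems


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_SECURITY_TXT), ("stale", STALE_SECURITY_TXT)):
        print(label, check_security_txt(body) or "OK")
```

Run it against the file you intend to publish before the VDP is announced; a report that cannot reach anyone, or a file that expired months ago, is a common reason a researcher gives up or goes public instead.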
Ethical hacking in the real world
In practice, ethical hacking can be tailored to requirements of many sizes and types. The UK's National Cyber Security Centre is leading the field with its vulnerability reporting programme, which covers not only its own website but any online government service. The UK's Ministry of Defence (MoD) is another government agency leading by example: it collaborates with the hacker community to supplement its own technical talent and bring more diverse perspectives to defending its assets.
Businesses with large asset inventories might also consider establishing a Vulnerability Rewards Program (VRP), more commonly known as a bug bounty, which pays researchers for identifying and reporting weaknesses. Companies can onboard hackers with specialist expertise matched to the assets in scope of the VRP. The promise of attractive rewards will draw the best security specialists from around the world.
At the same time, if enterprises offer substantial financial incentives for spotting and submitting weaknesses quickly and directly, vulnerabilities are fixed sooner, and the value to cybercriminals of stockpiling them for future ransomware attacks falls accordingly.
Looking to a secure future
Staying one step ahead of the cybercriminal community is an onerous and complicated task. Ethical hackers, however, can help tilt the balance in favour of businesses and away from the malicious actors who are constantly probing for weaknesses. By offering financial incentives and protecting ethical hackers from well-meaning but misguided prosecution, we can help ensure a brighter future for businesses and individuals alike.