Over the last year, ethical hackers have prevented more than US$27 billion in cybercrime, according to a report released Tuesday by a leading bug bounty platform.
In its annual Inside the Mind of a Hacker report, Bugcrowd maintained that ethical hackers working on its platform were able to prevent those cybercrime losses to organizations by exposing vulnerabilities that would otherwise have gone undetected.
The report is based on a survey of the platform’s users and security research conducted from May 2020 to August 2021, in addition to millions of proprietary data points collected on vulnerabilities from nearly 3,000 security programs.
“Hacking has long been maligned by stereotypical depictions of criminals in hoods, when in fact ethical hackers are highly trusted, and industrious experts who empower organizations to release secure products to market faster,” Bugcrowd President and CEO Ashish Gupta said in a news release.
The report noted that nearly three of four ethical hackers (74 percent) agreed that vulnerabilities have increased since the start of the Covid-19 pandemic.
“Due to the rapid change almost everyone underwent due to the pandemic, many vulnerabilities and weaknesses were introduced,” observed John Bambenek, a principal threat hunter at Netenrich, a San Jose, Calif.-based IT and digital security operations company.
“You can do things fast or do things secure and out of necessity we did things fast,” he told TechNewsWorld.
Shifting Vulnerability Landscape
There’s little question that the vulnerability landscape has shifted since the start of the pandemic, added Jake Williams, co-founder and CTO of BreachQuest, an incident response company in Dallas.
“As the majority of knowledge workers moved from on-premises to remote work, network architecture fundamentally shifted,” he explained to TechNewsWorld.
“We view security as the intersection of confidentiality, integrity, and availability,” he continued. “The shift to remote work happened so quickly that most organizations only worked on availability without worrying about the other aspects of security.”
“Vulnerabilities caused by the rapid transition to remote work will certainly continue to be discovered,” Williams insisted.
The pandemic has also increased the demand for new talent at cybersecurity companies. Of the many certifications out there that can be obtained by cyber-newbies, Certified Ethical Hacker is considered the most important by Abhijit Ghosh, CTO and cofounder of Confluera, a cyberthreat tracking platform maker in Palo Alto, Calif.
“In addition to showcasing their understanding of hacking tools and techniques, the experience with hack-a-thons and catch-the-flag competitions is not unlike the real-world scenario in which cybersecurity professionals must respond in real-time to an attack-in-progress,” he told TechNewsWorld.
“I also associate this certification with the individual’s passion for this industry,” he added, “something that you’ll need a lot of when cyberattacks hit at the most inopportune time, like the weekends and holidays.”
Continuous Monitoring Needed
The Bugcrowd report also noted that more than nine in 10 of the ethical hackers surveyed (91 percent) acknowledged that point-in-time testing — which is what they do — can’t secure an organization year-round.
“That’s a reflection of what software delivery professionals have known for years and years — shorter, more agile cycles improve quality,” said Tim Wade, technical director for the CTO team at Vectra AI, a San Jose, Calif.-based provider of automated threat management solutions.
“Rapid, smaller scope engagements with an opportunity to incrementally measure capabilities over time is almost certainly going to move the needle for organizations,” he told TechNewsWorld.
Bug bounties have their merit in the cybersecurity field but still fall into the category of focusing efforts on post-deployment and being reactive, added Archie Agarwal, founder and CEO of ThreatModeler, an automated threat modeling provider in Jersey City, N.J.
“I would rather legitimate security researchers always find vulnerabilities before the criminals. However, the industry focus must shift towards proactive, continuous security in the design and build phase,” he told TechNewsWorld.
“Only by leveraging automated threat modeling that weaves seamlessly throughout the software development life cycle will we start to truly tackle the scale of vulnerabilities being found,” he said.
The report also contains information on the lifestyle, expertise and motivations of the ethical hackers on the Bugcrowd platform, along with several “up close” profiles of individual hackers.
“I’m always inspired by the ingenuity and entrepreneurial mindset of those drawn to ethical hacking,” observed Bugcrowd Founder and CTO Casey Ellis.
“Our latest report shows that 79 percent of ethical hackers taught themselves how to hack using online resources,” he told TechNewsWorld.
“The report also found that this is the youngest, and most ethnically diverse, generation of ethical hackers in history,” he added. “The impact this cohort has on thwarting cyberattacks and advancing the industry is monumental, and this is sure to continue.”
Craig Young, a principal security researcher at Tripwire, a cybersecurity threat detection and prevention company in Portland, Ore., explained that organizations leverage bug bounty programs as a form of crowdsourced security testing.
“No security team, no matter how mature, is able to catch 100 percent of the issues 100 percent of the time,” he told TechNewsWorld, “but bug bounty programs help reduce the risk that a missed issue will be leveraged for intrusion.”
‘Many Eyes’ Advantage
“Having many eyes, especially with the necessary talent and training, is one of the best things you can do to find and eradicate bugs,” added Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla.
“No matter how great your internal bug-finding team is, an external team will always find bugs the internal team did not,” he told TechNewsWorld. “Bug bounty programs invite many external people and teams to look for bugs in your software — before the malicious hackers do.”
Despite the benefits ethical hackers can bring to an organization, pockets of distrust remain.
“Most industries are not comfortable with bug bounties and ethical hackers because they do not understand the tremendous benefits,” Grimes said. “They think inviting hackers to hack their software will lead to more maliciousness overall when the real outcome is exactly the opposite.”
Nevertheless, he noted things have gotten better over the years. “A decade ago, most organizations would never have allowed bug bounty programs,” he observed. “Now, you have a slew of competing bug bounty consortiums and people earning money by finding bugs before the malicious hackers do.”