Censys: The World of Attack Surface Management
The Capital One hack that came to light earlier this year has proven just how vulnerable even large financial institutions are. It’s not the first time a bank or a large corporation has been hacked. What is different, however, is how the hacker was caught.
Paige Thompson, the hacker responsible for stealing the information of more than 100 million people, was caught thanks to an anonymous tip to a cyber tip line. It’s considered a victory for cyber tip lines in general.
It’s also believed that it’s going to give a huge boost to crowdsourcing cybersecurity. Capital One is one of a growing number of companies that encourage the white hat hacker community to test their system for vulnerabilities.
There are currently not a lot of companies that engage in these kinds of programs. Conventionally, you’d hire a security expert to test your system. Companies don’t want just anyone rummaging around in their software for weaknesses, after all.
It’s a good system, but it’s also very limiting. Sure, the experts will use a range of different attack vectors, but each company typically has its own preferred tactics. You’ll get the opinion of two or three people here.
It’s helpful, but how effective is it really? If you were able to crowdsource the function instead, you’d get the input of hundreds of experts. Each of them would use a different approach or creative solution.
Considering that your company is going to be attacked from various angles, and by many different hackers, crowdsourcing this function provides a more accurate representation of what might happen in reality.
As a result, more companies are turning towards a more crowd-based approach. Companies are incentivising the ethical hacker community to look for bugs and weaknesses in their systems. It makes a lot of sense – who would you rather have trying to hack your system? Someone who will alert you to the bugs, or someone who will exploit them?
The Rise of Bug Bounties
Some companies offer rewards of up to around $20,000 for those who do find bugs. Other companies, like Capital One, offer recognition instead. They’ll thank the ethical hacker, possibly on a special page on their site.
For some, the recognition and the idea that they’re actively helping to make the internet a safer place is enough. Generally speaking, though, as the idea starts gaining more momentum, we’d expect to see more tangible rewards coming to the fore.
So, It’s Open Season on These Companies’ Systems?
Not exactly. It wouldn’t make sense for a company to leave the field here wide open. How would you then prosecute malicious breaches? A hacker could beat the system and claim that they were just looking for bugs.
So, that’s not quite how things work just yet. For the moment, these ethical hacking attempts are mostly conducted under invitation from the company concerned. The companies then give the ethical hacker the assurance that they won’t be prosecuted for the attempt.
Still, it does open up a new world of possibilities. Hacker collectives wanting to make an “honest” living could approach companies with the offer of testing their systems, running phishing tests, or even conducting security awareness training.
Cybercrime is a modern plague that costs us billions of dollars a year. If you can create flawless code to secure your system, you’re sitting pretty. Unfortunately, as we all know, flawless coding is extremely difficult.
Your developer might well have put a lot of effort into writing the perfect code. But there are many creative malicious hackers out there. They might see different options for exploiting the code. Therefore, it’s safer to assume that your system has bugs in it. And, who better to find those bugs than an ethical hacker collective?