The growing importance of ethical hacking in protecting organizations against the current threat landscape was discussed by a panel speaking during a HackerOne webinar entitled ‘Hacker Powered Security Predictions for 2021 EMEA.’
Moderator Mårten Mickos, CEO of HackerOne, firstly emphasized how the shift to digital, including remote working, had “opened up a lot of new attack surfaces and exposures to various forms of criminality.” In addition, the SolarWinds attack at the end of last year demonstrated just how interconnected everything is, with one security breach impacting numerous organizations throughout the world. Mickos added that this showed “we are not really cyber-secure until everything is cyber-secure.”
Julien Ahrens, a full-time ethical hacker, believes that in this environment, organizations must first embrace transparency, clearly communicating when an attack has taken place or when a vulnerability has been discovered. He said: “If I’m going to report a security vulnerability in a system, then I would expect the company to be transparent about how they tackled the issue and when they plan to release a fix.” Ahrens added that this approach can help ethical hackers like him to find further security issues.
Teemu Ylhaisi, CISO at OP Financial Group, concurred, saying this kind of external transparency is “vital” in the financial industry. “This is an area where financial institutions do not need to compete – we’re not competing against each other – we have a common enemy, the criminals, and we’re working together to fight them.”
In regard to the use of bug bounty programs to find vulnerabilities, both Ylhaisi and Ahrens acknowledged that many industries have some reluctance, but Ahrens noted that “as soon as you explain the principle and the details to stakeholders, they tend to agree.”
Mickos commented: “The best way to develop resistance to COVID-19 is to take the vaccine, and similarly, ethical hacking is the immune system of the internet – it’s better to take the ethical hackers and the reports that they give you than to allow a breach to happen.”
As well as bug bounty programs, Mickos highlighted the growth of vulnerability disclosure programs (VDPs), particularly favored by governmental organizations in the US. Here, “the organization will say anybody’s welcome to report vulnerabilities to us but we don’t promise to pay you anything.” Mickos added that “it’s a way of having an official channel for anybody who finds a flaw to report it.”
In the view of Ahrens, these can be useful for companies in learning about their security weaknesses, but generally won’t be as effective as paid bug bounty initiatives, “where you usually get the attention of hackers that are on more of a professional level.”
Looking ahead to the coming year, Ylhaisi outlined that “visibility, detection capabilities and the reaction to incidents is key” for organizations to protect themselves.
Early detection is critical, as the panellists acknowledged that it is virtually impossible for organizations to block every potential pathway into a system. The best way of achieving this, according to Ylhaisi, is improving the security awareness of staff, as the targeting of employees through tactics such as phishing is by far the most common cause of system breaches. He noted that staff at his company now report 35,000 email threats monthly. “This has helped us a lot to react at the very early phases,” he stated.
Summing up, Mickos compared the situation to being a soccer goalkeeper, stating “you cannot cover the whole goal but if you are very quick in your reactions and if you can predict where they [the cyber-criminal] will try, you can jump there to catch it.”