TechRepublic speaks to HackerOne about how ethical hackers are helping to shrink the broader attack surface of cyber criminals.
Modern cybersecurity approaches have evolved as cyberattacks proliferate and find new, sophisticated ways to breach organizations. However, despite the technological advances, the number of cyberattacks remains at an all-time high. According to Check Point Research, attacks increased by 50% in 2021. The recent Vectra Research Security Leaders Report says 83% of organizations surveyed do not believe traditional approaches can protect them against modern threats.
Cyberattacks are on the rise due to the expansion of the attack surface. Driven by the pandemic, digital acceleration expanded the digital footprint of every organization. From the massive global cloud migration to millions of remote and hybrid workers running devices beyond traditional IT architectures, the expanded attack surface presents cybercriminals with endless places to search for vulnerabilities. This means cybercriminals no longer need to compromise highly guarded digital resources; they only need to find the weakest point of entry to a system.
This diversification of the digital environment is perhaps the biggest challenge modern cybersecurity faces. As cybercrime industrializes, offering ransomware as a service (RaaS), selling plug-and-play kits that require no technical knowledge, and collaborating across groups, traditional automated cybersecurity solutions face an international army of attackers.
HackerOne, a security provider, has a unique approach to responding to modern attack trends. It has the world’s largest community of ethical hackers working to stay ahead of cybercriminals, going on the offense and searching for bugs and vulnerabilities before attackers do. Two years ago, Forbes reported that more than 700,000 ethical hackers were already part of the HackerOne bounty program.
TechRepublic spoke to HackerOne to understand how their disruptive approach works and how ethical hackers play a vital role in managing contemporary attack surfaces.
“HackerOne Assets puts hackers’ eyes on users’ assets, using the same recon skills they bring to bug bounty programs and pentest engagements,” the HackerOne spokesperson told TechRepublic.
Many attack surface management solutions have the same shortcomings that scanning tools do—they cover a wide area but lack context and nuanced understanding. “Because hackers are skilled at finding existing flaws, they also understand which are potentially vulnerable assets,” the spokesperson explained.
“Automated tools lack the human ingenuity and creativity these hackers bring to the vulnerability discovery and triaging process. The only others that match this ingenuity are the criminals that might attempt to infiltrate an organization’s systems,” HackerOne’s spokesperson assured.
HackerOne’s recent report reveals that the digital attack surface continues to grow and affects infrastructure, software, apps, updates, devices and extended supply chains. According to the organization, 44% of companies do not understand their attack surface, and only 33% of apps are tested yearly.
Cloud migration and app development have become high-risk security fields. “It’s true that organizations create new risks by migrating to the cloud; for example, cloud-based storage services are often exposed to public networks by default and, if not properly secured, data can be easily accessed by attackers,” the spokesperson said.
HackerOne calls for organizations to develop best practices to ensure that cloud-based software is securely configured and deployed. “To mitigate risk, organizations should develop a shared responsibility model with their cloud vendor, secure user endpoints, set up backup and recovery solutions for when things go wrong, and perform regular audits and penetration testing on systems,” the spokesperson said.
According to Enterprise Strategy Group (ESG), organizations face increased pressure to update security as they transform their business and accelerate development cycles. Cloud services and cloud-native application development are in high gear, reaching new levels of productivity and innovation, but security gaps are beginning to intensify.
ESG interviewed organizations that use HackerOne services to understand the attack surface, identify and track assets, implement standardized compliance controls and establish testing processes.
Ethical hackers help these organizations identify bugs and vulnerabilities and create feedback loops that allow in-house developers and security teams to learn from mistakes. Furthermore, ethical hackers provide the resources that vastly outnumbered in-house security teams need to match a worldwide cybercriminal community.
“We believe the only way to build a safer internet is by improving the skills, understanding, and transparency between the key players that impact cybersecurity for everyone—including hackers and organizations,” HackerOne’s spokesperson said.
HackerOne added that more organizations are beginning to recognize the benefits of hacking. “The connotation of the term hacker has shifted in the past decade,” according to HackerOne. The spokesperson explained that the Department of Justice (DOJ) recently broadened the Computer Fraud and Abuse Act’s definition, reducing the chances hackers will be prosecuted for good faith research.