Tuesday December 10, 2019

Hire Hackers To Safeguard Your Data

Here's how hiring hackers can help you safeguard your data


At a time when cyber attacks on businesses across industries are multiplying as they go digital, joining hacker-powered bug bounty and vulnerability disclosure programmes is the key to minimise such incidents and safeguard your key data, a top cyber security officer said on Tuesday.

Hacker-powered security is a technique that utilises collaboration with the hacker community to find unknown security vulnerabilities and reduce security risk. Popular examples include bug bounty programmes and vulnerability disclosure policies.

“Hackers have become an invaluable extension of the most trusted security teams, on a mission to find what others may have missed or could not see,” Alex Rice, Chief Technology Officer at HackerOne, told IANS.

San Francisco-based HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with cybersecurity researchers.

It develops bug bounty solutions to help organisations reduce the risk of a security incident by working with the world’s largest community of ethical hackers.


Back in May 2018, Goldman Sachs became the first investment bank to launch a vulnerability disclosure policy.

“In the first year of their programme, more than 23 vulnerabilities, each representing real-world risk to their customers and data, were safely resolved,” Rice noted.

Today, Goldman Sachs is working with hackers to identify vulnerabilities in their consumer websites.

“On average, their internal security team has resolved vulnerability reports within two months, and has responded to bug reports in as little as one minute and resolved them in as little as one hour,” said Rice, who co-founded HackerOne in 2012.

Food delivery platform Zomato has paid more than $100,000 (over Rs 70 lakh) to 435 hackers to date for finding and fixing bugs on its platform.

Through its HackerOne bug bounty programme, running since July 2017, Zomato has resolved 775 vulnerability reports.

“Zomato’s security team is tasked with protecting sensitive information for over 55 million unique monthly visitors,” said HackerOne.

Hackers are no longer anonymous guns-for-hire. They are being embraced by everyone — from the insurance industry to government agencies.

In August, HackerOne revealed that hackers had earned $21 million in a single year reporting vulnerabilities through bug bounty programmes, while the number of government-run hacker-powered programmes grew 214 per cent globally.

According to Rice, research continues to show us that most breaches occur from basic lapses in security hygiene.

“It is important that organisations have layered defences, and use basic cyber hygiene principles such as multi-factor authentication and password best practices, followed by a security programme that focuses on covering your entire attack surface,” Rice told IANS.

Software is eating the world and software has bugs.

“All organisations — financial institutions, healthcare organisations, e-commerce companies, big box stores, media companies, practically anyone — are going digital and are equally at risk. We’re all in this together and are more alike than we realize,” he maintained.


On the bright side, the number of hacker-powered security programmes is rapidly growing all over the world.

According to HackerOne’s “2019 Hacker-Powered Security Report”, Latin America saw record growth of 41 per cent over the previous year and Asia Pacific grew 30 per cent.

Today, six of the top 10 financial services organisations in North America, and companies like Goldman Sachs, PayPal and Lending Club, are working with HackerOne.

Rice said that in terms of vulnerabilities, it’s really important that organisations have an efficient system in place to identify vulnerabilities and apply patches in a timely manner.

“Unpatched machines are still the most common attack vector for cybercriminals. Outside of basic hygiene practices such as applying timely security updates, the most effective means of doing so is to leverage the power of the friendly hacker community or what we call ‘hacker-powered security’,” Rice noted.

To tackle cyber attacks from nation-state actors, government agencies around the world are launching bug bounty and vulnerability disclosure programmes, among them the European Commission, the UK’s National Cyber Security Centre, Singapore’s Ministry of Defence and Government Technology Agency, and the US Department of Defense, including the Army, the Air Force and the Marine Corps.


In 2018, the number of hacker-powered security programmes in the federal government sector grew an impressive 214 per cent, according to HackerOne. (IANS)


Now Hackers Aim to Hit Cybersecurity Firms



The new breed of hackers is flexing its muscles, and now the cybersecurity firms whose business is safeguarding your data are being hit in their own backyard, a worrisome trend for enterprises and governments. Notably, neither of the incidents below involved breaking encryption or any other technical control: one came down to a vendor’s handling of employee data, the other to a reused access token.

In a bizarre incident late last month, global cybersecurity firm Palo Alto Networks “admitted” that the personal details of seven of its current and former employees had been “inadvertently” published online by a “third-party vendor”.

The personal details of some past and present employees — their names, dates of birth and social security numbers — were exposed online.

Palo Alto Networks, however, did not say who the third-party vendor was or how the employees’ personal details were leaked.

San Francisco-based HackerOne, itself a vulnerability coordination and bug bounty platform with clients including Starbucks, Instagram, Goldman Sachs, Twitter and Zomato, last week paid $20,000 to a community member who found a vulnerability in HackerOne’s own platform.

The vulnerability was reported by a user with the handle “haxta4ok00”.

“I can read all reports @security and more programmes,” posted the hacker on the community page.


“I did it to show the impact. I didn’t mean any harm by it. I reported it to you at once. I was not sure that after the token substitution I would own all the rights. I apologise if I did anything wrong. But it was just a white hack,” the hacker wrote.

The big question arises: how safe is our data with the cyber security enterprises that have mushroomed in recent years?

In a statement shared with IANS, HackerOne said it believes in transparency and the vital role it plays in building trust.

“This was a vulnerability reported through HackerOne’s own bug bounty programme by an active HackerOne hacker community member and was safely resolved. The team followed standard protocol to conduct a comprehensive investigation of the issue and implement immediate and long-term fixes. All customers impacted were notified the same day,” HackerOne noted.

“It may seem counterintuitive to publish when things go wrong, but many companies face similar security challenges, and the value of public disclosure for the public and our community far outweighs the risk,” the company added.

Palo Alto Networks said it took immediate action to remove the data from public access and to terminate the vendor relationship.

“We also promptly reported the incident to the appropriate authorities and to the impacted individuals. We take the protection of our employees’ information very seriously and have taken steps to prevent similar incidents from occurring in the future,” the company said in a statement.


The big question arises: if cybersecurity firms are unable to thwart hacking on their own platforms, where would an individual or a firm in India go to secure data?

“Both these incidents show that deliberate actions or even mistakes by companies can cripple huge security systems,” Virag Gupta, a lawyer who is arguing the case in Supreme Court for data localisation in India, told IANS.

The Data Protection Bill, which has been cleared by the Cabinet, envisages that “sensitive” personal data be stored in India, though it may be processed outside the country with the explicit consent of the individual concerned.

“Critical” personal data, a separate category, may only be stored and processed in India and will not leave the country. What constitutes “critical” data will be defined by the government when it frames the regulations.


“The new Data Protection Law in India must ensure an easy and fast redressal system that provides for both punishment and compensation,” said Gupta.

Companies may face a penalty of up to Rs 15 crore or 4 per cent of global turnover for major violations under the proposed Personal Data Protection law, according to official sources. (IANS)