Organizations need to be able to match the ingenuity and resources of cybercriminals to better defend themselves against the increasing number of threats and attacks that could paralyze their business.
Unfortunately, some laws restrict genuine security research. As we await the findings of UK Parliament’s review of the 1990 Computer Misuse Act, it’s time to rethink traditional approaches to security testing and for the UK government to support the case for ethical hacking proactively.
Why criminals have had the upper hand
Cybercriminals have had the advantage over businesses for too long. Poorly written code in old applications, unpatched software, and forgotten digital scaffolding accidentally left up after projects were completed are a few examples of how mistakes made years ago enable fresh attacks. However, it’s not just coding errors from the past that cause issues. Software is now dominated by open-source products; at least one known open-source vulnerability was detected by Synopsis in 84% of all commercial and proprietary code bases.
Although organizations have begun designing more robust security processes and testing throughout the software development lifecycle, it is often the same people who built the systems that are checking for issues. In addition, security activities tend to be siloed (e.g., we test an application but ignore the API). This reductionist view of cybersecurity all too often misses the bigger picture, but for a cyber attacker the whole is the goal.
The case for ethical hacking
What’s needed is fresh eyes and an outsider mentality to see where issues exist. This is where ethical hacking comes in. An organization can have a legion of external researchers on their side probing continuously for any weaknesses, uncovering vulnerabilities that automated scans and internal teams miss, performing recon to discover new insecure assets.
Like cybercriminals, hackers will also be leveraging tools such as publicly available Common Vulnerabilities and Exposures (CVE) databases. They go beyond CVEs in known applications to discover and examine hidden assets that potentially pose a greater risk. One-third of organizations say they monitor less than 75% of their attack surface and 20% believe over half of their attack surface is unknown or not observable. So, it’s easy to understand why cybercriminals with significant and often cheap labor power plus an array of techniques target unknown assets and regularly uncover exploitable vulnerabilities.
The way to keep pace and avoid burnout in internal security teams is to engage hackers to work on their behalf by setting up a vulnerability disclosure program (VDP).
The value of a vulnerability disclosure program (VDP)
VDPs are structured frameworks for security researchers to help proactively and continuously test internet-facing applications and infrastructure, documenting and submitting any found vulnerabilities. Program providers have amassed communities of ethical hackers and security researchers numbering in the hundreds of thousands, all with unique skill sets and perspectives to strengthen the security of an organization’s applications. Hackers perform ongoing tests in internet-facing assets including third-party software such as open-source libraries.
When a VDP is implemented, statistics indicate that over a quarter receive a vulnerability report within the first day of a program launch and new customers are notified of four high or critical vulnerabilities within their first month of use.
Therefore, ongoing feedback from hackers regarding the potential impact of vulnerabilities effectively extends the reach and knowledge of in-house security teams. Trying to deliver, and maintain, this breadth and depth of coverage in-house simply isn’t viable for most organizations.
Ethical hacking in practice
So, what does ethical hacking look like in practice? Programs offered by vulnerability disclosure platform providers can be tailored to meet all sizes and types of requirements.
The UK’s National Cyber Security Centre is leading the way with its vulnerability disclosure reporting program that covers its own website and extends to any online government site, as necessary.
Another government example is the Ministry of Defence (MoD), which has worked with the hacking community to build out its bench of technical talent and to bring more diverse perspectives to protect and defend assets. This collaboration enabled an understanding of where their vulnerabilities were which is an essential step when working to reduce cyber risk and improve overall resilience.
Incentivizing hackers
Enterprises with large asset inventories could consider taking a further step in the form of a vulnerability rewards program (VRP) that offers financial incentives to report vulnerabilities. Businesses can invite hackers that specialize in specific technologies to participate, depending on the assets that are in scope for the program. By offering competitive rewards or bounties, companies will attract the top independent security talent worldwide.
If organizations are seen to provide more significant financial incentives for reporting vulnerabilities quickly and directly to them, then the value to cybercriminals of stockpiling vulnerabilities for future ransomware attacks will also diminish.
Reforming the law
Every digital organization operating in the UK should have a vulnerability disclosure program that can leverage the benefits of hacking.
To ensure encouragement and protection, the government needs to update the Computer Misuse Act (CMA). Currently, the CMA does not provide sufficient legal protections for good faith cyber vulnerability and threat intelligence research and investigation provided by UK-based cyber security professionals and hackers. We recommend the government revises the CMA to include a statutory defense for cyber security professionals who are acting in the public interest that defends them from prosecution by the state and from unjust civil litigation.
Tipping the balance towards safety
Outwitting cybercriminals remains a complex and burdensome task. Ethical hackers can help to tip the scales away from the bad actors for those organizations that are prepared to incorporate them into their security initiatives.
Supporting hackers financially and protecting them legally from misdirected prosecution will further increase the ever-growing community of hackers who are working to provide a safer internet for businesses and individuals.