Sunday, January 13, 2019

Week 6 - Who are the real heroes here?

Organizations pay a large percentage of their overhead to fund cybersecurity programs. This is done at the federal, state, private, public, and all other levels and in every industry. Millions are spent to protect and defend our privacy and personal data, in addition to the critical information our businesses and governments need to keep internal and available to those who need it. There are paths for certifying, assessing and authorizing IT systems in an effort to build confidence that they are protected to the highest standard.

Based on the NIST Risk Management Framework, as well as other security models such as ISO 27001 and COBIT, the majority of the security controls put in place exist to defend against malicious hackers (previously called crackers), whose nefarious intent is to steal valuable information.

A few years ago a trend emerged in which vulnerability identification was outsourced to third-party individuals and organizations, commonly referred to as Bug Bounty programs. Essentially these are hackers who decided to come out from the darkness and legally hack various organizations to discover vulnerabilities for profit. One of the largest bounty-for-hire companies, HackerOne, provided some interesting statistics in its annual report (HackerOne 2018):

- Over 90% of hackers are under the age of 35
- 8% of hackers are under the age of 18
- 58% of hackers are self-taught
- At 78%, Burp Suite is by far the most popular set of hacking tools
- 31.3% of techniques are learned by reading other hackers' blogs about their results and tactics.
- At 78%, websites are the most valued target of hackers
- The most popular countries participating in Bug Bounties are India and the United States
- Fun, to be challenged and to learn are all bigger motivators than earning money from hacking.
- Cross-site scripting and SQL injections are the most popular attack vectors, followed by fuzzing.


The irony of this concept is laughable. These organizations no doubt spend millions to protect their data from the same people now hired to discover vulnerabilities against them. But equally disappointing is the fact that the effort going into securing and accrediting these systems is upended by the very people being hired to protect them. The belief that systems are protected because someone gives their seal of approval is being proven incorrect, and further vulnerability analysis is necessary. In fact, one could say that the white hat hacking should perhaps be done first, to identify the largest gaps in security, and the expected protocol defense added after the easily exploitable flaws have been patched.

The goal is always mitigating the risk to a level acceptable to the organization. Until a few years ago, hackers were all bad. Perhaps the better way of looking at cybersecurity is to include these offensive hacking partners in the total solution to achieve a better overall risk posture.



2018 Hacker Report, HackerOne, 2018.  Retrieved from:  https://www.hackerone.com/sites/default/files/2018-01/2018_Hacker_Report.pdf
