The hacker crowd

Editorial Type: Technology Focus Date: 07-2017 Tags: Networking, Security, Hacking, Synack
Can hacking be used as a force for good? Jay Kaplan, the CEO at Synack explains how hackers can help to protect a nation

Whatever you do to defend against hackers, there's a good chance it's not working as well as you would like. Worse still, the perception of protection may instil a false sense of security that bears little relation to reality.

Naturally, the CISO takes the brunt of the blame, but it's tough when they are following best practice based on industry standards - standards which fall far below those set by the hackers themselves. Today's adversaries are criminals and financially motivated individuals with highly sophisticated hacking tools and the know-how to back them up. It does at times seem like the headlines proclaiming that 'the hackers are winning' might actually be true.

If a trick is being missed, it is that we are not adapting and playing the hackers at their own game. To beat a hacker you must first think like a hacker, an ethos that should be widely adopted when tackling threats. By joining forces you can actively invite hackers to help identify, anticipate and diminish cyber risk, from the perspective of a true external attacker, not just that of machines or hired professionals. Gaining visibility into how attackers view your attack surface, what pathways they can take to find a way in, and which areas of your attack surface are resilient or vulnerable, could prove invaluable.

Offering the growing cadre of ethical hackers a reward or bounty will help companies to proactively identify application bugs and network flaws. Instead of relying on individuals performing periodic penetration tests, companies are turning to crowdsourced application security and penetration testing platforms that provide not only the scalability and diversity of a crowd, but also a controlled and contained environment that can be trusted by the most sensitive organisations.

While the creativity and ingenuity of the human hacker far exceed the capabilities of machines, the importance of software cannot be forgotten. Purpose-built platforms can help organisations to track testing activity and accurately determine its value, and in turn measure success beyond a simple vulnerability rating. To realistically analyse crowdsourced pen testing, organisations must be equipped with the tools and intelligence to understand and visualise testing methodology and quantify effort. At the end of the day, security isn't just about knowing what's there and what damage can be done - it's about knowing what isn't there as well.

With board members increasingly demanding security assurance from both the CEO and CISO, producing a detailed report helps business leaders to add real data to their business risk assessments. Coverage should include which areas of the system are being hit and with what techniques, what gaps are exposed, and which assets are effectively protected. This in turn helps to track progress towards risk reduction goals for the present and the future, building trust and confidence between the organisation and its security programme. In the past, key stakeholders would blindly place their trust in the report left behind by a couple of time-based penetration testers, leading to a false sense of security and a lack of real understanding of how to act on the information received - which would frequently add tension between the security organisation and the development team.
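The coverage report described above, and the "knowing what isn't there" point from the previous paragraph, are easier to reason about with a concrete model. The following is an added example and is not Synack's platform or any code from the article: it takes a constructed activity log (which tester attempted which technique against which asset) and two constructed finding snapshots, then reports assets nobody touched, techniques never attempted per asset, and the change in open risk between snapshots. The hostnames, technique labels, severity scale and the "sum of open severities" risk score are all assumptions made for the illustration.

```python
"""Coverage and risk-reduction reporting over crowdsourced test activity.

Added example (not Synack's platform or code). All asset names, techniques,
testers and findings below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    """One tester's attempt against one asset using one technique."""
    asset: str
    technique: str
    tester: str


@dataclass(frozen=True)
class Finding:
    """A confirmed vulnerability; severity runs 1 (low) to 5 (critical)."""
    asset: str
    technique: str
    severity: int
    fixed: bool = False


# Assets in scope for the assessment (hypothetical hostnames).
IN_SCOPE = ["api.example.test", "portal.example.test",
            "admin.example.test", "legacy.example.test"]

# Technique classes the programme expects every asset to be tested for (assumed).
REQUIRED = ["injection", "auth-bypass", "xss"]

# Constructed activity log: who probed what, and how.
ACTIVITY = [
    Activity("api.example.test", "injection", "tester-a"),
    Activity("api.example.test", "auth-bypass", "tester-b"),
    Activity("portal.example.test", "injection", "tester-a"),
    Activity("portal.example.test", "xss", "tester-c"),
    Activity("admin.example.test", "auth-bypass", "tester-b"),
]

# Constructed findings at two points in time (Q2 shows two items remediated).
FINDINGS_Q1 = [
    Finding("api.example.test", "injection", 5),
    Finding("portal.example.test", "xss", 3),
    Finding("admin.example.test", "auth-bypass", 4),
]
FINDINGS_Q2 = [
    Finding("api.example.test", "injection", 5, fixed=True),
    Finding("portal.example.test", "xss", 3),
    Finding("admin.example.test", "auth-bypass", 4, fixed=True),
]


def coverage_matrix(activity):
    """Map each asset to the set of techniques actually attempted against it."""
    matrix = defaultdict(set)
    for a in activity:
        matrix[a.asset].add(a.technique)
    return dict(matrix)


def untested_assets(in_scope, activity):
    """In-scope assets that no tester touched: the 'what isn't there' of the report."""
    covered = coverage_matrix(activity)
    return sorted(asset for asset in in_scope if asset not in covered)


def missing_techniques(in_scope, activity, required):
    """Per asset, which required techniques were never attempted."""
    covered = coverage_matrix(activity)
    return {asset: sorted(set(required) - covered.get(asset, set()))
            for asset in in_scope}


def open_risk(findings):
    """Sum of severity over unfixed findings: a simple residual-risk score (assumed)."""
    return sum(f.severity for f in findings if not f.fixed)


def risk_reduction(before, after):
    """Fraction of open risk removed between two snapshots (0.0 if nothing was open)."""
    b, a = open_risk(before), open_risk(after)
    return 0.0 if b == 0 else (b - a) / b


def report(in_scope, activity, before, after, required):
    """Assemble the coverage and progress figures a board-level report would carry."""
    return {
        "untested_assets": untested_assets(in_scope, activity),
        "missing_techniques": missing_techniques(in_scope, activity, required),
        "open_risk_before": open_risk(before),
        "open_risk_after": open_risk(after),
        "risk_reduction": risk_reduction(before, after),
    }


if __name__ == "__main__":
    for key, value in report(IN_SCOPE, ACTIVITY, FINDINGS_Q1, FINDINGS_Q2, REQUIRED).items():
        print(f"{key}: {value}")
```

The point of separating the activity log from the findings list is that an asset with zero findings can mean either "resilient" or "never tested"; only the activity log distinguishes the two, which is exactly the gap a findings-only pen-test report leaves open.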

Not many years ago the term 'hacker' was an almost exclusively negative one. Now, however, top Global and Fortune 500 enterprises, as well as Federal Government agencies, are entrusting hackers to protect their most sensitive applications and IT environments. By reaping the benefits of pairing hundreds of the world's most trusted hackers at once with advanced technology that assesses system security more diligently and realistically in real time, it's possible to create and execute actionable plans that get ahead of the bad guys.