How CSOs in Hong Kong can protect against vulnerabilities through ethical hackers


As the high-profile breach at flag carrier Cathay Pacific showed, data breaches are becoming commonplace in Hong Kong as cyber criminals seek to exploit enterprise vulnerabilities.

With attacks up sharply – an 80 percent jump within the space of five years – technology leaders across the city face a new type of security dilemma in 2020 and beyond.

With hackers knocking on the network door, the need for businesses to strengthen security defences, reduce risk and manage vulnerabilities continues to grow.

Step forward ethical hackers, who offer a proactive approach to mitigating security risk at enterprise level. Tasked with identifying security weaknesses, demonstrating that they are exploitable and reporting them so they can be fixed before criminals find them, ethical hackers work alongside organisations to close security gaps through enterprise-sponsored bug bounty programs.

“Companies pretending that security vulnerabilities in their operations don’t exist aren’t just ignoring them at their own peril, they’re being negligent custodians of precious data,” cautioned Marten Mickos, CEO of HackerOne. “Companies that recognise they’re not perfect are those that come out on top.

“The bottom line is that vulnerabilities exist, and criminals are looking for them anyway. It’s better to harness the power of ethical hackers before bad actors can exploit vulnerabilities for nefarious purposes.”

During early 2018, the World Economic Forum concluded that cyber crime would cost businesses more than $1 trillion during a 12-month period, with the figure expected to reach $3 trillion in 2020. Meanwhile, as many as 74 percent of businesses across the world could expect to be hacked, despite organisations worldwide collectively spending less than $100 billion to fight such attacks.

“This 10:1 cost to investment will only grow if we don’t focus on true prevention,” Mickos cautioned. “We hear from organisations that security disrupts flow, provides negative feedback and never seems to learn.

“When most of us started working in software, new releases would take six months to develop and test. Today, new software is released every hour. This new pace of innovation poses a problem for security teams — but by implementing a strategy that supports continuous security, we can stay alert for potential software vulnerabilities. Vulnerabilities in code open the door to disastrous consequences for individuals, companies and society itself if they are exploited before they can be mitigated.”

For Mickos, the common cyber challenge for organisations centres on “finding the balance” between driving innovation and keeping data safe.

“The key is to ensure security is constantly evolving,” he advised. “If security issues are found sooner in the development lifecycle, they take less time to fix. That’s where having a bug bounty program comes in.

“Over time, as security teams learn the common mistakes their teams make through bug reports, they can adapt their development strategies to avoid making the same mistakes twice and evolve their security programs to meet their changing needs and focus areas.”

Hacking for good

Since 2013, hackers have earned $100 million in bug bounties by “hacking for good” on the HackerOne platform.

From $30,000 paid to hackers across the globe in October 2013 — the first month of bounty payments on HackerOne — to $5.9 million paid to hackers in April 2020, Mickos said working with hackers has proven to be a powerful way to pinpoint vulnerabilities across digital assets.

“We are building a community able to test and vet every piece of our digital connected civilisation,” he added. “$100 million is a number that attracts the best hackers, providing companies and governments unmatched ROI, significantly reducing the risk of data breach.

“We have arrived at the point in history where you are ignorant and negligent if you do not have a way to receive useful input from ethical hackers. In this new world of ever-evolving threats, the only way to get ahead is to get transparent. Openness, not secrecy, is the way forward.”

LINE, for example, is widely recognised as one of the most popular messaging applications in Asia Pacific, serving millions of users in countries including Japan, Thailand, Indonesia, Taiwan and India. Keeping messaging data secure is what allows the business to connect people to each other, to information and to services, and it underpins user confidence in the platform.

“When LINE first started their bug bounty program, their goal was to create a contact point for reporters,” Mickos explained. “They wanted bugs to be shared with them rather than exploited in the wild or sold or shared, and they wanted to reward the individuals who found them. They knew that, with every bug, their internal security improved in tandem.”

In June 2016, LINE launched its own public bug bounty program to strengthen its security. Since then, the business has thanked nearly 300 hackers and paid out more than $300,000 in bounties. After three successful years, LINE decided to migrate its self-managed program fully to the HackerOne platform to raise global awareness and tap the world’s largest community of skilled hackers.

“Moving to HackerOne allowed for an increase in participating reporters, as well as valid reports,” Mickos added. “It also resulted in a wider array of services being inspected and tested.”

In the eight months since the program moved to HackerOne, hackers on the LINE program have earned over $100,000 in bounties for discovering more than 100 vulnerabilities.


Copyright © 2020 IDG Communications, Inc.