In many ways, the fight for cybersecurity is like a war; a digital arms race between the protectors of your most valuable data and malicious hackers seeking to infiltrate your network. But as with any war, knowledge is the key to success. Which is why some companies hire white hat hackers to advise their organizations in building a safer environment for everyone. After all, the best way to catch a hacker, is to think like a hacker.
The legendary Chinese philosopher and military strategist Sun Tzu once said, “The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand.” Whether examining ancient Chinese warfare or the state of our virtual lives today, the key to victory is understanding your own vulnerabilities.
White hat or ethical hackers are cybersecurity experts who use their knowhow to compromise computer security systems to assess weaknesses or expose gaps in a legal way — this is what is known as penetration testing.
In contrast, black hat hackers use their threat intelligence to cripple networks, vandalize websites, steal personal and financial information and victimize businesses. These are the hackers that typically make headline news.
Similarly, grey hat hackers can attack or interrupt a business, but not for their own gain. Instead grey hats generally infiltrate a site or network illegally, without permission to expose security flaws or just to see if they can. They will often post their findings online without notifying the organization, which can leave businesses vulnerable to more malevolent attackers.
Businesses regularly compensate white hat hackers for their work. If and when external researchers find holes in a company’s defense or wonky segments of code in their network, they can patch it for a fee. Many companies, including Dropbox and Microsoft, offer bug bounty programs, sometimes up to $100,000 — which means white hats can turn massive profits for their threat intelligence.
The result is a beautiful symbiotic relationship where organizations are provided solutions to problems they didn’t even know they had, and external researchers are awarded for expertise.
High-Tech Bounty Hunters
The greatest benefit of bug-bounty programs is their ability to source the collective wisdom of the cybersecurity community. While some programmers elucidate new solutions to known problems, sometimes they reveal serious vulnerabilities before they become problems. This is the exact opposite of a zero day exploits.
Zero day attacks refer to a software security gap that is exploited by hackers before the vendor even knows it exists; meaning they have zero days to patch the hole. Due to their novelty, zero day exploits cannot be blocked or uncovered by antivirus software (although they can sometimes be detected by behavior-tracking algorithms that spot suspicious or malicious behavior).
Think to yourself, would you rather invest a little money in the cyber defense community to secure your network or lose thousands of dollars in a data breach to faceless cyber criminals?
Considering starting a bug bounty program? Specify what constitutes a vulnerability; clarify the types of bugs you want external hackers to remedy and the expected payout. Next, set explicit parameters on what is allowed and what isn’t; if a hacker finds a way to crash crucial operations, it’s better to ask him/her to report it rather than demonstrate it. Finally, keep close contact with your external researchers in case you need to test their latest findings.
If you are looking to raise your own threat intelligence, consider working with white hat hackers or acclaimed cybersecurity firms to mitigate the risks of operating an online business. Remember, you are not only protecting your own company, but also the personal and financial information of your employees, customers and partners.
In the immortal words of Sun Tzu, “If you know the enemy and know yourself you need not fear the results of a hundred battles.”