Companies use ethical hackers to find security flaws

Evertise
22 Jun 2022, 14:54 GMT+10

For decades, law enforcement and investigators have used undercover agents help crack their toughest cases. How better to learn about how criminals behave and how they commit their nefarious acts by putting someone right on the front lines to behave like the criminal and share information with 'the good guys?'

The same principle of undercover agents is being put to use in the information security world, with the growing reliance on certified ethical hackers. While the idea of an 'ethical hacker' might seem like an oxymoron, there are talented individuals who are willing to put their knowledge of hacking methods to work to help organizations identify their security vulnerabilities and fix them.

Hackers have broken into some of America's largest corporations but now businesses are starting to use them to their advantage.

Companies are hiring hackers to test their systems for security flaws, in fact google is one of a number of firms that asks hackers like Santillana — who are often referred to as ethical or white hat hackers — to try to find security flaws.

"We're curious, we want to test our skills, we want to help these companies," said Santillana. "I've found several bugs where you can completely compromise another user's account."

He works for a firm called Bugcrowd that connects companies, including Pinterest and Western Union, with hackers like himself. He said that the work is as much about the fun — the challenge of solving a problem — as it is about the money. Businesses pay cash rewards, ranging from hundreds to thousands of dollars, to the first person to find a particular bug. They're called bug bounties.

Mobile payments company Square has a bug bounty program.

"So we do everything we can to secure our products and services but occasionally things fall through the cracks," Square's information security technical lead Dino Dai Zovi told CBS News. He said that Square would rather have good hackers help find these problems before malicious attackers do.

"So we aren't just focusing all our efforts on locking the front door when there's a wide open window we don't know about."

Dai Zovi acknowledged it's a bit scary to invite strangers to hack you. But he said it has helped and, so far, they haven't been burned.

Working with an ethical hacker can help reduce your losses in the event of a breach in two ways:

If you are breached, a hacker may be able to locate the vulnerability much faster, preventing an ongoing attack.

When you hire a hacker, you can request that he or she provide an employee fidelity/honesty bond or other insurance coverage that will reimburse you should your company experience losses as a result of their activities.

So while the idea of hiring a hacker might seem absurd at first, it's quickly becoming a widely accepted security practice. Much like an undercover officer can root out criminals more quickly than uniformed agents, a hacker can identify vulnerabilities more effectively than a defender.