Ethical hackers are useful in letting businesses know where their vulnerabilities lie. Here are five occasions when they've proven essential.
Cybersecurity risks are one of the biggest threats to any business. According to research by Allianz, it's actually the number one concern for risk management professionals around the world, ahead of business disruptions, legislation changes and natural disasters.
While the popular image of a hack is of a large-scale, multifaceted attack that uses complex code and requires significant expertise, the truth for many businesses is far more mundane. Most data breaches can be traced to a few easily solvable issues that, if identified and fixed quickly, can shut down many potential avenues of attack.
However, finding these problems is often easier said than done. So how do you know where your vulnerabilities lie? The answer is to turn to an ethical hacker.
Why you need ethical hackers
Ethical hackers use the same techniques as criminals to try and gain access to your systems - except they won't steal any data and they'll tell you what you're doing wrong.
Many firms commission ethical hackers directly, but they can also be recruited via 'bug bounty' programs that incentivize independent hackers and security researchers to look for weaknesses.
There are a number of vulnerabilities that can be detected by ethical hackers, including:
- Poorly configured services.
- Broken or weak authentication processes.
- Input validation errors that can be used for injection attacks or even social engineering weaknesses, where employees are tricked into giving up access credentials.
Their findings can then be used to close any security holes and avoid potentially costly data breaches.
If you're still unsure, take a look at these real-world cases, where ethical hackers have uncovered vulnerabilities and saved businesses from potentially serious repercussions.
1. Taking over social accounts
Vulnerabilities that can leak personal info need to be treated with the utmost seriousness - but they're not always where you might expect. For example, in 2019 a security researcher discovered a vulnerability in a popular WordPress plugin that shares content on social media. The hacker found it stored access tokens, allowing anyone to take over a user's Twitter feed and view their personal details.
2. Accessing cameras
Video services have become increasingly popular in recent years, and one of the most popular offerings is Zoom. However, it’s had its share of security issues, including one vulnerability reported by an ethical hacker in 2019 that meant the service's Mac client could be used to initiate a user's camera and forcibly join a call without their permission.
At the time, around 750,000 companies used Zoom to manage meetings, though its popularity has risen amid the coronavirus pandemic and the need to work from home. Fortunately, Apple was able to quickly patch the issue once alerted.
3. Hacking the air force
Military organizations possess some of the world's most sensitive digital assets, but they don't take kindly to hackers poking about uninvited, so they regularly host sanctioned bug bounty events where hackers can search for weaknesses in a controlled environment.
In one of their most recent events, the United States Air Force handed out a total of $290,000 to security researchers who had uncovered more than 460 vulnerabilities in one of its platforms.
4. Bypassing payment limits
According to Mastercard more than half of all people in the US now use contactless payments. To ensure its security when authentication isn't required, these systems typically have spending limits, but two security researchers from Positive Technologies have identified how these can be bypassed.
They explained how flaws in Visa cards can allow users to go over the UK's spending limit without the need for further verification, regardless of the terminal or issuer. Given that £8.4 million was lost to contactless fraud in the UK in the first half of 2018 alone, any weaknesses in the safeguards for these solutions need to be fixed quickly.
5. Keeping connected cars secure
Internet of Things (IoT) technologies now control many parts of our lives, and one of the most common uses for the technology is in connected cars. Hackers have demonstrated on numerous occasions how it's possible for these systems to be taken over. One of the most notable was the vulnerability in Jeep's Uconnect onboard entertainment system, which hackers Charlie Miller and Chris Valasek used to access the car's central computer and take control of its steering, brakes and engine.
Clearly, the potential for danger in these settings is high, so Jeep's owner Fiat Chrysler had to recall 1.4 million Cherokees and issue a patch to close the vulnerability; the first time any company has made a major recall of a physical product due to a software issue.