Ethical hackers- sometimes known as white hat hackers, recently participated in Apple’s vulnerability bounty program and scored big. Over the span of three months, five hackers, led by 20-year-old Sam Curry, uncovered 55 vulnerabilities. Eleven of those vulnerabilities were deemed critical. Their payout? $288,000 and counting.
Facts
Apple instituted a bug bounty program in 2016 after they increasingly struggled to find vulnerabilities internally. The program has rewarded millions of dollars to ethical hackers since—a welcome investment compared to the potential cost of even a single malicious hack.
For Curry’s team, engaging in such a venture was a massive undertaking. Apple.com and iCloud.com are responsible for over 25,000 web servers. Apple also owns 7,000 other unique domain names. Curry and his cohorts were up for the challenge. One of the critical vulnerabilities they found involved Apple’s iCloud platform and a wormable weakness that could be spread through email, stealing photos and other valuable information. Another was found by brute forcing into an Apple Distinguished Educator admin account. From there, further internal network penetration was possible. Upon discovery, the ethical hackers immediately reported the vulnerabilities to Apple. Apple remedied each issue within days and sometimes hours—exceptionally quickly, in other words—which can be difficult for a company without Apple’s sound infrastructure and resources.
Related: Why Collaborative Enterprises Need a Better Way to Manage Risk
Cybersecurity experts agree that Apple is widely secure, but with such a large footprint, vulnerabilities are bound to exist. Penetration tests, or pen tests, are administered internally. However, it isn’t always enough. Apple’s bounty program crowdsources hobbyist and professional ethical hackers in a gig economy format to fill in the gaps.
After all, even the predicted final payout of upwards of $500,000 to the Apple hackers is small potatoes compared to a cyber security breach that involved a ransom, a public relations disaster, an extended period of downtime, a stock market drop, or worse.
Lessons Learned
As the saying goes, “Every company is now a tech company.” Most companies these days have an online presence. They utilize third-party software and create and/or buy infrastructure that inevitably includes weaknesses. Hackers are also becoming more sophisticated. Thus, bounty programs are an increasingly common tool in a company’s cyber security toolbox.
Bug bounty programs aren’t just for the Big Five. In fact, bug bounty programs are popular among businesses of all size, including startups. Startups work hard and fast to get their product to market on limited funds. Securing a complete cyber team is difficult in the beginning. Cyber security experts are expensive. And there is currently a cyber security expert drought—a trend that is worsening. By setting the perimeters of a bug bounty program and budgeting for found vulnerabilities, startups are able to access cyber security experts quickly and affordably. For an established business with a solid cyber security team and strategy, bug bounty programs offer an extra layer of security. For big businesses in banking and healthcare, ethical hackers can cover a lot more ground than internal cyber security teams alone.
Related: Utility Of Cyber Security Certifications
Bug bounty platforms are available from trusted vendors like HackerOne and Bugcrowd. These SaaS offerings help launch a successful bug bounty program by providing a communication pathway between ethical hackers and enterprises. Their hackers are vetted and capable. Bug bounty hunters are given the creativity to think like a hacker. In a landscape where hacking continuously shifts and evolves, cyber security programs become archaic quickly. Most hackers who participate in bug bounty programs are moonlighters. Some do it to increase their skills as a cyber security employee or future employee. Some do it to hope to find The Big One that pays accordingly. Still others do it to participate in the tight-knit community of ethical hackers who share knowledge among themselves. Whatever the reason, with cyber crime on the rise, ethical hacking has gone from fringe to mainstream. Even the U.S. Department of Defense utilizes ethical hackers.
Quick Tips
Working with an ethical hacking organization isn’t as simple as just signing up, however. It’s important to lay the proper groundwork first.
- Remember, eithical hackers find vulnerabilities. They don’t vet and fix them. If an organization’s cyber security team isn’t prepared to act on the issues found by an ethical hacker—let alone understand the report issued by the hacker—it means those funds are best invested in stronger cyber security.
- The intent of ethical hacking isn’t to be a holistic cyber solution. It should be deployed as a nice-to-have after a strong cyber security policy is executed. In other words, basic security scans, pen tests, and best practices should be in place before utilizing a bug bounty program. Bug bounty programs shouldn’t come at the cost of another cyber security effort.
- There are several different bug bounty models. Some work under a specific scope. Others operate during annual or bi-annual “hack-a-thons” as opposed to a service offered year-round. Different vendors offer different types of platforms. In order to make a bug bounty program work, it should be a collaborative effort between IT, the cyber security team, and the C-suite.
While ethical hacking isn’t an enterprise must-have—yet—for cyber security teams who are looking for the next step toward heightened security, it may be just the thing.
Read More: Incident Of The Week
