SL urged to use ‘bug bounties’ to boost cyber security

Thursday, 28 September 2017

By Madushka Balasuriya

The Sri Lankan Government should strongly consider implementing ‘bug bounty’ programs as a means of securing its websites and databases, a cyber security expert said yesterday on the opening day of the 2017 Cyber Security Summit.

Bug bounty programs are schemes through which an organisation offers a ‘bounty’ - most commonly a monetary reward - to anyone who finds and reports a previously unknown vulnerability in its websites or systems. Citing the successful implementation of such initiatives across a range of organisations, from the Dutch Government - whose websites he described as some of the most secure in the world - to large global corporates, Jake Davis said this was one of the easiest and most efficient ways to secure a company’s online systems.

“You can hire as many in-house security teams or external companies as you want - and that’s fantastic, you can cover all the areas - but the most unknown, ridiculous, abstract way of hacking into a website, you still won’t be able to find it,” said the former hacker-turned-cyber security expert in his keynote address.

“But hackers are always doing this sort of stuff. From their point of view, they sign on to a bug bounty website, they see a company and think ‘I can get paid $1,000 minimum to hack this website, I’m going to now look for things that they might not expect’.”

Davis, a former prominent member of the hacking collective Anonymous and a founding member of LulzSec, has been credited in the bug bounty halls of fame of several major companies, including Apple, Facebook, Twitter and Google, for responsibly disclosing vulnerabilities in their websites. Now working as a cyber security consultant, he believes bug bounties offer a way of harnessing hackers’ “sense of mischief” for the greater good.

“Hackers have that sense of mischief, especially more ‘black hat’ hackers, and if you tell a hacker, ‘the more hypothetical damage you think you can cause with this bug that we can fix, the more we’ll pay you,’ hackers get that mental satisfaction, and kind of mutual respect from their peers.”

Starbucks, Twitter, Snapchat, Rockstar Games and even Pornhub are among the companies that run bug bounty programs, paying hackers upwards of $50 per bug found, with the total sums paid out by individual programs ranging from $100,000 to nearly $1 million. Davis believes the widespread adoption of bug bounty initiatives speaks to their effectiveness.

“A lot of different companies do this. But one of them that I find very interesting is Pornhub; they’ve paid out the same as Rockstar Games and more than Starbucks. If a porn website has a bug bounty program it sort of shows that we should all probably have bug bounty programs.”

For those who may be flinching at the thought of cumulatively paying hundreds of thousands of dollars to, in effect, have their website hacked, Davis explains that in the long run it is far less costly than dealing with the fallout if even one of those vulnerabilities were exploited against the company.

“Over time it’s probably going to be much cheaper than hiring security teams to overlook all this stuff. Also just take the Starbucks example - 259 hackers received bounties; that could be 259 company-destroying headlines for Starbucks.”

However, that is not to say all bug bounties need be costly affairs. The Dutch Government has, in Davis’s view, some of the most secure government websites in the world - so much so that even he says he would struggle to hack into them - and it has achieved this with a reward that costs no more than a t-shirt.

“This is my favourite ever bug bounty, it’s like marketing for hacking,” Davis said as a slide appeared behind him showing a man wearing a t-shirt with the caption ‘I hacked the Dutch Government and all I got was this lousy t-shirt’.

“Now I really want one of those t-shirts, so I need to hack the Dutch Government. But the problem is I can’t hack the Dutch Government because the Dutch Government is now too secure, because everybody wants to break in and help them secure their systems so that they can get these ludicrous t-shirts.”

Pix by Daminda 

Harsha Perera 
Cybersecurity as a growth enabler

Cyber security is fast becoming “embedded into everything” organisations are trying to achieve and as such is now one of the key pillars of growth for any modern company, said a representative of IT and networking company Cisco.

Stephen Dane, Managing Director of Cisco’s Global Security Sales Organisation for Asia Pacific, Japan and Greater China (APJ & GC), said that while in the past cyber security was often only an “afterthought”, that can no longer in good conscience be considered the case.

“It used to be considered the kind of thing the guys did in the smallest room in the basement, but that’s really changed,” he said while addressing the Sri Lanka Cyber Security Summit in Colombo yesterday.

“With digitalisation, with technology becoming more central to organisations’ futures, cyber security has become much more interconnected with a company’s digital transformation strategy and really needs to be at the heart of an organisation’s thinking when they’re trying to innovate.”

Dane explained that this was inevitable given the “rapid change” in technology and the proliferation of interconnected devices seen recently, through innovations such as the Internet of Things (IoT). This, he said, has vastly increased the “attack surface” that IT professionals have to monitor and defend.

“We’ve seen billions of devices become connected. There is a huge amount of an increase in attack surface that we’re seeing. Massive increase in computing power, massive cloud increases. These things mean that it’s much harder for us within the IT field to actually understand where our assets are. And actually managing those two environments is more complex than it used to be.”

“With this sort of digital transformation taking place so rapidly, it is imperative that every organisation has a digital transformation strategy,” said Dane, adding that this has led to a scenario in which cyber security is now being more readily acknowledged as a driver of growth as opposed to an inconvenient obstacle.

“Organisations for the first time are looking at cyber security and looking at it as a growth enabler. That is really exciting. That means everybody in this room is involved in growing businesses rather than stopping projects,” he said.

This shift in perception, however, seemingly cannot come soon enough for Dane, with media reports of high-level security breaches only growing in frequency. The latest involved credit reporting company Equifax, which recently announced that a data breach had exposed the personal information of some 143 million Americans. Meanwhile, attackers were also found to have compromised the software supply chain of the CCleaner utility, injecting malware into a legitimately signed release that was then distributed to millions of users.

“It’s a situation that’s only going to get worse. I think the industry will get better at basics, which is really where we need to start in terms of patching systems and developing a proper playbook around how we respond to attacks. But this is going to be a battle that’s going to go on and on.” (MB)
