Hack hackers before hackers hack you

Bug bounty programs call on so-called ethical hackers, who legally search for vulnerabilities, to find security leaks in an organization's IT systems.


Hacking today is an illegal industry worth billions, comparable in size to international drug trafficking. It is hard to grasp and highly dangerous for the economy and society, and the perpetrators are rarely brought to justice. Because law enforcement lags behind ubiquitous cybercrime, it is best to find professionals yourself who can protect you from high-consequence cyberattacks. But who?

Those who understand hackers best are hackers themselves. There are also good ones, the so-called white hats: professionals who call themselves ethical hackers. They examine your entire network from a hacker's point of view and find the leaks that black hats (criminal hackers) could use as an open door for cyberattacks.

Bug Bounty: a white hats vs. black hats program run by professionals

You probably do not have such a network yourself and would have a hard time assessing which specialists are on your side and what they are doing in your systems. Bug Bounty Switzerland, run by Sandro Nafzger, Florian Badertscher and Lukas Heppler, specializes in providing its customers with "ethical hackers" who run through all possible scenarios and show them security holes before "black hats" can exploit them. In this way, customers benefit from the collective intelligence of a global community of highly specialized security researchers.

Experience shows that conventional security measures are no longer sufficient to protect effectively against cyberattacks. In fact, every IT system that Bug Bounty Switzerland has tested with its ethical hackers still had security gaps that could not be found with established tools such as scanners and automated tests or proven methods such as penetration tests and audits, and that were only discovered in a bug bounty program. Protection thus expands, ideally under conditions that resemble a real attack: the organization is confronted directly with hostile thinking by researchers who proceed in exactly the same way as cybercriminals would.

Hackers of all types and persuasions penetrate corporate infrastructures through combinatorial, analytical and technical thinking. The route they take is often very different, but it usually starts with intensive research that yields information about the corporate infrastructure.

This information can be compared with known vulnerabilities, and the first attempts to penetrate the company can be launched. Thinking like a hacker can also mean spending days reading lines of code from web interfaces in order to finally come across logic errors that open doors. A hacker's imagination is trained to deal with complex interrelationships and can often draw broad conclusions from small pieces of information.

The recently disclosed vulnerabilities in the Log4j framework left companies around the world open to attack. The speed of the race between attacker and potential victim is both impressive and frightening. Companies that did not previously have a systematic and continuous process for dealing with vulnerabilities had to build one virtually overnight. It would have helped if those affected had dealt with the issue proactively at an earlier stage and had established the corresponding processes and competencies. Knowing that a vulnerability exists and knowing whether or how it applies to your own infrastructure are two different things. The Log4j vulnerability has shown clearly that dealing with vulnerabilities is an unsolved problem of central importance. Numerous companies have felt the pain of such omissions.
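The article's point that knowing a vulnerability exists and knowing whether it applies to your own infrastructure are two different things is, in practice, an inventory-matching problem. The following is an added example written for this page, not code from the article or from Bug Bounty Switzerland: it checks a constructed list of deployed library versions against constructed advisories that name an affected version range and a fixed version. The component names, host names, version numbers and advisory identifiers are all illustrative placeholders, not real data.

```python
"""Match a deployed-component inventory against vulnerability advisories.

Added example for this article (not the author's or the company's code). All
component names, hosts, versions and advisory ids are constructed placeholders.
"""
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Numeric parts compare numerically and are padded to three components so
    '2.0' and '2.0.0' are equal. A pre-release suffix sorts before the final
    release of the same number (2.0-beta9 < 2.0). Pre-release suffixes are
    compared as plain strings, which is a simplification.
    """
    main, _, pre = text.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums = nums + (0,) * (3 - len(nums))
    return nums + ((0, pre) if pre else (1, ""))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder identifier (constructed)
    component: str
    min_affected: str     # inclusive lower bound of the affected range
    max_affected: str     # inclusive upper bound of the affected range
    fixed_in: str         # first version that contains the fix


@dataclass(frozen=True)
class Deployed:
    host: str
    component: str
    version: str


def is_affected(item: Deployed, adv: Advisory) -> bool:
    """True if the deployed item falls inside the advisory's affected range."""
    if item.component != adv.component:
        return False
    v = parse_version(item.version)
    return parse_version(adv.min_affected) <= v <= parse_version(adv.max_affected)


def match_inventory(inventory, advisories):
    """Return one (host, component, version, advisory_id, fixed_in) tuple per hit."""
    hits = []
    for item in inventory:
        for adv in advisories:
            if is_affected(item, adv):
                hits.append((item.host, item.component, item.version,
                             adv.advisory_id, adv.fixed_in))
    return hits


# Constructed advisory: a fictional logging library with an affected range.
ADVISORIES = [
    Advisory("ADV-0001", "example-logging-lib", "2.0-beta9", "2.14.1", "2.15.0"),
]

# Constructed inventory, as an asset database or SBOM export might provide it.
INVENTORY = [
    Deployed("web-01", "example-logging-lib", "2.14.1"),   # top of range: affected
    Deployed("web-02", "example-logging-lib", "2.15.0"),   # already fixed
    Deployed("app-01", "example-logging-lib", "2.0-beta9"),  # bottom of range: affected
    Deployed("app-02", "example-logging-lib", "2.0"),      # inside range: affected
    Deployed("db-01", "other-lib", "2.14.1"),              # different component
]


if __name__ == "__main__":
    for host, comp, ver, adv_id, fixed in match_inventory(INVENTORY, ADVISORIES):
        print(f"{host}: {comp} {ver} affected by {adv_id}, upgrade to {fixed}")
```

The inventory is the hard part in real environments: the matching logic is simple, but it is only as good as the organization's knowledge of what is deployed where, which is exactly the process the article says many companies lacked.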

The disclosure of vulnerabilities leads not only to more protection, but also to a kind of "guidance" for "bad guys". Well-set-up bug bounty programs, through their continuous execution, build broad knowledge quickly. In addition, a bug bounty program opens the way to an open and transparent corporate culture: a key factor in the success of digitization and transformation.

The Co-Founders of Bug Bounty Switzerland (from left to right): Florian Badertscher (CTO), Lukas Heppler (CPO) and Sandro Nafzger (CEO).

"Good" and "bad" proceed in the same way

But how do we know who are the so-called "good guys" and the "bad guys"?

The motivation of ethical hackers today is often economic: they make a living from it. Good hackers do more or less the same as the "bad" ones. By joining forces via crowdsourcing, they gain versatility and better intelligence. Underground organizations do the same: depending on the hack, they drum up resources and structure their projects according to the goal. It is precisely this collective intelligence, which results from the combination of the ethical hackers' individual backgrounds, skill sets and experience, that makes the programs so successful.

www.bugbounty.ch
