When the Pentagon wants to find a vulnerability, it calls a white hat hacker.
While some U.S. government agencies struggle with adopting more nimble IT technologies and practices, the Defense Department is showing how embracing programs such as bug hunting, vulnerability disclosure programs and hackathons can help uncover software flaws and keep infrastructure safe at a time when nation-state hacking is on the rise.
This same approach to bug hunting is also creating a market for white hat or ethical hackers with the right skills and talents to work with one of the U.S. government’s largest and most complex agencies.
While the Defense Department has been running “Hack the Pentagon” programs since 2016, a report released in late February shows how successful and important these and other initiatives have become in securing its vast IT infrastructure.
The unclassified report, prepared by the Defense Department’s Cyber Crime Center, looks at the DoD’s Vulnerability Disclosure Program (VDP) over the course of 2019, and finds a nearly 22 percent increase in the number of submitted reports compared to 2017. Of the 4,013 vulnerability reports submitted last year, 2,836 were validated by the Pentagon and assigned for mitigation. These vulnerabilities, the report notes, were previously unknown to the DoD and had not been found by automated network scanning software, red teams, manual configuration checks or cyber inspections.
Much of this is the work of nearly 1,500 white hat hackers and researchers working in concert for the Defense Department. “The unity of effort every step of the way has been and remains truly incredible, making clear the value of ‘strength in numbers’ in aligning the capabilities and talents of multiple partner elements working together to achieve common ends,” Jeffrey Specht, the executive director of the DoD’s Cyber Crime Center, writes in the report.
In the four years that the Pentagon has run its Vulnerability Disclosure Program, it has driven a new perspective on how a large government agency can work with outside security professionals to make a difference, says Deborah Chang, vice president of policy at HackerOne.
“‘Governments lead the way’ isn’t a phrase you often hear, especially in technology,” Chang tells Dice. “But in the realm of hacker-powered security, governments and government agencies are decidedly progressive on their use and promotion of this proven approach to cybersecurity.”
Finding Timely Vulnerabilities
The 2019 DoD report finds that many of the vulnerability reports submitted to the Pentagon pertain to flaws in web services and servers. Over the past year, however, white hat hackers have also found an increasing number of security issues with VPN endpoints.
The focus on VPNs comes at a time when some of the most popular of these services, including ones used by the Defense Department, are under attack. In recent months, security firms have found that nation-state hackers have been attempting to exploit unpatched vulnerabilities in Fortinet, Pulse Secure and Palo Alto Networks VPN servers, as well as Citrix remote gateways.
This is the benefit of having white hat and ethical hackers to call on: finding those vulnerabilities that might be missed by the Pentagon’s own internal teams despite the resources the department can deploy, says Casey Ellis, CTO at Bugcrowd, a crowdsourced security company.
“DoD has a tremendous internal penetration testing and red team, but it’s still a finite resource in terms of the time they have for testing, and the skills and approaches they have in-house. The crowd augments this, and balances that equation against what the bad guys have available to them,” Ellis tells Dice. “As the speed of technology change continues to accelerate, the opportunity for government in private/public partnerships is to insource and double-down on the core responsibilities, while outsourcing the context and integrating learning from the experts.”
It is these types of successes in finding software vulnerabilities that have pushed the rest of the U.S. government, through the Department of Homeland Security, to create a binding operational directive that would require all federal agencies, including civilian agencies, to adopt a VDP.
“While this directive speaks to the value that the outside security researcher community provides, it also underscores the importance of the full vulnerability life cycle, including how to communicate with security researchers acting in good faith all the way to vulnerability handling and remediation,” Chang says.
Breaking Into White Hat Hacking
Those IT or security professionals looking to take advantage of these types of government-sponsored hacking and bug hunting programs can expect a decent payday, with the Defense Department spending about $34 million on these programs.
In terms of skills, Ben Sadeghipour, head of hacker operations at HackerOne, says that IT pros need an offensive mindset and a grasp of the basics of security and of hacking government systems.
“For example, if you are hacking on a web scope, being comfortable with the basics of Web technology and hacking concepts will help you hack any bug bounty program, including the DoD,” Sadeghipour says.
He adds that good white hat hackers also need to think a bit like their black hat counterparts: “Curiosity, tenacity, and the tendency to enjoy thinking like a criminal while having no desire to actually be one.”
The post White Hat Hackers Help Pentagon Close Its Cybersecurity Holes appeared first on Dice Insights.