Ethical hacking: How firms can avoid cybercriminals' snare



Hacking. Data Theft. A few weeks ago, Naivas Supermarkets hit the headlines in their admission that the business had been hit by an online criminal organisation hunting for valuable client data.

Other than taking immediate steps to contain attacks, corporates are now looking at Ethical Hacking, also known as bug bounty hunting, as a way of checking their systems and stepping up cyber security in their organisations.

My first interaction with the term was somewhat anticlimactic a few weeks ago when I attended a Tech Conference. To start off the conversation was this lady, let’s call her Alice, who led a discussion on cybersecurity and boy, didn’t she impress!

She understood the topic so deeply, so intimately and so precisely that I wondered whether the bugs might get the wrong idea and ask for a happy ending. He..he

As she went on and laid out valuable information on cybersecurity and ‘Bug Bounty Hunting’, I kept wondering: “When is she going to pull out the gun?”

Which was apt because she wore an all-black ensemble, complete with a thick, studded leather belt and stilettos. To my amazement, however, Bug Bounty hunting, as it turned out, had nothing to do with a good old hunt, no. It has got everything to do with tech, coding, and debugging of programmes.

Bug Bounty is a reward paid to an Ethical Hacker for identifying and disclosing potential security risks in a corporate’s web, mobile or systems.

The Ethical Hacker checks for loopholes in the software and discloses the vulnerabilities and weaknesses to the corporate, so that the owner of the software can take action on the bugs discovered.

The whole point of the exercise is to ensure that a system or software is as secure as possible, to fully protect the confidentiality and integrity of data held within it.

Bug bounty hunting simply means bringing on board ethical hackers who are allowed a certain level of access to a company’s protected code for purposes of checking for errors and malfunctions.

Ethical Hacking is a safe way of staying ahead of black-market hackers who might be trying to unethically and illegally access your data or source code.

It also enables corporates to perfect their tech-based products, either before they hit the market or as a way of enhancing their performance and data safety in their operations.

A corporate will shortlist a group of software programmers and the assignment will be simple: “Here is our programme, you get access to the code, play with it and identify any bugs (errors).”

The software engineers will have duties to only disclose their findings to the corporate and they will be paid for every error that they find, hence the name, bug bounty hunting.

Let’s say you are a large corporate holding sensitive client data, which data is worth billions if it is accessed and traded in the black market.

With the proper incentives, black market hackers will normally try to infiltrate your system illegally and attempt to access that data.

Since corporates are aware of these kinds of risks, cyber security has become a continuous function of savvy corporates, which will check all corners of their business to avoid being hacked.

To make better decisions regarding the cybersecurity measures your firm needs to take to protect your systems from hacking, you will need to think like a hacker.

That’s why Ethical Hacking has become extremely valuable to businesses. Ethical hackers will use their best skills to do exactly what a black-market hacker would do.

The only difference is that the Ethical Hacker has permission to hack the system, and all information gathered from the exercise will go towards helping the business identify and fix hacking risks in its systems and software.

The first bug bounty programme was introduced in 1995 when a startup called Netscape Communications offered cash and Netscape merchandise to people who reported security bugs in the new beta release of its Navigator 2.0 browser.

In the last few years, different companies including Google, Microsoft, Facebook, and Yahoo, have started to offer significant rewards to bug bounty hunters to identify bugs within their systems.

In Kenya, Safaricom launched its first bug bounty programme in 2018 through HackerOne, the cyber security company and the telecom’s program partner.

“The reason for starting this programme was to encourage hackers to report any bugs/vulnerabilities that they may find in Safaricom’s products and services to Safaricom in a confidential and ethical manner instead of exploiting them or disclosing them to the public,” said Thibaud Rerolle, Safaricom’s then Technology Director.

Companies are willing to pay a sufficiently high price for discovered vulnerabilities because, at the point of sale, it is unknowable who the ultimate end user of an unpatched vulnerability would be.

It might take an outsider to discover a loophole in the systems of a company which may be a blind spot for its in-house cyber security professionals.

The surest way to ensure that you get the most out of a bug bounty relationship is to have a contract that regulates the conduct, expectations and timeframes of the engagement.

Some of the core clauses include a duty of confidentiality. The Bug Bounty Hunter must place themselves under the same confidentiality terms with which the corporate itself is obliged to comply.

Safety and privacy of data are crucial in this Agreement, and stiff penalties must be imposed for unlawful disclosure of customer data.

This is in the understanding that the customer, in the event of such disclosure, will seek remedies from the corporate, and the corporate must in turn be indemnified by the Bounty Hunter.

However, such a clause will not exclude the corporate from its duties to its clients. It will remain liable for the protection of customer data, and in the event of an unlawful breach of Data Protection rights, the corporate will be held liable for the acts of the Bug Bounty Hunter.

As a way of closing all loopholes, the Ethical Hacker is expected to delete all traces of the corporate’s data that they will have obtained for the assignment.

Holding a corporate’s data after the closure of the program without further authorization to do so amounts to wrongful conduct on the part of the Ethical Hacker.

Ethical hacking will emerge as one of the core careers of the future, and practitioners who choose to pursue this career path must cultivate high ethical standards of business, especially because negligent acts and criminal offences committed by the hacker will be borne by the hacker.

The corporate can sue you for careless handling of its data, and this attracts both fines and jail terms under Kenyan law.

Ms Stardust is an attorney and founder of Lex Centre LLP.
