Sunday 08 Sep 2024

This article first appeared in The Edge Malaysia Weekly on September 25, 2017 - October 1, 2017

As cyber attacks increase — the largest ransomware attack in history, WannaCry, took place in May and led to an estimated US$4 billion in losses globally — corporations are also increasing their spending on cyber security.

Among the beneficiaries of this wave of crime are cyber security professionals, whose job it is to fight cybercriminals.

According to HackerOne, a US-based web platform that connects businesses with researchers to resolve cyber security threats, security-conscious organisations had awarded more than US$7 million to over 3,500 of its registered researchers in 2016.

HackerOne’s platform allows corporates to form a bug bounty programme by authorising external parties to perform security assessments of their systems or applications, and subsequently rewarding the party that discovers vulnerabilities.

More than 600 organisations, including the US Department of Defence, General Motors, Uber, Twitter, Yahoo!, GitHub, Panasonic Aviations, Kaspersky Lab and Dropbox use the platform to find critical software vulnerabilities before criminals can exploit them.

Ranked the third best hacker globally by HackerOne, Shahmeer Amir is one of the researchers who earned over US$150,000 (or an average RM26,000 a month) in the past two years, resolving vulnerabilities for over 500 companies.

“I have a bachelor’s degree in electrical engineering, so cyber security was never something that I didn’t plan [to do], but I was always fascinated by the fact that computers can be hacked. I did not have a clue as to how to do it back then, but I had a keen interest to discover it. So I started learning from online resources and the rest is history,” the 23-year-old Pakistani tells The Edge on the sidelines of the Cyber Security Asia 2017 conference recently.

Shahmeer says 77% of bug bounty programmes find 50% of critical flaws in the first 24 hours and they are 48 times faster than a conventional security penetration test.

He once found himself capable of impersonating Google Inc’s support staff. “I could actually talk on behalf of them (within the internal communication system),” he says.

Shahmeer thinks that cyber security threats are inevitable, even within the top technology firm in the world, and to mitigate these risks, it all boils down to human factors. “Mitigating these risks is not just going in and talking to someone and deploying a firewall system. It is a bigger picture because when we talk about cyber security in general, people tend to ignore the basic aspect, which is the human element. You can patch all machines and loopholes, but the human element ... what are you going to do with that?

“This is the key aspect of cyber security. You have to educate your personnel so that they can protect your organisation from internal threats. About 80% of attacks that happened worldwide were because of internal intruders,” he adds.

Shahmeer says a company’s attitude towards cyber security also plays a crucial role in cyber warfare. “No matter how good the system is, if the user is stupid, then the system cannot protect a user’s data. It is like putting your name or your mother’s name as a password … they are easy to guess.

“Visa Inc and Mastercard Inc have the most secure systems on the planet. This is because they are very concerned about their security. Take Facebook. It pays US$500 for a single flaw identified in its system … and it has one of the top security teams in the world,” he says.

Shahmeer also suggests that corporates build an in-house computer emergency response team to counter cyber attacks. “In this era, the best way to prevent an attack is to be quicker than the attacker, so keeping up to date with the latest attack vectors helps a lot in overall infrastructural security. The top three controls businesses should put in place to manage cyber threats are firewalls, intrusion prevention systems and recursive drills and trainings.”

On the governmental level, Shahmeer says it is important for every country to have an institution that creates cyber security benchmarks to keep everyone on the same page.

“When it comes to cyber security, the whole world is young on it. You can put locks on doors or install vaults to secure money, but when something is on the internet, it is open, and anyone can take it and do whatever he wants. [That’s] because when the internet was put up there, there was no concept of making a secure foundation,” he explains.

With the world getting more interconnected — thanks to the internet and growing sophistication in information technology — Shahmeer believes the demand for cyber security experts and work for researchers will increase in the coming years.

“Cyber security is my area of focus because I believe that at a certain point of time, the world will need people like me to save it from the bad guys. Wars will not be fought with guns and tanks, but keyboards and computers.”

 

 
