Cybersecurity is a lot like The Force in the Star Wars saga in that there are definitely dark and light sides. The challenge is that no one knows for sure how many individuals with cybersecurity expertise are on each side. What we do know is that the bonuses and incentives on offer to attract individuals to the dark side of the proverbial Force appear to be a lot higher.
A report published this week by Digital Shadows, a provider of risk assessment tools, notes that the prize money being offered to individuals willing to contribute write-ups of how to compromise applications and systems has risen sharply on Russian-language cybercriminal forums such as Exploit and XSS. According to the report, these contests are now being openly sponsored by ransomware groups such as Sodinokibi, also known as REvil.
Prizes now range as high as $15,000 for articles on subjects such as the following (the list is reproduced from the forum announcement as quoted in the report):
“Searching for 0day and 1day vulnerabilities. Developing exploits for them
APT attacks. Hacking LAN, elevating rights, hijacking domain controller, attack development
Interesting combinations, algorithms. Writing your own crypto algorithms and hacking other people’s
Innovative functionality, reviews, analysis of interesting algorithms that are used, development prospects
Forensics. Digital forensics. Software, tricks, methods”
In contrast, cybersecurity researchers who spend a few months looking for vulnerabilities can expect a bounty of somewhere between $100 and $35,000, depending on the severity of the flaw discovered. The Cloud Native Computing Foundation (CNCF), for example, offers bounties of between $100 and $10,000 for security flaws in Kubernetes code. Note the asymmetry: a legitimate bounty pays only for a confirmed flaw, while the forum contests pay for the article itself. The trouble is that gaining access to an application or system and testing it thoroughly for vulnerabilities takes a great deal of time and effort, so in many cases the cybersecurity experts engaged in this research may be earning the equivalent of minimum wage for their efforts. It is also true that there are many organizations willing to pay a lot more for the same information.
More troubling still, a recent report from Deloitte suggests most organizations are not especially well prepared to fend off an attack from the dark side. A survey of 2,282 C-suite executives conducted by Deloitte finds that nearly 65% of respondents are aware that destructive cyberattacks, such as NotPetya, represent one of the top cyber risks at their organizations. And yet only a quarter of respondents (25%) said their organization had a comprehensive approach, including new education tools, technical solutions and business strategies, to address these types of cyberattacks. The remaining 75% said they are still working on it.
Most cybersecurity professionals, however, know that C-suite executives are not especially good judges of what a comprehensive cybersecurity strategy needs to entail, so many of the 25% of respondents who believe they have one in place are most likely sadly mistaken.
The good news is that there are many cybersecurity professionals committed to the light side of The Force. Like their counterparts in the Star Wars movies, they are both outnumbered and outgunned. The immediate challenge is signing up more recruits to reduce the chronic cybersecurity talent shortage. Longer term, advances in machine learning and deep learning, alongside other artificial intelligence (AI) and advanced analytics technologies, should help level the playing field. In the meantime, may the Force be with the cybersecurity professionals who remain committed to the light side.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications, including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.