Vaccinations are controlled, low impact measures that trigger significant improvements in an organism's defenses – and working with so-called 'ethical hackers' may be the digital equivalent for an organization. That's what Inti De Ceukelaire, a well-known ethical, or 'white hat', hacker, thinks. De Ceukelaire previously worked for Flemish broadcaster VRT and now co-runs the 'ethical hacking platform' intigriti. He will be speaking at the EBU Media Cybersecurity Seminar, 22-23 October 2019 at EBU Headquarters in Geneva. We spoke with him ahead of the conference.
EBU: How vulnerable are media companies today?
De Ceukelaire: I wouldn’t say media companies are any more or less vulnerable than other companies. But in the six years I’ve been doing this, there hasn’t been a single testing target that we as a collective haven’t been able to breach or find vulnerabilities in. A lot of industries, not just media companies, use technology, so they’re all vulnerable.
Perhaps the more pertinent question is: how interesting a target are media organizations?
Media companies reach millions of people, and they increasingly manage data. In the context of fake news and dark political campaigns, media organizations – with their access to audiences and the data they hold – are a holy grail. Media companies are also more likely than others to draw angry reactions from people with extreme political views – including some hackers, or their employers.
And there’s a third important aspect: a potential target is more interesting if the effort required to get in is low. In a way, it’s about opportunity, and hackers think about return on investment like anybody else. Banks for example may be very juicy targets, but they’re also highly secured. That means a large number of hackers out there is more likely to attack a weakly secured start-up company instead.
Nothing is completely secure – it could be one of your many connected systems, a single computer that hasn’t been updated, or an employee ignoring security measures – but the key is to make it as hard as possible.
You encourage organizations to work with "ethical hackers". How?
It’s a question of your mindset: do you want to be aware of your mistakes and learn from them, or not? If you want to learn from them, then work with ethical hackers. Ethical hackers are motivated by the challenge, not by criminal energy. Having your systems probed in this way will uncover vulnerabilities.
But you shouldn’t just “open up” your company and invite hackers to hack you. You should do it in a regulated way that eliminates as much risk as possible. There are many pitfalls in the cyber world. In my talk (at MCS 2019), I will describe processes that you should focus on, such as bug bounties, but also other things.
Something else we started with during my time at VRT is to set up a responsible disclosure programme. It’s a way for hackers to legally report vulnerabilities to you, not a carte blanche to abuse that vulnerability. Years ago I found a very bad vulnerability in a social media website. But I didn’t dare to report it, even though I had no bad intentions – because reporting it makes you a hacker, and that means you could face jail time.
Bug bounties and responsible disclosure programmes are ways to give the good guys a chance.
What difficulties do broadcasters typically need to overcome to implement such programmes?
Some broadcasters, like the BBC for example, have been working with ethical hackers for a long time. At VRT we were one of the first. Other industries, like fintech, might be a little ahead, because regulations now actually force many banks to work with ethical hackers and do these kinds of tests. Banks started doing this more systematically one or two years ago, so I’ve seen a big increase there.
But all large media companies, just as organizations in other industries, have a central challenge to overcome: they have a lot of product owners. That can make it harder to start working with ethical hackers. Because if you do, you then have to be ready to react and get the problems you discover fixed. Everybody has to be aligned. It’s easier to do this in smaller companies.
For big companies it’s also about perceived risk and responsibility. They’re more complex, use more systems, have more complicated procedures, so they’re more afraid of something that could go wrong, like a hacked live broadcast, and less likely to let ethical hackers near their systems. But these worries are unfounded, and nothing compared to the risk of doing nothing.
The biggest difficulty is probably that people don’t know where to get started. In my talk I will go through this – how you can get started for free, options and pitfalls, and how to get the right things started in a legally sound way.
There are ways to work with ethical hackers that are legally sound and eliminate most of the real risks involved.