Synack’s army of ethical hackers bolsters corporate security, US election systems
A cyber security company has recruited a global army of 1600 ethical hackers to test the security of corporations and government institutions.
The company is also bolstering security at remote voting systems for the US elections in a bid to prevent interference by hostile states.
Synack, which was founded by former members of the National Security Agency, stress tests its clients’ security by continuously trying to penetrate their computer networks.
Once so-called network vulnerabilities have been identified, they can be fixed or sealed to prevent possible attack by hostile states or criminal hackers.
Jay Kaplan, who co-founded Synack with Mark Kuhr, said that the main threats against western companies and government organisations came from Russia, China and North Korea, along with groups of cyber criminals.
Kaplan, a former NSA technical security expert, said the best way to test an organisation’s cyber security was by attempting to hack into its networks.
In an interview with National Security News, Kaplan said: “Right now we have just over 1,600 fully vetted freelance ethical hackers in the community from over a hundred countries around the world. The advantage that you get by using such a diverse pool of ethical hackers is different techniques, tactics, and procedures to uncover the vulnerabilities across our customers.
“Typically, when a customer engages with a consulting firm, you get one person. They come in for a two-week period, they send you a report, and then you go and remediate the findings.
“In our world, by having 50 to 100 security researchers assigned to a project at once, it lends to just higher efficacy and better results. It also enables us to operate much more continuously across our customer base, rather than it being more of just a point-in-time dynamic.”
Kaplan added that Synack’s main focus was to show its customers, which include over 20 federal civilian and defence agencies as well as Fortune 500 companies, where they are most vulnerable, so that they do not fall victim to nefarious actors such as cyber criminals or hostile states.
He continued: “In the past, organisations have employed a variety of different techniques to uncover and shine light on vulnerabilities in their organisations, whether that’s using big consulting firms, hiring people themselves, or using a variety of tools.
“The problem is that these tools and techniques haven’t really scaled up at times. And so, when we started the company back in 2013, we really sought to bring a new way of doing this type of work to the market. And we take much more of a crowdsourced approach to the problem, which is very differentiated in the market. And we leverage this worldwide network of freelance ethical hackers in over 100 countries around the world.”
Synack offers multiple tools to help a company improve its cyber security, but the company says its most significant product is Synack 365, which it says provides continuous testing across customers’ web applications, mobile applications, API endpoints and network infrastructure.
Kaplan said that Synack can protect companies because its ethical hackers, who have to undergo a lengthy vetting process before they are recruited, take on the role of a hostile state or a cyber criminal to find weaknesses in a corporation’s security.
Kaplan added: “This is pretty unprecedented in this space because what this means is that our ethical hackers are constantly on top of changes in these environments and retesting to find new flaws that might have been introduced.
“In the old model, the old way of doing this, typically you’re doing this once a year, you know, over a one-to-two-week period. The problem is as soon as that application environment is updated, those results are kind of stale.
“So, the exposure window is quite large until you conduct your next security assessment. And frankly, you’re probably not finding all the vulnerabilities that matter to you as an organisation because it’s one person.
“In our world, our customers come to Synack and they say, here’s what our attack surface looks like, or we help them map out that attack surface. We have a product that we call Attack Surface Discovery, which helps them understand this is everything that we can see from an attacker perspective, what’s on the internet and what can potentially be attacked by a nefarious actor. And then we will work with that customer to identify what are the most critical environments that should be tested continuously and what are the ones that maybe aren’t changing quite as frequently that we can maybe test once or twice a year. And through that scoping exercise, we will come up with an engagement model that makes the most sense for that customer.
“Once that customer launches, our researchers are notified that a new customer has been onboarded onto the platform. And the researchers that have expertise on the specific technology that those customers are leveraging will basically be able to sign up to access that particular customer and start performing testing. It is a very controlled exercise.”
Bolstering security for U.S. Presidential election against foreign threats
Kaplan also explained that Synack is working to ensure that the forthcoming election remains as secure as possible from interference by both hostile states and non-state actors.
Synack is also working to ensure that voter registration platforms remain secure.
He added: “We’ve been doing work on behalf of some of the voting system manufacturers, voter registration systems for a variety of different states and local municipalities. We’ve also been doing some work with some of the platforms that are enabling people to vote remotely, particularly those in the military that are deployed overseas. You know, there are new capabilities now that are enabling them to vote. Synack has been working on these types of security testing capabilities for many years now, dating back six, seven years ago, we’ve been doing security testing on a variety of systems. This election is no different.
“But I wish there were more municipalities doing more because I think we need to instil as much confidence in our systems as we possibly can. And I think having actual live hackers go after these systems gives people a lot of confidence that they’ve been tested, gives people confidence that their data is secure because it’s a lot easier to say after the fact that there are security problems and the election results aren’t real.
“But when you have these types of results saying, no, they’ve been stress tested, vulnerabilities are not available in these types of systems, I think it makes people feel a lot better.
“And so that’s what we’re all about and that’s the type of work that we’re doing. And that work is expanding, but it’s definitely not where we want it to be quite yet. We’re hoping to be much more comprehensive across all the states, given that a lot of the states are using different systems. It’s a challenge, but also a blessing in disguise, because it’s hard for a hacker to compromise the entire election system because every state is using something different.”