It was 3 AM when a high-profile investor in a fast-growing Asian startup called us. The situation was not pretty. In a panicked voice, he said: “The startup we invested a lot of money in has been hacked. The hacker can do whatever he wants with the service. Help us.” Hundreds of thousands of daily users depended on the mobile application, which was gaining traction and popularity daily. The entire business was on the line.
Any sustained damage caused by the hacker would mean severe consequences for a startup that was in a hyper-growth stage and beginning to be a leader in its segment. We went straight to work because the situation was dire. The CEO and technical team had effectively lost control over the business to the hacker.
What We Found
- Within a day, we found multiple attack vectors through which the hacker could compromise the startup and take control. Overall, we found over 20 critical bugs in the software. The attacker had an incredible number of options.
- The CEO didn’t take care of security because he didn’t understand it. He blindly left it to the technical department. An increase in sales and burn rate were his largest priorities. There was significant pressure from VCs to grow. Now, he paid the price — limitless amounts of stress and sleepless nights.
- Developers didn’t take care of security either. They were too busy struggling to maintain a hyper-growing startup while releasing features at breakneck speed. Basic controls and strategies were absent because the operation mode was “release first, think later.”
- The tech department was made up of “all-star” developers from some of the best universities in the world and the best computer science programs. Almost none had been exposed to proper security training for developers. They built an incredible product that was easy to maintain from a developer’s perspective, but it was also a playground for any skilled hacker once he was inside.
- The startup was lucky that the hacker had tech smarts but didn’t have the “street smarts.” Like all lottery winners, he didn’t know how to use his jackpot properly. He faced our team, and he was shut out. It was a situation where destroying the business was easy, but the hacker likely didn’t have the experience to take full advantage of his opportunity. Such luck is sporadic, and it saved the startup.
- Despite all this luck, we conclude that there was an irreparable loss of sensitive data and intellectual property; it is pretty much unavoidable.
Capabilities and skills enhancement: the critical element
Security-related capabilities enhancement and skills improvement for the entire company is still a huge issue. Just like software needs to be updated, humans need to stay up to date with the latest knowledge. This will not be solved by training just developers or hiring an experienced CISO.
Enhancing your capabilities is the core of cyber security, starting with people.
Training the tech department is not enough. Various training scenarios can help but can’t keep up with the rise in threats and technological advances. Management and all other regular employees are responsible for maintaining the organization’s security, and relevant capabilities/skills enhancement must be constantly implemented.
It’s the era of people-focused security.