Securing the Financial Sector One Ethical Hack at a Time with Kayla Underkoffler of HackerOne
In this episode of PayPod, our host Jacob Hollabaugh delves into the world of financial innovation with Kayla Underkoffler, the Lead Security Technologist at HackerOne. Kayla shares her expertise and insights into the evolving landscape of cybersecurity, especially as it relates to the financial services industry.
Lessons You’ll Learn:
In this episode, Jacob and Kayla stress the growing importance of cybersecurity in finance as the sector digitizes. Kayla explains HackerOne’s role in connecting organizations with ethical hackers to strengthen security. They discuss the vulnerability classes most often reported in financial services programs, like cross-site scripting and improper access control, and the industry’s progress in speeding up vulnerability fixes. The episode also explores the impact of emerging technologies, such as cryptocurrencies and blockchain, and makes the case for proactively engaging ethical hackers to secure these innovations.
About Our Guest:
Kayla Underkoffler serves as the Lead Security Technologist at HackerOne, a company dedicated to human-centered security testing. With a strong background in cybersecurity, Kayla has a wealth of knowledge and experience in the field, making her a valuable resource for organizations looking to strengthen their security posture.
In this episode, Kayla Underkoffler discusses cybersecurity in the financial industry, highlighting the role of ethical hackers and the need for efficient vulnerability remediation. She covers the most common vulnerability types reported in the sector, including cross-site scripting and improper access control, and explains why rapid fixes matter. The impact of emerging technologies like cryptocurrencies and blockchain is also discussed, underscoring the importance of proactive collaboration with ethical hackers.
Our Guest: Mastering the Art of Financial Cybersecurity with Kayla Underkoffler
Meet Kayla Underkoffler, a cybersecurity maven with a passion for protecting the Fintech realm. With over three years of experience as a Lead Security Technologist at HackerOne, she’s been on the front lines of the battle against cyber threats. Kayla is no stranger to the world of strategy and cross-functional coordination, having honed her skills during her time at The Walt Disney Company and as a Technology Alliances Manager. She’s your go-to gal when it comes to defending the digital frontier!
But Kayla’s journey into the cybersecurity galaxy didn’t start there. She’s armed with a Master of Business Administration from the University of Maryland – The Graduate School, where she gained the knowledge and skills needed to tackle the ever-evolving landscape of digital security. Her Bachelor’s degree in Management Information Systems from the University of Tampa laid the foundation, and her minor in Cybersecurity showed her commitment to the cause.
When she’s not busy safeguarding the digital universe, Kayla finds time to give back. As the Founding President of SHINE Philanthropy Council and a member of various other student organizations, she’s a force for good both in the virtual and physical worlds. So, whether she’s defending against digital marauders or championing charitable causes, Kayla Underkoffler is a cybersecurity superhero worth celebrating!
Kayla Underkoffler: They’re going to go about traditional security issues in a different way than your internal team is going to do. They don’t have the boundaries in place. They don’t have the political bureaucracy raining down on them. Their goal is to find valid bugs. A lot of them, if they’re working in a vulnerability disclosure space, which is less incentivized, they’re still reporting those vulnerabilities in good faith because they found them. And these ethical hackers, they’re very excited to be able to be in on the ground floor of this. 61% of our hackers said that they are going to use and develop hacking tools from Gen AI to find vulnerabilities. So there is a very demonstrated eagerness in this community, and I think that’s a big thing that we need to make sure we really encourage.
Jacob Hollabaugh: Welcome to PayPod, the payments industry podcast. Each week, we’ll bring you in-depth conversations with leaders who are shaping the payments and fintech world, from payment processing to risk management, and from new technology to entirely new payment types. If you want to know what’s happening in the world of fintech and payments, you’re in the right place.
Hello everyone, and welcome to PayPod. I’m your host, Jacob Hollabaugh, and today on the show we are going to be diving into the security side of the financial world. As digitization has compounded, to say the least, over the last few decades, so too have the threats looking to capitalize on that digitization and threaten your monetary assets. Keeping your data, your information, your money secure has never played a bigger role in the financial landscape and the payments ecosystem than it likely does today. So we’re going to talk about what makes a financial institution vulnerable, how it can protect itself, and much more on the security front. Joining me, as always, I have an expert in these topics. I’m joined today by Kayla Underkoffler, lead security technologist at HackerOne, the company empowering the world to build a safer internet, bringing peace of mind from security’s greatest minds. I really love that tagline, gotta say. Kayla, welcome to the show. Thank you so much for joining me today.
Kayla Underkoffler: Yeah, thanks for having me. I’m excited.
Jacob Hollabaugh: Yeah, I always add the taglines of the companies that we’re speaking with, and I really enjoyed that one. I think it’s spot on, and it gives me peace of mind that the company you’re with, HackerOne, knows what they’re doing. The name is interesting and fun and may even scare some people. Like, wait a minute, aren’t hackers supposed to be the other side of the equation in this world of cybersecurity? So first things first. Can you give me and the listeners just a quick overview of who HackerOne is, what you offer, who you work with, the general overview?
Kayla Underkoffler: Yes, absolutely. So at HackerOne we are the leading provider of human-centered security testing, human-powered security testing. Really what we do is we help customers understand exactly where the vulnerabilities are across their whole attack surface, and then we help connect them with the ethical hacking community that can run continuous security testing on those assets, on that environment. We work to connect the best minds with the best organizations and really help with continuous security efforts all across the gamut. Of course, our focus is a lot on bug bounty programs and vulnerability disclosure, and we also work within penetration testing. So it’s really there to help cover all of those basic security practices and just make sure we have the community there to actually support our customers. And as far as who we work with, we work with really everybody in the financial sector. We’ve got PayPal and Goldman Sachs, for example, as some of the institutions we work with, and we work with government entities all the way down to small business. I love seeing the variation of customers we get to interact with. Everybody’s use case is different and the same all at the same time. So it’s been really cool to see.
Jacob Hollabaugh: I love that. How old is the company? And more so, you mentioned the ethical hacker community, which I’m well aware of, but I think it’s one of those things that, the first time someone hears about it, they’re like, wait a minute, that’s a thing? How old is HackerOne itself? But then also, when did that ethical hacker community come around, and when did the idea of approaching cybersecurity from this point of view come around, of let’s get the people who figured out how to do all the bad stuff the best, but are willing to do it for the good of stopping all the bad stuff? When did that mentality come around?
Kayla Underkoffler: Yeah. So HackerOne, we just celebrated our ten year anniversary not very long ago. So obviously our space started out mostly within the vulnerability disclosure and bug bounty focused security services. It came out of a great need to connect this ethical hacking community who, as far as when they’ve been around, I really mean they’ve been around forever. It’s that idea of the hacker being that curious mindset, that person who wants to understand how things work. Maybe that’s through breaking the things, because how are you really going to know the boundaries unless you push them? So that hacker community has always been there within the development space, the engineering space, and then, of course, security as this, I guess you could say, younger industry, but not really. It’s been there from the beginning. So the formalization of this ethical hacking community really started along with this idea of bug bounty platforms and vulnerability disclosure programs, and having this central channel to be able to send vulnerability issues directly to organizations. So there are multiple platforms out there that help connect hackers to companies. So that’s a lot of how the actual formalization got started, being able to connect the two and ensure that these researchers... So the ethical hacking community is a very diverse group. You have the security researcher folks who very much like to be in that category. They’re not doing this for the money. They’re there to really explore and break and build. There’s that side, and then you’ve got the younger side of this community that just loves the hacker title. And they really want to embrace the hoodie aspect of it all. And so being able to channel all those entities to the right organizations is a big part of what we do and what we’ve been doing from the beginning.
Jacob Hollabaugh: Love it. Let’s turn to the financial services industry then specifically now. What is it about? I mean, obviously it deals with money, and money is as valuable as anything for us. But beyond that, very obvious. Like it’s money compared to everything else. Is there anything about the financial services industry or the way it operates that makes it unique from a cybersecurity point of view?
Kayla Underkoffler: Yes, definitely. The criticality of the industry, being specifically one of the 16 critical infrastructure segments that CISA, the infrastructure and security agency... someone will know it. CISA, they’re a subagency of the Department of Homeland Security. So there you go. The financial services segment is one of those critical infrastructure pillars. So the emphasis on making sure security is there in every layer, defense in depth, and not just there, but that it’s done really well, is something that’s baked into financial services. That has maybe come around a little bit slower in other areas. It’s a very traditional and conservative group as far as the type of security practices and organizations they work with. A lot of in-house work, very big, very mature security teams. So the regulation and the governance that’s over the financial industry is really what kind of drives the need for them to be able to sustain that type of a footprint. Which all, again, ties back to what you said. It’s a critical infrastructure segment. But beyond that, the reality is, like, it’s not all that custom. It’s still the basic security practices and the basic security hygiene that financial institutions just have to do really well. And I’d say that’s the biggest difference. Like, they don’t get as much leeway as some of the other sectors do.
Jacob Hollabaugh: Yeah. And with that then across all kind of cybersecurity, all cybercrime, where does financial services fall on the list of industries or places that hackers focus on? Is it one of I’d imagine because of its critical nature, it’s like one of the maybe most focused areas that sees the most attention from the hacker community or am I wrong about that? Is it equal to a bunch of others, or where does it fall on that list of where they focus their time?
Kayla Underkoffler: Yeah, it’s definitely a popular one. It’s not the most popular; that really lies within the internet and online services space for our hackers. But the actual engagement this year from our... So we have a Hacker-Powered Security Report which was just recently released. It’s got a ton of really great information that was collected from our hacker community, from our customers. It’s a great resource for anybody who’s interested in this space. One of the statistics out of that was actually about engagement in the financial services programs specifically: 53% of hackers are now engaging with financial services programs, which is a great statistic. It’s a great number of interested individuals who are there to help protect financial services and the underlying technology there.
Jacob Hollabaugh: I’ll echo what you said. I was reading that Hacker-Powered Security Report, the most recent one from this year, and it is a super helpful document, especially for less initiated folks like myself. I’d encourage anyone interested in getting a better understanding of just the lay of the land, and some of the more high-level things we’re touching on here, to check it out. We will link it in the show notes. And I did have a couple other questions after reading it about some of the numbers it shared. The main one being that it listed out the most common vulnerabilities for each sector, and obviously I was most interested in the financial services one. Could you give me a couple of those? What are the most common vulnerabilities for the financial services industry, where the most attacks are taking place, or where the most attention is being focused?
Kayla Underkoffler: Yes. Yeah, definitely. So overall, the top three vulnerabilities from the report that are on our platform, so vulnerabilities that are reported through our platform: the top is cross-site scripting, and then from there we get into improper access control and information disclosure. So just quick examples to put some context around what these vulnerability types are. So when you’re talking about a cross-site scripting vulnerability, you’re talking about maybe someone’s built a form and they have that online, out there for anyone to engage with.
And unfortunately there were some issues on the back end of this form when it was created that allow for extraneous code to be plugged into a field, code that wasn’t meant to be put there. So let’s say it’s a name field. I’m supposed to put Kayla into this field and instead I put malicious code. If the form itself isn’t built right, and really the back end processes, when I put in that malicious code, if it’s sent back to the infrastructure on the back end or there’s engagement there that allows that code to execute, there’s a whole myriad of things I could do from that point. And that’s where the problem has officially opened up: I was able to execute something I shouldn’t have been able to do on this form. So a lot of the things you can see as results of that vulnerability are something like, so now I own this form as, let’s say, a bad actor. If I’m a bad actor, in this case, I own this form, and now I might redirect somebody who’s filled in this form and is trying to interact with it to another site that looks a lot like the site they’re familiar with and are trying to go to, but I own it and I’m collecting that data. Or I might use the ability to get in through that form to watch traffic going back and forth and collect data instead of actually sending them somewhere. I’m just going to collect their interaction with the legitimate website. So that’s what cross-site scripting is.
When we get specifically into the financial sector, the top two vulnerabilities combined were improper access control and information disclosure. They make up one quarter of all the vulnerabilities submitted for financial services programs on the HackerOne platform. So basically what this means is that the proper checks to be sure that the right people or actions are interacting with the data aren’t there. So anybody is able to see or interact with something that they’re not supposed to be able to interact with. To put that in the financial services perspective: when you’re interacting with a financial services application, and there’s some business logic error in the back end that has left the improper access control, someone’s able to see what they shouldn’t be able to. That can often lead to things like, I can now interact with someone else’s account information because the logic errors were there behind the scenes. And so now I’m able to log in and interact with someone’s information I’m not supposed to be able to see. And when you put that into the financial services industry, that obviously demonstrates the high impact of it. You’re looking at someone else’s money, someone else’s history, someone else’s information. So those are definitely very important areas for the financial services industry, and those are the top vulnerabilities that are reported.
Jacob Hollabaugh: And when a financial services company has one of these vulnerabilities, has a bug in it that needs fixing, what does the time and cost commitment look like to actually take care of the issue? Because that’s always one of the... I did, in a former life, briefly host another podcast about cybersecurity. And one of the main things in my short stint in this world was just talking about how everyone says how important security is, but they don’t actually want to think about it or do anything about it until something bad has happened and they have to fix it. And then from that point forward, they might understand the importance of being proactive and preemptive. So this leads to that argument that the main reason is maybe because of how long it’s going to take, or how much you could lose just off of that one vulnerability. So can you put into perspective a little what that commitment looks like, time and cost wise, when you have one of these vulnerabilities pop up that you need to have someone come in and fix?
Kayla Underkoffler: Yeah, absolutely. Generally, when it comes to the programs that we have on the platform, everybody has their own commitment that they make. These organizations have their own commitment that they make for this is how long it will typically take us to address this vulnerability. That might be 30 days, 90 days for a low severity vulnerability. So they’re going to communicate that through their program. And then when it comes to the actual detailing of how long it takes someone to remediate a vulnerability, the cool thing about being on the HackerOne platform is that you can track that number. So across the platform, this is another metric within the Hacker-Powered Security Report. Across our platform, the average time to remediate a vulnerability dropped from 35.5 days in 2022 to 25.5 days this year. So that’s a ten... Yeah, it’s a ten day improvement. That is really incredible to see. Financial services, though, specifically went from 26 days to 18 days year over year. And that’s super impressive, because remediation is very challenging. That is one of the... My background pre-HackerOne, I was on a vulnerability management team. I did a lot of the vulnerability scanning. So I was the one everyone hated to interact with, because I was telling them they had this vulnerability that they had to fix. And it was easier for me because I didn’t have to fix that vulnerability. I just said, look, this is what I found. You need to fix this. Remediation is one of the hardest tasks in security, and it’s also the most critical. We find vulnerabilities and they have to be fixed. So it’s a huge area of focus for everyone, and especially in the financial services industry, because they’re popular targets. So when a vulnerability is released, they need to be fast, they have to be fast to remediate.
So it’s great to see this, this huge improvement from them and to bring it to 16 days on average is just super worthy of applause for the industry in general, and definitely something for other segments to strive for sure.
Jacob Hollabaugh: Yeah, it’s definitely incredible advancement, and then at the same time, from the institution standpoint, to still think of one day with that vulnerability is scary. So it’s incredible, and they should be very thrilled with folks like yourself in the community who are bringing that number down and down. But that shouldn’t let them, hopefully doesn’t let them, start thinking it’s okay, like they’re getting so good at this, they’ll fix it super fast. Because one day with the vulnerability is one day that something could really go wrong. And it’s fantastic that we’re getting better and better at fixing them, but you still want to avoid them. And if you do have them, you want to get the best in there quickly to get through that cycle as fast as possible. Let’s close out discussing a couple recent trends that I’d imagine are just as big, if not bigger, talking points in the world of cybersecurity as they are in mainstream culture right now. The first one is maybe less in mainstream culture right now, but still a big talking point in the financial world, and I expect one day in the mainstream culture again: cryptocurrencies, and blockchain technology in general. Crypto is kind of, you know, the first use case where everyone heard the word blockchain, but blockchain goes well beyond just cryptocurrencies. Those types of technologies, blockchain-based technologies, how have those, if at all, changed the security world within the financial industry? Or looking forward, how could they possibly, if they were to start to grow in popularity and use cases again? Does it dramatically change what folks like yourself are doing, or what institutions need to be concerned about from a security front? How do those kind of just interact with the industry as a whole?
Kayla Underkoffler: Yeah, so the overall trend of what maybe has these new focuses, like what has it changed in security? The big thing is that this is really still emerging, right? Crypto and blockchain is still emerging, still taking shape, especially from the security perspective. Because even though the underlying technology of blockchain was originally, and still is, a very secure technology, the problem becomes that on the back end there are still traditional security issues that allow for problems to take place, that allow for bad guys to get in and cause problems. It’s the traditional behind-the-scenes issues. So while blockchain in and of itself and crypto, they’re super high value targets for the cyber criminal gangs of the world, very sophisticated cybercrime gangs and ransomware gangs especially, who target this space a lot, the underlying technology is probably not going to be what they’re going to go for first. It’s going to be the more simple back-of-house traditional issues that go into having a defense in depth approach for any organization. So that’s the big takeaway here, is that even though we have these new technologies that, of course, financial services want to take advantage of, they want to adopt these cryptocurrencies.
Kayla Underkoffler: They want to be able to attract new retail customers by doing this. But every time you do that, you also get a bigger target on your back from these bad actors. And so making sure you’re putting the proper emphasis on the behind-the-scenes security just as much as the new technologies is really critical, because the big thing for crypto specifically is that with traditional financial services, we have human redundancies built in. If there’s a hack to a piece of technology that deals with traditional financial services, it’s likely that your money will be refunded. It’s likely that they will be able to handle this. They have backups for this, there are processes in place. In the crypto space, that’s not the case. Those redundancies haven’t been built in yet. There’s no undo button. So if something happens, your funds are just gone. And that changes the picture of impact for crypto. And again, that’s just why it’s so important to consider the entire defense in depth strategy, which is not all that different from how we operate today in all the other spaces. It still goes back to the basics of making sure that you have a proper security posture in place.
Jacob Hollabaugh: Yeah, makes total sense. The other trend, then, that I want to ask about is the continued proliferation of AI tools. Really, anyone with an internet connection at this point has some pretty amazing tools and programs at their fingertips, even a layman who would have had no idea how to consider using these things in years past. Now it’s right there for anyone that wants to try to use it to do some pretty amazing things. How do you see the effects of generative AI and these new tools playing out on both sides of the cyber coin? From the standpoint of the bad actors, making things a lot easier, or maybe giving access to some things that used to be a little more complex or a little easier to spot, certain things now made easier for them; as well as from the standpoint of folks like yourself trying to thwart those or point out the vulnerabilities. What do you see the proliferation of these tools doing to the industry over maybe the next half or so?
Kayla Underkoffler: It’s like the same with the emerging nature of this. It’s like high speed. Right now new things are being built every second, and often not with security in mind. So one of the things that I think is very important with AI is that we learn from some of our past mistakes in building new technologies and the next new thing, and that we actually tap into the ethical hacking community more than we have in the past. Because the truth is that these folks, they are so curious about anything that’s new. They’re hackers. They want to understand it all. They want to be on the bleeding edge and they want to secure it. They want to find the issues. And the more we can depend on that community to help us rapidly secure these new technologies that we’re rapidly developing, the better off we’re going to be over the next ten years of AI development, right up front.
Jacob Hollabaugh: When you’re building the thing, to poke holes in it, versus once it’s built, can you come and fortify it? But now we know you’re there, and we should use you proactively so we have to do less rebuilding in the future. If you’re actually here for the whole ride, you can help us poke the holes as we go along and streamline this process a lot better, I’d imagine.
Kayla Underkoffler: Exactly, yes. And when you engage with the hacker community, that’s one of the big things. They’re a very creative group. As far as their specific focus on security, they’re going to go about traditional security issues in a different way than your internal team is going to. They don’t have the boundaries in place. They don’t have the political bureaucracy raining down on them. Their goal is to find valid bugs and hopefully get paid for those if it’s via bug bounty. A lot of them, if they’re working in a vulnerability disclosure space, which is less incentivized, right? Like, with bug bounty you’re paying for valid vulnerabilities to incentivize that security research; with vulnerability disclosure, yeah, they’re still reporting those vulnerabilities in good faith because they found them. And these ethical hackers, they’re very excited to be able to be in on the ground floor of this. And that’s one of the things we really need to learn from past development efforts and make sure that we really are engaging them. And that is happening. That’s certainly happening. Like, some statistics from the Hacker-Powered Security Report: 61% of our hackers said that they are going to use and develop hacking tools from Gen AI to find vulnerabilities. And then another 62% of hackers plan to specialize in the top ten large language models, the OWASP Top 10. So there is a very demonstrated eagerness in this community to actually partake and help secure. And I think that’s a big thing that we need to make sure we really encourage as the development of AI continues.
Jacob Hollabaugh: Yeah, I’m right there with you. I came into this conversation very hopeful for that community to do a lot of amazing and good things for us, and for everyone to give them the opportunity to do so. And I’m leaving it even more hopeful in their abilities, and fingers crossed on the side of the institutions and whatnot in the financial world. As much as they’ve developed as fast as any industry, it’s almost because they’ve had to. They have been a little staunch in their ways and a little slow with some of the infrastructure over the years, and I’m fingers crossed that they are trying to be proactive in bringing in communities like the ethical hacker community, to let them do what they want to do and help us make a better and safer internet, to bring it back to your wonderful catchphrase for the company. So, Kayla, this has been a real pleasure. For those listening who may want to follow you or learn more about HackerOne, keep up with everything you and the company have going on, and read these wonderful reports like the one we’ve been citing here, where would be the best place for them to go to do so?
Kayla Underkoffler: We have a great presence on LinkedIn. We have a lot of different events that we publish there, and resources. So definitely, of course, LinkedIn is a great place. Our website has all of that information as well. Blog posts can be found there that have a lot of technical resources, a lot of definitions of what we do in the space. So yeah, I’d say those are great starting points.
Jacob Hollabaugh: Wonderful. We will link to those and more in the show notes below. Kayla, thank you so much for your time and knowledge today. I’ve greatly enjoyed it and hope to speak again sometime soon.
Kayla Underkoffler: Yeah thanks, Jacob, appreciate it.
Jacob Hollabaugh: If you enjoyed this episode and want to hear more, head on over to soarpay.com/podcast to subscribe on your podcast listening platform of choice. That’s soarpay.com/podcast.