Ethical hackers: How hiring white hats can help defend your organisation against the bad guys

Image: iStockphoto/supershabashnyi

Hackers have long held the reputation of gaining unauthorised access to computers for criminal-related activities, such as stealing money, identity, or more commonly these days, just to wreak havoc.

Some of the most recent notable attacks include when Sony Pictures was hacked, supposedly by the North Koreans, which cost the company $15 million and its relationship with many Hollywood celebrities such as Sylvester Stallone. Part of that catastrophe saw passwords, mailboxes, personal employee data, passport copies, and social security numbers being made available online.

Another hacking incident that drew worldwide attention was when extramarital affairs website Ashley Madison became a victim of a vicious online attack. Hackers that were responsible for the attack initially threatened to release user data for every day the website was live, before eventually data dumping approximately 10GB worth of member information including email addresses and credit card details.

But this slew of attacks has left the reputation of other hackers tarnished, according to Harper Reed, Braintree’s head of commerce, who blames the media for portraying hackers as “nefarious” people.

“Hackers aren’t necessarily criminals; they’re just people who are trying to mould the world around them into the world they want it to be, which also sounds very similar to all good people,” Reed said.

Reed, who identifies himself as a hacker, went on to explain that the hacker ethic is about solving puzzles, which means the definition of a hacker covers a fairly broad spectrum.

“There are amazing hackers out there building companies every day. People are changing the world; some are doing very controversial things, some are doing very normal things. But if you say you want to work with a bunch of developers and you thought ‘that’s a really great hack,’ you could be talking about something very accessible for people with disabilities or you could be talking about leaking government documents,” he said.

According to Symantec’s 2016 Internet Security Threat Report, Australia ranked no. 1 across the Asia Pacific, and ninth globally, for ransomware attacks, with the average number of attacks per day increasing 141% from 2014 to 2015. The report also highlighted that incidents caused by attackers made up 46% of the top causes of data breaches.

In order to combat the exponential rise of online attacks, security companies, businesses, and government organisations have started to recruit their own team of hackers. Unlike their criminal counterparts (black hat hackers), white hat hackers, also known as ethical hackers, are hired to help organisations identify and fix security flaws in their systems.

Sean Lim, vice president of the International Council of Electronic Commerce Consultants (EC-Council), an ethical hacker certification body, explained that ethical hacking is one of the fastest-growing spaces globally, mainly because organisations have realised the need for it.

Lim went on to say that while the approach taken by black, white, and grey hat hackers—the last otherwise referred to as “crackers”, who hack systems to draw the attention of owners without malicious intent—is the same, their motivations are often different.

“Today we see the key motivation has become very financial. In the early days it was related to an outburst of rage and people only did it because they wanted to gain infamy or some kind of notorious reputation,” he said.

“But more and more we see two types of hackers: One financially motivated, and two state-sponsored, which means countries that want a cyberwar because they want to gain an upper hand on where they stand globally. Many of these hacks, we notice, are very complex and quite difficult to imagine a group of hackers would have access to such technology and money that would fund such technology.”

The Digital Transformation Office, which was formed by the Australian government and tasked with creating a single online myGov portal for dozens of government-related services, went on a search at the end of last year to hire an ethical hacker to join the team.

The DTO ethical hacker, who has chosen to remain anonymous, revealed their role at the organisation is to identify, advise, and support the DTO.

“I am able to help design detection mechanisms to identify attacks more effectively than someone who has not had experience being an ethical hacker,” the person said.

A DTO spokesperson said hiring the ethical hacker will help the organisation secure products built at the DTO by working closely with developers and web ops engineers to amend problems they discover, including security problems such as software defects.

“At the DTO, the ethical hacker is involved in all aspects of system development. This means finding potential security vulnerabilities are easier and cheaper to fix. It also means potential security design flaws can be mitigated before the project has progressed past the point to which it is expensive and time consuming to rectify,” the spokesperson said.

This is similar to the approach the US Pentagon recently announced it was taking. According to the Pentagon, it is the first time the federal government has undertaken a program in which outsiders attempt to breach its networks, with officials saying the department’s systems get probed and attacked millions of times a day.

The program, called “Hack the Pentagon,” will begin in April with department officials and lawyers still working through a number of legal issues involving the authorisation of white hat hackers to breach active defense websites.

Officials said the pilot program will involve public networks or websites that do not have any sensitive information or personal employee data on them.

It is being called a bounty program, but it is unclear if the hackers will be paid a flat fee or based on their achievements, or whether they will only be offered the glory and notoriety of breaching one of the world’s greatest military systems.

Lim highlighted that, for most companies, hiring ethical hackers can be a costly exercise, despite it being one of the most in-demand skills. The alternative for many is to outsource the skill to security companies.

Nick Savvides, Symantec ANZ information protection business manager, agreed, saying the task of ethical hackers goes beyond conducting a general security assessment, which he said focuses on examining a company’s policy and checking whether the work carried out in practice lines up with it. An ethical hacker, by contrast, Savvides said, works outside the confines of a business’ policies.

“It’s really the ability to have someone act as a bad guy for you to test the integrity of your systems, processes, and your people, and let you know where the weaknesses are,” he said.