Originally published in Forbes on July 29, 2019
Brands are under pressure to protect themselves and their customers from increasingly sophisticated cyber attacks. With daily media headlines and new regulations, consumers have never been more aware of the threats out there. As a result, businesses are being forced to take the issue of cybersecurity more seriously, facing it head on and putting in place the necessary steps (e.g., encryption, two-factor authentication and key management) to protect their data from hackers.
One avenue that's not commonly talked about is the value ethical hackers can bring to a business. The common perception is that all hackers are the bad guys, but this is a mistake. Unlike their Black Hat counterparts, who use their skills illegally, White Hat hackers use the same skills ethically to keep companies safe. They are brought in, with the company's authorization, to test and bypass its defenses; rather than exploiting the vulnerabilities they find, they report them and advise on how to fix them.
These gaps are usually found in poor or improper system configuration, software or hardware flaws, and operational weaknesses in processes or technical countermeasures. It's important to note that passing a test is not a guarantee that a company is secure: the result is a snapshot of the systems in scope at the time of testing, and a skilled, well-resourced attacker may find what the tester did not. It does, however, raise the bar considerably against automated attacks and unskilled hackers. But how do ethical hackers test a company's defenses, and what techniques do they use? Four key methods include:
- Monitoring: They'll reconnoiter a company to understand what data it creates and stores and where the sensitive data lives -- the gold mine hackers are after.
- Testing: Existing defenses will be probed for a way through, such as services missing security patches or ports left open that need not be.
- Diving: Ethical hackers will also go dumpster diving (i.e., they'll go through physical and digital bins for charts, passwords and any other sensitive data they could use to launch an attack).
- Surfing: Shoulder surfing (looking over someone’s shoulder) to view what they’re typing is another common method.
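Of the four methods above, the second one, probing for open ports and out-of-date services, is the one that lends itself to a short worked example. The Python below is added here and is not from the original article or any named tool. It performs a TCP connect scan with a banner grab against throwaway listeners it starts itself on 127.0.0.1, so it runs offline. The service banners and the watch list of outdated version strings are constructed for the example, not captured from any real host, and the function names are chosen for this example only.

```python
import socket
import threading
from typing import Dict, List, Optional

# Constructed sample banners served by the local throwaway listeners below.
# They are illustrative strings, not captured from a real host.
SAMPLE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n",
    "smtp": b"220 mail.example.test ESMTP Postfix\r\n",
}

# Constructed (hypothetical) watch list: banner prefixes a tester treats as out of date.
OUTDATED_BANNERS = ["SSH-2.0-OpenSSH_7.2"]


def start_fake_service(banner: bytes) -> int:
    """Start a throwaway TCP listener on 127.0.0.1 that sends `banner` to each
    client and then closes. Returns the ephemeral port it bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port() -> int:
    """Bind and immediately release an ephemeral port so the scan has a closed
    port to contrast with the open ones (for demonstration only)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def grab_banner(host: str, port: int, timeout: float = 0.5) -> Optional[str]:
    """TCP connect scan of one port with a banner grab.
    Returns None if the port is closed or filtered, '' if it is open but
    silent within the timeout, otherwise the banner text."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return ""
            return data.decode("latin-1", errors="replace").strip()
    except OSError:  # ConnectionRefusedError and socket.timeout are subclasses
        return None


def scan(host: str, ports: List[int]) -> Dict[int, str]:
    """Return {port: banner} for every port that accepted a connection."""
    results: Dict[int, str] = {}
    for p in ports:
        banner = grab_banner(host, p)
        if banner is not None:
            results[p] = banner
    return results


def flag_outdated(results: Dict[int, str], watch: List[str]) -> List[int]:
    """Ports whose banner starts with any entry on the watch list."""
    return [p for p, b in results.items() if any(b.startswith(w) for w in watch)]


if __name__ == "__main__":
    host = "127.0.0.1"
    open_ports = [start_fake_service(b) for b in SAMPLE_BANNERS.values()]
    targets = open_ports + [free_port()]
    found = scan(host, targets)
    for p in targets:
        print(f"{p:5d}  {'open' if p in found else 'closed'}  {found.get(p, '')}")
    print("flagged as outdated:", flag_outdated(found, OUTDATED_BANNERS))
```

Run as a script it prints one line per scanned port and the ports flagged against the watch list. In a real engagement the targets come from the signed scope, and a banner is a lead to verify rather than proof of an unpatched service: many distributions backport security fixes without changing the advertised version string, so the tester confirms with a vulnerability check or the patch inventory before reporting.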
These methods are used every day not just by ethical hackers but by cybercriminals as well, and it's this kind of insight that's so valuable. What's more, White Hats provide situational awareness -- the ability to identify, process and comprehend the critical elements of what is happening across a company. This is invaluable because few businesses understand how their people, data and processes interact and where that interaction breaks down -- a key weakness that criminals look to exploit.
Hiring A Hacker
For anyone thinking of hiring an ethical hacker, it helps to understand that, much like their criminal opposites, ethical hackers can be motivated by a number of things. These include seeking professional kudos, responding to ad hoc requests or simply a desire to do the right thing. Bug bounties are also highly motivating, with organizations such as the U.S. military and Apple offering rewards for vulnerabilities found and reported under the rules of their programs. It's a technique that can help turn Black Hats into ethical hackers.
From an individual perspective, those looking to become an ethical hacker can work on a freelance basis, look for permanent employment or (for those that don’t have them yet) gain official qualifications to demonstrate their skills. A number of institutions -- including CREST, Mile2, SANS Institute and the EC-Council -- all award qualifications and conduct tests to certify an ethical hacker’s skills.
For many companies, hiring an ethical hacker will be considered a risk, so these qualifications help identify candidates with a legitimate interest in working for the good side. Businesses wondering where to start should approach it as they would any other job search. However, "ethical hacker" is too broad a brief; instead, they should think about what they actually need. Is it an assessment of their cloud services and applications, a network penetration test, or a broader exercise that also covers people and processes? They also need someone with the situational awareness to understand the risks facing the business and the ability to communicate them effectively to senior stakeholders.
Lastly, some may feel uneasy about hiring an outside hacker and inviting them to test their systems. Companies can protect themselves with standard employment or consulting contracts, which can include ethical requirements, confidentiality terms and police background checks. Just as important is a written scope and set of rules of engagement, signed by both sides before testing begins: it states which systems may be tested, when, and by what means, and it is the tester's legal authorization for activity that would otherwise be unlawful.
When it comes to protecting data, businesses should leave no stone unturned. This is even more important today with the demise of the corporate network perimeter. Data, applications and services are increasingly managed outside the network and in the cloud, and more and more individuals are accessing data and applications from outside the network. This creates issues both in terms of how companies can trust cloud providers with their data and how companies can trust the devices that want access to their data and applications.
Implementing techniques like encryption, strong key management and multifactor authentication should be necessities. Beyond that, engaging ethical hackers should also be strongly considered. Hiring one does not protect a company by itself; the protection comes from fixing what the test finds, and the lasting value is the insight into how hackers operate and what data they're most interested in. With companies always a potential target for cybercriminals, ethical hackers can be a handy force for good against the dark side.