Charlie Miller and Chris Valasek identified a vulnerability in Jeep’s Unconnect onboard entertainment system, which could be used to access the automobile’s central computer and take control of the steering, brakes, and engine. Fiat Chrysler, which owns the brand Jeep, had to recall 1.4 million Cherokees and issue a patch. This was 2015.
Over 300 cybersecurity experts watched the 17-year old ethical hacker Ahmed Attalla when he demonstrated a live hacking technique, the man-in-the-middle-attack. This was 2019.
He was booking a train ticket for a family member through the Indian Railways website, when Renganathan decided to check the Insecure Object Direct References (IDOR) vulnerability. And, he found it. According to the 17-year-old, it was a common vulnerability that developers often seem to overlook. It could cause serious threats to the data on the server. A malicious hacker could gain access to personal details of millions of passengers. This is 2021.
Ethical hacker Sam Curry was browsing through social network Discord, when he came across several users posting links to graffiti artist Banksy’s official website. Upon clicking on one of them, he realised that the website was vulnerable, and it could let anyone create arbitrary files and post new content. Despite sending a prompt e-mail, his warning was ignored. But the ethical hacker tried multiple times, including a text on Instagram. A month later, a fan found an advertisement of Banksy’s first non-fungible token (NFT). He bought it before realising that it was a fake created by a malicious hacker, and he was scammed $336,000. This is now.
Nothing much has changed except for the rapid advancement of technology. Although some crises were averted, the possibilities of a million other vulnerabilities exist worldwide. And we need more ethical hackers, aka white hat hackers, aka bug bounty hunters.
The white hat hacker is an information security expert who penetrates a computer subsystem or a network, usually with the owner’s authorisation. Most times, ethical hacking services entail finding and attempting to exploit vulnerabilities and figuring out the possibility of an unauthorised access or malicious activity.
With deep technical expertise in infotec, ethical hackers usually identify security exposures in insecure system configurations, hardware and software vulnerabilities, and operational weaknesses in technical countermeasures.
It’s not a new job profile
In the 1990s, former IBM executive John Patrick coined the term ethical hacking. But the concept and its applied practice existed much earlier. In the 1960s, the Massachusetts Institute of Technology referred to creative engineering techniques applied on machinery to make it operate more efficiently as hacking. Back in the days, hackers were considered to be a compliment for those with exceptional computer programming skills.
A decade later, malicious hacking became frequent. Hackers began to realise that telecommunication systems could be manipulated for a free long-distance call. No surprise, hacking took a turn for the worst.
War Games, a 1983 film, portrayed a student unintentionally hacking into war-game supercomputer operated by the US military, highlighting the vulnerabilities of large computer systems in the real world. In the 2000s, compliance regulations like the Health Insurance Portability and Accountability Act that overlooked the security of digitised medical and business data uncovered the role of ethical hackers in the cybersecurity system. While the term “hacking” developed a negative connotation, ethical hackers became the protagonist of the cybersecurity landscape.
When ethical hacking was put forward by InfoSec Cyber Security Certification Body EC Council in 2002, it received mixed responses. The EC Council had to explain that ethical hacking would be a bodyguard of sorts to computer systems, and the white hat hackers would follow ethical principles and protect information from malicious hackers.
More recently, the 2020 pandemic brought an onslaught of cyberattacks worldwide. Adobe systems faced a data hack involving 2.9 million customers. The Centre for Strategic and International Studies and McAfee released a report, The Hidden Costs of Cybercrime that revealed monetary losses to have hit $945 billion and predicted that organisations would spend $145 billion on cybersecurity services. Ethical hackers became more important and in demand than ever before.
From government organisations, banks and business enterprises to SMBs, no sector is free from cyber-attacks and ethical hackers are the protectors. Microsoft uses ethical hackers to execute beta testing on their new products. IBM has a team of ethical hackers to keep their security systems tight without any vulnerability.
Also Read: Hacker Versus Hacker
How do white hat hackers help business organisations
Ethical hackers are allowed enough leeway within the organisation network to legitimately and repeatedly exploit the known attack vectors. Using the same techniques that a black hat hacker would use, they test the resilience of the cybersecurity architecture. After evaluation, they report to the top C suite executives and the IT teams use the data from the report to improve their security posture. Their report also includes demonstrations of how threat actors could attack their system.
Several companies also entertain bug bounty programs that are agreements offered by companies to ethical hackers who are rewarded for reporting or finding security vulnerabilities. Apart from the popular global bug bounty programs like HackerOne, BugCrowd, Cobalt, Safehat, and Intigriti, some of the top bug bounty programs in the Middle East include Saudi Federation for Cyber Security and Programming’s (SFCSP) BugBounty and CROWDSWARM.
Also Read: What Marketers Don’t Know About AI
Would cloud migration increase the need for ethical hackers?
Since the increased rise of digital transformation, cyber-attacks have increased tenfold, making security the topmost concern. Experts believe penetration tests can’t keep up with the changing cyber techniques adopted by malicious threat actors, and the only thing that can keep company and consumer information intact is by fighting fire with fire – pitting hackers against hackers.
Are they basically penetration testers?
Not really. Most companies are under the impression that penetration testers and ethical hackers are the same, IT experts say there is a difference. While white hat hackers conduct routine tests looking for flaws, penetration testers, who have the same goals, have a narrow focus on specific aspects of a network. More importantly, they have limited access as compared to ethical hackers.
The bug hunters’ toolkit
Using a form of reverse engineering, the white hat hackers imagine scenarios that could compromise the business data. One of the most popular methods is to scan ports using tools such as Wireshark, Nessus, and Nmap. It helps them identify open ports, analyse, and report possible remedial processes.
Some hackers scrutinise patch installation to make sure there are no new vulnerabilities caused by latest updates. They also perform network traffic analysis and sniffing, along with an attempt to evade intrusion detection systems, honeypots, and firewalls.
To ensure that black hat hackers cannot introduce security exploits to expose company information from structured query language (SQL)-based relational databases, ethical hackers also perform tests to detect SQL injections. Similar to threat actors, ethical hackers must try and obtain end user access to obtain company information through social engineering techniques.
There are also red hat ethical hackers who specialise in cracking Linux-based network systems. Instead of reporting vulnerabilities to the company owner, they conduct reverse hacking measures to cut off black hat hackers from computer resources.
Also Read: Is It Time To Ring The Cyber Alarm Bell?
It can get expensive
Security testing costs depend on the type of business. If the company possesses a large user database, it might have to increase its budget. Experts strongly advise companies to balance costs with higher priority given to security. Ethical hacking investment would be minimal compared to the losses accrued from a cyberattack. Depending on the budget, companies can choose to have in-house ethical hackers or hire an agency, or an independent bug bounty hunter.
Troubles of an Ethical Hacker
While it is possible that some hackers could steal data or introduce vulnerability, many ethical hackers are helplessly judged and threatened.
Ethical or not, having the word hacker in the job title runs the risk of being assumed to have violated the Computer Fraud and Abuse Act (CFAA). In the US, the community heaved a sigh of relief on the recent upgrade of the definition of unauthorised access where the act criminalises only violations of data access from prohibited files. Experts add that ethical hackers need to be given whistleblower protection as some companies can threaten them with legal action for finding lethal vulnerabilities in their products. In the Middle East, security experts expect focused regulation as more countries are beginning to rope in bug bounty programs; more recently being Iran.
Many ethical hacker communities believe that several reported vulnerabilities through alternative channels either get ignored or don’t get patched soon enough. A Belgian-based bug bounty platform Intigriti revealed that 12 per cent of their submissions failed to reach the appropriate security teams. Yet, the fight is strong.
Despite controversies, ethical hacking is critical to the sustainability of any digital organisation. While they have the privilege of gathering company network access, their main objective is to assure safety in the digital, wireless infrastructure.
