What are ethical hackers, and why do we need them?
Ethical hacking allows you to see how your systems might be breached, but it goes far beyond pen testing.
The original version of this post was published in Forbes.
In an online world infested with hackers, we need more hackers.
No, that’s not an oxymoron. While hacking remains a generally pejorative term (“Don’t respond to any Facebook invites from me! I got hacked!”), the reality is that it’s all about the motivation. To have a chance of blocking or defeating malicious hackers, organizations need “good” or ethical hackers on their side—people who know how to think like the bad guys.
It’s like anything adversarial: The best detectives know how to think like criminals. The best sports teams get that way in part by figuring out what their opponents are likely to do before the game starts.
Not that this is a new concept. Hacking has been a “mixed-use” term for decades. How it is perceived depends on the prefix—white hat, black hat, grey hat. White hats are good guys, black hats are bad guys (you know, like in the old spaghetti westerns) and the greys float somewhere in between, generally choosing a side based on how much it will benefit them or a cause they support.
The annual Black Hat security conference is 22 years old and is generally aimed at ethical hackers who want to learn more about how to think like a black hat and help their organization avoid becoming the next catastrophic data breach headline.
But as malicious hacking evolves and the “attack surface” expands exponentially—the Internet of Things (IoT) is now more frequently called the Internet of Everything (IoE)—the definition and mission of ethical hacking are evolving as well. In addition to helping protect a company’s digital assets, ethical hacking is also about making the online world (and the physical world) a better, more secure place for everybody but criminals.
Indeed, one of the presentations at last month’s Black Hat in Las Vegas was titled Hacking for the Greater Good: Empowering Technologists to Strengthen Digital Society. It featured technologist, cryptographer, blogger and author Bruce Schneier; Camille François, chief innovation officer at Graphika; and Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF).
Schneier, whose latest book Click Here to Kill Everybody focuses on the expanding physical consequences of hacking because “everything is a computer,” continued that theme on the panel, noting that hacking has moved “beyond data to flesh and steel … You mean the computer will shut off the person’s heart? That’s way different than deleting a spreadsheet.”
That doesn’t change the basics of hacking to help companies—any security expert will tell you that if an organization wants its applications, systems and networks to be secure, one of the things it needs to do is hire hackers, either internal employees or external contractors, to test them by attacking them. That is generally called penetration testing: A group of “pen testers” try to hack into anything and everything. The goal, of course, is to find vulnerabilities and fix them before malicious hackers can exploit them.
Pen testing is a long-established (and highly recommended) thing to do before exposing digital assets to the public, but it is far from the only thing. Good pen testers generally recommend that if companies aren’t using multiple analysis tools during the software development life cycle (SDLC), they ought to be. Among them are tools for static, dynamic and interactive security testing plus software composition analysis (SCA), which focuses specifically on finding vulnerabilities and potential licensing conflicts in open source code.
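To make the software composition analysis (SCA) idea above concrete, here is a small added example, not code from the article or from any vendor it names: it parses a pinned dependency manifest, checks each package against an advisory list of vulnerable version ranges, and flags licenses outside an allow-list. Every package name, version, advisory id and license string is a constructed placeholder, and the version comparison is numeric so that, for instance, 2.9.0 is correctly treated as older than 2.19.0.

```python
"""Minimal software composition analysis (SCA) check (added example).

Parses a constructed requirements.txt-style manifest, compares each pinned
dependency against a constructed advisory list (vulnerable version ranges)
and a license allow-list, and reports findings. All package names, versions,
advisory ids and licenses below are constructed placeholders, not real data.
"""
import re

# Constructed manifest (not a real project).
MANIFEST = """\
# build deps
requests-like==2.19.0
jsonparse==1.4.2
gplonlylib==0.9.1   # transitive
leftpadder==3.0.0
"""

# Constructed advisory data: package -> list of (min_inclusive, max_exclusive, id).
ADVISORIES = {
    "requests-like": [("2.0.0", "2.20.0", "ADV-PLACEHOLDER-001")],
    "jsonparse": [("1.0.0", "1.4.0", "ADV-PLACEHOLDER-002")],
}

# Constructed license metadata and the licenses this hypothetical policy permits.
LICENSES = {
    "requests-like": "Apache-2.0",
    "jsonparse": "MIT",
    "gplonlylib": "GPL-3.0-only",
    "leftpadder": "MIT",
}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)")


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    """Return [(name, version), ...] for each pinned line; skip comments and blanks."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            deps.append((m.group(1).lower(), m.group(2)))
    return deps


def vulnerable_range(name, version):
    """Return the advisory id if version falls in [min, max) of any advisory, else None."""
    v = parse_version(version)
    for lo, hi, adv in ADVISORIES.get(name, []):
        if parse_version(lo) <= v < parse_version(hi):
            return adv
    return None


def scan(text):
    """Return findings as (kind, name, version, detail) tuples in manifest order."""
    findings = []
    for name, version in parse_manifest(text):
        adv = vulnerable_range(name, version)
        if adv:
            findings.append(("vulnerable", name, version, adv))
        lic = LICENSES.get(name, "UNKNOWN")
        if lic not in ALLOWED_LICENSES:
            findings.append(("license", name, version, lic))
    return findings


if __name__ == "__main__":
    for kind, name, version, detail in scan(MANIFEST):
        print(f"{kind:10} {name}=={version}: {detail}")
```

Run as a script, it reports the one pinned version that sits inside a vulnerable range and the one dependency whose license the policy does not allow; `jsonparse` passes because its pinned version is past the advisory's fixed version, which is the outcome an SCA gate is meant to confirm before code ships.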
Ted Harrington, executive partner at Independent Security Evaluators, notes that people shouldn’t confuse pen testing with a full security assessment. A pen test simply determines whether an intrusion is possible.
“If your goal is to find most or all of your issues so you can fix them, a penetration test simply doesn’t do that. Security assessment is actually what most companies need, yet they often ask for penetration testing. This is a problem because the terms are not interchangeable and they deliver different things,” he said.
And ethical hacking involves much more than pen testing anyway. “There is so much more to hacking professionally than just pen testing,” said Christopher Hadnagy, chief human hacker at Social-Engineer, LLC, who also presides over the Social Engineering Village at DEF CON, held immediately after Black Hat in Las Vegas. “The social engineering side, security awareness, and the other parts that all lead to the part of being a professional.”
There are even training and certification courses to become a Certified Ethical Hacker (CEH), but they aren’t really necessary—witness all the freelance hackers chasing bug bounties offered by major companies like Google, Apple and Microsoft and, in some cases, making pretty good money doing it.
“Certifications can help demonstrate someone has knowledge in the area, which is beneficial for folks looking to get into the industry,” said Thomas Richards, principal consultant at Synopsys, “but they should never be used as a qualifying measure if the individual can perform the task.”
“I have seen previous sales professionals become amazing social engineers and people with a non-IT background who have excellent penetration testing skills.”
Hadnagy agrees, although he said some documented qualifications help. “I personally look for performance-based certs like the OSCP (Offensive Security Certified Professional) or the APSE (Advanced Practical Social Engineering) as opposed to just Q&A,” he said.
Harrington says much the same. “Credentials are helpful in establishing a baseline of knowledge, but they are neither all-encompassing nor even necessarily an indicator of elite skill,” he said.
But beyond the basic skills, there is the potentially tricky topic of what “hacking for the greater good” really means. “Greater good” could mean vastly different things depending on who gets to define it in a politically and morally contentious time.
For example, is “hacktivism” part of the greater good, depending on the cause? Not in the view of these experts.
“Those who seek flaws in systems in pursuit of a political agenda are not ethical hackers,” Harrington said. “Make no doubt about it: Even in the name of a cause with which you might agree, hacktivists are not the good guys.”
“Hacktivism never pays off,” Hadnagy said. “You always have to hurt someone to make your point. I steer clear of certain topics and the politics of it all. Take the high road, work at what is passionate for you. To me, doing good means when I leave I hope you felt better for having met me.”
He said that motivation led him to start the ILF (Innocent Lives Foundation), a nonprofit that uses “ethical white hat hackers to track and unmask those who create and trade in child abuse material.” It also led him to create the SE (social engineering) Code of Ethics, to establish best practices and standards for white hat hacking.
Richards offers the same advice. “The ‘greater good’ to me is helping humanity for nonfinancial motivation,” he said. “I have spoken with individuals who have used technical skills to identify and track criminals successfully. Recently, at DEF CON, there was an open source intelligence (OSINT) challenge to find missing persons. Both of these are worthy pursuits.”
Another conflict over “greater good” is when a hacker finds a vulnerability in some component of a company’s online presence—application, system, network or supply chain—and reports it publicly.
Most ethical hackers agree that responsible disclosure requires notifying the company privately first and giving it some time to fix it—at least a couple of months—before going public with it.
As with just about everything, however, things are not always black and white.
“It depends,” Hadnagy said. “Did they use the vuln to hurt someone? Did they blackmail the company? I think bug bounty programs are super smart—you pay people for hard work, it motivates responsible disclosure and helps to get things fixed.”
“A company that goes after the reporting hacker who did no harm hurts future desire to want to report ethically,” he said.
To which Richards adds, “The vulnerability existed prior to the research identifying it. If a person identifies a leak in a dam, they do not go to jail for informing people about it.”
Finally, there is unanimous agreement that the world needs more ethical hackers. “It’s an arms race and the good guys are outnumbered,” Harrington said.
That, Hadnagy said, is in large measure because there are no good college or university programs teaching it.
“The youth of my time learned by doing, but we didn’t destroy. These days you can’t do that without breaking the law. The youth of today need a safe place to practice, learn and perfect these skills—and we are not providing that.”
Harrington agrees, and offers a list of what to do:
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.