Companies are under threat from cyber criminals. As noted by the 2019 Data Breach Investigations Report, 52 percent of more than 43,000 reported security incidents and data breaches involved hacking, and 66 percent were conducted by outsiders.
And it doesn’t stop there: The accelerating pace of new technological frameworks such as the Internet of Things (IoT) opens new opportunities for malicious actors. According to Fast Company, while 65 percent of organizations believe that security “is a way to differentiate from the competition,” and safeguard critical data, just 48 percent have the capability to determine if their IoT devices have been compromised.
The result? Businesses are now looking for actionable perspectives from the other side of the security lens, employing “ethical hackers” to discover system vulnerabilities and suggest potential solutions. But what’s the difference? Where does cyber crime give way to ethical hacking? Why does it matter? And how can companies leverage ethical hacking to get ahead of evolving security threats?
Hacking isn’t inherently negative. The term was first used during the 1960’s at MIT to describe someone with the capability to solve technical problems creatively. Today, hacking is an effective way for companies to determine where their IT infrastructure is vulnerable before malicious attackers attempt to circumvent server or cloud security.
So how do companies determine who’s out to help and who’s looking to do harm? Put simply, intent defines action. Hacking with the intention to reveal vulnerabilities for remediation is one thing; hacking with the intent to install ransomware and hold data hostage is something else.
Broadly speaking, hacking with criminal intent can be divided into four categories:
- Nation States — Nation state hackers may be working on behalf of governmental agencies or in line with what they perceive is the will of their state, even if they’re not officially sanctioned actors. According to Motherboard, popular productivity tool Slack recently warned investors that it’s a target for nation state attackers.
- Hacker Groups — Hacker groups are typically looking for profit or hoping to cause damage. In some cases, this means holding data hostage until companies pay up. In others — such as the recent spate of supply chain attacks — it’s about stealthily collecting data across trusted systems for weeks or months without detection.
- Malware-as-a-Service — Not every hacker has the skillset to develop and deploy sophisticated malware. Intelligent attackers, meanwhile, have recognized the potential profit in creating easy-to-use malware strains and selling them online as-a-service. As noted by Tech Observer, malware-as-a-service will likely increase through 2019 as the booming market drives feature expansion.
- Hacktivists — According to Tech Target, hacktivisim is “meant to call the public’s attention to something the hacktivist believes is an important issue or cause.” Hacktivists often perceive their own intentions as noble but depending on the tactics they employ may cross the line into criminal activity.
A Hack of Many Hats
Ethical hackers, meanwhile, have permission from companies to discover and exploit vulnerabilities on corporate networks. As noted by Built In, “companies and government organizations invite these non-malicious hackers to penetrate their systems in order to pinpoint security gaps and develop stronger defenses.” To better understand the role of ethical hackers it helps to think in terms of popular hacker “hat” colors: Black, white and grey.
Black-hat hackers are the bad guys. Criminals or malicious nation-state actors who don’t ask permission, take what they want and may leave a trail of destruction in their wake.
White-hat hackers are security professionals, from infosec experts to ethical hackers and network security architects. Ethical hackers are highly valued for their ability to think like malicious actors — some began their careers as black-hat hackers, while others have a knack for finding the network path of least resistance.
Grey-hat hackers occupy the middle ground. They’re not out to steal information or damage networks, but they don’t always follow the rules. For example, they might uncover a critical corporate flaw but instead of reporting the risk to enterprise IT they release the exploit to the public at large. While this may result in quick-thinking digital defense it also opens the door for malicious actors.
Ethical Hacking vs. Penetration Testing
Penetration testing and ethical hacking are often conflated since they serve the same general purpose: Assessing and mitigating IT risk.
But penetration testing describes a subset of the overall ethical hacker mandate. The true value of ethical hacking to companies isn’t the ability to find the quickest way into corporate systems: As Computer Weekly points out, ethical hackers tackle the security process end-to-end, from conducting reconnaissance for weak points to achieving access, exploring IT environments and escalating privileges.
Ultimately, it’s their ability to anticipate hacker action that sets them apart — according to the EC Council, ethical hackers can help companies determine what type of vulnerabilities an attacker may see, what systems they will prioritize and what potential harm could result if critical data is stolen.
As the cyber skills gap continues to grow, there’s an increasing need for ethical hackers. The challenge? Ensuring potential assistance isn’t a grey- or black-hat hacker wearing white to land a job. To help close the distance, reputable training organizations now offer training for certified network defender (CND), certified ethical hacker (CEH) and certified (practical) ethical hacker qualifications. The result? Companies get well-qualified and committed ethical hackers and IT professionals enjoy new development opportunities.
Hack or be Hacked
That’s the bottom line: Malicious actors are getting more sophisticated even as reliable attack tools become as-a-service offerings. Companies can’t afford to ignore the impact of highly-trained, white-hat experts — ethical hacking helps bridge the gap between expanding attacker impact and successful security solutions.