An ethical dilemma: operating from the frontline of cybersecurity
- 31 October, 2017 14:25
Hackers are suffering from an image problem. They are often thought of as anti-social geeks hidden away in basements, but the reality of modern hackers paints a different picture. Intelligent, social and motivated, today’s hackers have a diverse repertoire of capabilities. While hackers are increasingly organised in professional groups, criminal or otherwise, the assumption that all hackers operate illegally simply doesn’t hold true.
Black hat hackers, criminals who steal or manipulate data, dominate mainstream images of hackers, often overshadowing their more ethical counterparts. White hat hackers instead use their technological skills to breach and then resolve vulnerabilities in cybersecurity measures, rather than exploit them.
Ethical hackers share the same methods and techniques as black hats to test and bypass a system's defences. Rather than maliciously taking advantage of any vulnerabilities found, they document them and provide advice on how to fix them. These gaps tend to be found in poor or improper system configuration, hardware or software flaws, and operational weaknesses in process or technical countermeasures. A successful test doesn't mean a network or system is 100 per cent secure, but it should help it withstand automated attacks and unskilled hackers.
More than just a hacker
Ethical hackers don’t all take the same approach, differing in their motivations and drive to hack. Some want to work towards the greater good or seek professional kudos, while others are directly employed by an organisation or responding to a professional request. Bug bounties, where the public are financially incentivised to find vulnerabilities in an organisation’s systems, are prolific in the United States and are growing in popularity in Australia. While Australia is yet to hold public bug bounties, private bug bounties offer hackers the opportunity to test their skills for more virtuous purposes.
Hackers looking to transition to an ethical practice can work on a freelance basis, look for permanent employment within an organisation, or set about gaining official qualifications to demonstrate their skills. Training courses are available from institutions such as EC-Council, offering certifications for an ethical hacker’s skillset. In an increasingly competitive industry, these certifications are useful for businesses when determining the validity and expertise of a hacker and are a crucial step for hackers to be considered legitimate.
Typical steps an ethical hacker will take when securing a business:
1. Study the Business
To help protect a business an ethical hacker must understand what data has been collected or produced and where the most sensitive parts of that data are stored. By understanding the organisation’s systems in greater depth, ethical hackers can recognise what data black hat hackers are likely to target. Data is the new oil, and an ethical hacker is aware of its true worth, so they can advise a business that does not know which of the data it holds is most valuable. The ethical hacker should also study past vulnerabilities or attacks the business has been exposed to.
2. Test Existing Defences
Organisations invariably have security measures in place; however, this doesn’t guarantee their efficacy. An ethical hacker will attempt to evade measures such as IPS (intrusion prevention systems), IDS (intrusion detection systems) and firewalls to gain access to a business’ server. Additionally, they can employ other common strategies like intercepting and logging traffic that passes over a digital network, bypassing and cracking wireless encryption, and hijacking web applications and web servers. Ethical hackers also need to evaluate any vulnerabilities related to laptop theft and employee fraud.
3. Scanning Ports and Seeking Vulnerabilities
Using port scanning tools to scan the business’ systems and find open ports, an ethical hacker can identify open network services running on a server and exploit vulnerabilities. Through an open port, an attacker could access a business’ network and therefore their data. This is about understanding how the company looks from the outside to potential cybercriminals, much like a thief scouting an office building and checking to see if there are open windows on the ground floor. Once identified, vulnerabilities in the network services that are accessible through the port can be studied and corrective measures implemented.
4. Examine Patches
White Hats will review if known vulnerabilities exist in any software that the business uses and whether a patch is available. The ethical hacker will ensure that relevant patches are applied to machines in a timely and consistent manner. Currently businesses are not doing enough to implement patches that are available, so this can be a valuable avenue. For example, in a recent study by BitSight, Windows XP or Vista was found to still be running on 20% of the 35,000 systems examined. Microsoft discontinued patches for XP two years ago, and Vista this year, and so any device running those operating systems is especially vulnerable to hacking.
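Steps 3 and 4 produce two lists that a white hat has to reconcile: what is reachable from the outside, and what is running on software the vendor no longer patches. The triage helper below is an added example, not code from the original article; the scan results, approved-exposure baseline and asset inventory are all constructed, and only the Microsoft end-of-support dates for XP and Vista are real.

```python
"""Triage helper for steps 3 and 4: compare an external port scan against an
approved-exposure baseline and flag hosts whose OS is past vendor support.
Added example, not from the original article; all data below is constructed."""
from datetime import date

# Constructed output of an external port scan: (host, port, service).
SCAN_RESULTS = [
    ("web01", 443, "https"),
    ("web01", 22, "ssh"),
    ("web01", 3389, "rdp"),
    ("db01", 1433, "mssql"),
    ("kiosk07", 445, "smb"),
]

# Constructed policy: the only (host, port) pairs approved for Internet exposure.
APPROVED_EXPOSURE = {("web01", 443), ("web01", 22)}

# Constructed asset inventory: host -> operating system.
INVENTORY = {"web01": "Windows Server 2016", "db01": "Windows Server 2012 R2",
             "kiosk07": "Windows XP"}

# Public Microsoft lifecycle dates: last day of vendor patches.
END_OF_SUPPORT = {"Windows XP": date(2014, 4, 8), "Windows Vista": date(2017, 4, 11)}

# Date of the assessment (the article's publication date, used as a constructed value).
ASSESSMENT_DATE = date(2017, 10, 31)


def unexpected_exposures(scan, approved):
    """Return (host, port, service) tuples reachable externally but not approved."""
    return sorted(r for r in scan if (r[0], r[1]) not in approved)


def unsupported_hosts(inventory, eos, today):
    """Return hosts whose OS vendor support ended on or before `today`."""
    return sorted(h for h, os_name in inventory.items()
                  if os_name in eos and eos[os_name] <= today)


def triage(scan, approved, inventory, eos, today):
    """Combine both checks; an unapproved port on an unsupported host ranks highest."""
    eol = set(unsupported_hosts(inventory, eos, today))
    findings = [("high" if host in eol else "medium", host, port, service)
                for host, port, service in unexpected_exposures(scan, approved)]
    for host in sorted(eol):  # unsupported hosts with nothing exposed still matter
        if not any(f[1] == host for f in findings):
            findings.append(("medium", host, None, "unsupported OS, no exposed ports"))
    return findings


if __name__ == "__main__":
    for finding in triage(SCAN_RESULTS, APPROVED_EXPOSURE, INVENTORY,
                          END_OF_SUPPORT, ASSESSMENT_DATE):
        print(finding)
```

In the constructed data the RDP port on web01 and the SQL port on db01 are reported as medium, while the SMB port on the Windows XP kiosk is ranked high because no patch can ever close a vulnerability found there.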
5. Dumpster Diving
The essence of ‘dumpster diving’ is to rummage through physical and digital bins for passwords, charts, and anything with crucial information that can be used to generate an attack. To thwart these types of attacks, organisations must always ensure employees shred unwanted documents and dispose of unwanted digital media appropriately.
There are other social tools an ethical hacker can employ, such as ‘shoulder surfing’. This involves literally looking over someone’s shoulder to see what they are typing or what is on screen in the hope of gleaning sensitive information, such as passwords.
6. Find Once, Fix Always
Once an ethical hacker has identified and secured any vulnerabilities they must educate the business. They need to help the business understand where those weaknesses were, how they came about, and how to prevent similar ones appearing in the future. Fixing broken processes or establishing new ones can stop the same issues from being repeated. By doing this, the White Hat reduces the risk of the business being the victim of a data breach, though no solution ever guarantees complete security.
In an increasingly volatile digital landscape, private enterprises and public organisations need to bolster their cyber defences to protect against malicious hacking and data breaches. While there are many effective technologies that provide valuable layers of defence for an organisation, ethical hackers are an increasingly powerful tool to add to the line-up. Hiring White Hats lets organisations dig deeper into the mindset of criminal hackers, how they operate and what data they will target. Ethical hackers are the next frontier of defence for organisations looking to stay vigilant in the changing climate of cyber-security.