IF you can’t beat them, hack them. This serves as a reminder for businesses that are not familiar yet with “ethical hacking,” or “white hat hacking,” that they can avoid getting victimized by cybercriminals at large via a counter attack before the latter could launch a malicious threat on their information technology systems.
Cyber attacks have been perennial problems ever since the digital world began. In fact, global cybercrime losses are estimated to reach $6 trillion this year and expected to hit $10.5 trillion by 2025.
To address this, business owners are racing to beef up their cybersecurity measures to prevent data breaches that could put their investment and reputation in trouble. One of which is resorting to ethical hacking to protect their organizations against the forthcoming problems from hackers. And this is made possible by hiring “white hat” hackers (WHHs).
Good or bad
THE art or technique of discovering and exploiting a security loophole in an infrastructure like a website, a software, or a computer is called hacking. A person involved in this practice is a hacker, which can be either good or bad.
According to Secuna Chief Information and Security Officer Allan Jay Dumanhug, WHHs are totally different from their malicious counterparts—the “black hat” hackers (BHHs).
“WHHs are all ethical, moral, and cybersecurity professionals making an honest living. They enjoy the intellectual challenge of creatively overcoming and circumventing limitations to keep the Filipino business community safe,” he said.
“They are very familiar with the tactics of BHHs who are the ones who attack organizations to steal data, compromise systems, and do other kinds of cyber damage. WHHs use this knowledge and their expertise to counter the BHHs’ attack as well as assess the organization’s level of strength in withstanding it,” he added.
Ethical hacking
DATA have become an invaluable resource that BHHs take advantage of to gain something, mostly financial. Through the years, they have proven to be sophisticated and creative geniuses when it comes to penetrating a system.
Hence, malicious attacks on various organizations worldwide, big or small, have led to losses amounting to millions of dollars, and are feared to cost trillions today and beyond. These incidents have led businesses across the globe to be ultra careful, made them rethink their views on the importance of ethical hacking, and reconsidered their cybersecurity strategies.
The proverbial “eye for an eye, a tooth for a tooth” might not always work in the real world, but to fight off a hacker with a hacker does. So an organization needs WHHs who have the same capabilities as the BHHs.
Bug bounties
INTERNATIONALLY, more and more ethical hackers are discovering and disclosing security vulnerabilities. Proof of which is that vulnerability submissions to one of the best-known bug bounty programs, HackerOne, have increased by almost two-thirds since last year.
Based on its 2021 Hacker Report, which details the development of penetration testing and ethical hacking over the last 12 months, the number of hackers submitting vulnerabilities during that period has grown by 63 percent.
Bug bounty schemes are created to provide ethical hackers or WHHs a means of finding and reporting these vulnerabilities before cyber criminals could take advantage of them. In return, they are rewarded with financial incentives.
Locally, Secuna is the largest cybersecurity-testing platform in the Philippines. The Department of Information and Communications Technology has certified it as a recognized Cybersecurity Assessment Service Provider. This company connects firms and brands to vetted and trusted international cybersecurity professionals who simulate cyberattacks and find security flaws that BHHs can exploit to gain access to IT systems.
Even if platforms like Secuna are readily available to help find an organization’s IT security flaws that online attackers exploit, reporting vulnerabilities here are not as high as in the case overseas.
“Most of the companies in the Philippines do not have a Vulnerability Disclosure Policy or a program where their researchers can report potential vulnerabilities to them. Some of the high-profile breaches in the country could have been avoided if there was a program where researchers can report their findings. This highlights the importance of white hat hacking in the country,” said ctulu, the No. 1-ranked WHH of Secuna.
“Cybercrime and cyber-related offenses are now starting to increase. To combat this scourge of cyber-attacks, hiring WHHs enables companies to find flaws in their cyber security before those flaws are found and exploited by someone with criminal intentions,” added Chris Laconsay, who is also a WHH registered on the same platform.
In-demand service
ETHICAL hackers or WHHs are fast becoming in demand, with the market value for their services expected to reach $4.1 billion by 2027 globally. This holds true, especially now that remote working expands the attack surface for vulnerabilities amid the Covid-19 pandemic.
Since many have lost their jobs due to the unprecedented health crisis, they might consider ethical hacking as a fallback. With or without an IT background, they can have an equal chance to work in this field.
A Bachelor’s degree in Information Security and/or Computer Science gives a strong foundation for any WHH. Training courses that result in certification that recruiters look for, such as the Offensive Security Certified Professional program, are also one preparation for the ethical hacking career path.
Once hired, the WHHs can work themselves up the organization with positions like Penetration Tester, Red Team, Application Security Engineer, and Security Researcher, among others. Salary-wise, a Philippine-based WHH can earn a monthly stipend ranging from P18,200 to P63,000.
To excel at being a bug hunter who finds flaws in the IT systems and networks and provides solutions, “a top WHH should have these two qualities: an endless curiosity and patience. To drive your curiosity to hack and break things, you need a lot of patience since finding bugs is not easy,” said ctulu.
For Laconsay, ethical hacking “involves a great deal of problem-solving skills and creativity.” He noted: “As I observed, currently famous WHHs are usually very good at these. Learning newer things is what gives me immense motivation. Willingness to learn a new trick or trade is what kept me going.”
Learning Python, C++ or Structured Query Language gives an edge for a WHH, ctulu pointed out. He added that ethical hackers can come from various backgrounds that, like their tasks, break the mold.
“Some of the WHHs I know are nurses, businessmen, or taxi drivers. As long as the hacker can follow the rules, conduct tests, write the reports properly, and have a good attitude, there won’t be any problems,” he said.
“Though anyone can become a WHH without any programming skills, you need to have at least one programming language to be good in this craft,” Laconsay stressed.
Changing public perception
WHILE there seems to be a general misconception about hacking due to reports on cyber attacks and underground activities of BHHs, this perception needs to be changed.
“Not all hackers are bad. Many of the WHHs are actually security professionals hired by companies to find and exploit vulnerabilities before the BHHs find them and take advantage,” said ctulu, who has audited and tested the Covid-19-related systems of the Philippine Red Cross on the Secuna platform.
Because of the stereotypical negative view on such word, there are still many companies that hesitate in hiring WHHs. It also prevents ethical hackers from volunteering or stepping up to help firms once or before a breach happens.
“Helpful hackers who see a potential threat usually don’t say something because they are afraid that doing so might land them in jail. However, reporting these flaws is critically important. Failure to do so gives malicious hackers or the BHHs the means and opportunity to hide and strike from the shadows,” he stressed.
Images courtesy of Alphaspirit | Dreamstime.com and Secuna