While hackers have been causing a great deal of pain to enterprises, another community of hackers has also been finding vulnerabilities in IT systems, albeit with a different objective. Such hackers, known as ethical hackers, proactively identify IT system vulnerabilities by hacking into the systems. Ethical hackers are a boon to enterprises because they identify potential vulnerabilities without any malicious intent, and enterprises can fix the issues before malicious hackers exploit them. Ethical hackers are being increasingly recognized: reputed organizations have been paying bounties to ethical hackers for finding security loopholes in their systems that were hitherto undetected.
Ethical hackers may work as individuals or as groups, hacking into the systems of one or more enterprises with the intention of identifying vulnerabilities. However, such hackers do not exploit the weaknesses of the system with any malicious intent. The idea is to identify vulnerabilities before hackers with malicious intent do. Ethical hackers can be employees or non-employees of an organization. There are also instances of ethical hackers hacking into systems on their own initiative and letting the organization know of their findings. According to Renee Chronister, an ethical hacker with Parameter Security in St. Peters, Missouri, ethical hackers use the same tools and techniques as malicious hackers. Only the intent differs.
The main benefit is that ethical hacking helps enterprises stay one step ahead of malicious hackers by proactively identifying and fixing vulnerabilities. However, there are other benefits of employing ethical hackers, which are described below.
Khalil Shreateh, a teenager in a small village in Palestine, identified a serious issue with Facebook when he found he was able to post anything on anyone's wall. Though Facebook declined to acknowledge that as a security loophole, Khalil established his finding by posting on the wall of Mark Zuckerberg. In the same way, in 2008, Dan Kaminsky, the co-founder and chief scientist at White Ops, a fraud prevention company, discovered a serious issue with how Internet service providers handled mistyped website names. The issue was immediately fixed, closing off a huge avenue for cyber scammers.
Malicious hackers have a certain modus operandi: the way they look around for loopholes and exploit them. Being hackers themselves, ethical hackers are familiar with how malicious hackers think and work. This allows them to go to the places where they have the greatest chance of identifying loopholes. According to Chronister, “Ethical hacking identifies and exploits your weaknesses so you can see – what sensitive data can be assessed and empowers you by being able to remediate these weaknesses hopefully before malicious hackers strike.”
Ethical hackers are not lay persons who evaluate IT systems for security; they are seasoned experts with diverse backgrounds, such as system and network administration, software development, testing and mathematics. What binds them together is a singleness of purpose: making IT systems stronger. According to Ed Skoudis, a SANS Institute Faculty Fellow and founder of Counter Hack Challenges, an educational organization devoted to information security, “Regardless of the background, truly effective ethical hackers love a challenging puzzle. They revel in taking things apart to find their flaws.”
Ethical hackers push IT systems to their limits to find whatever vulnerabilities exist. They bring the perspective of seasoned and relentless hackers, a perspective that a company's regular system experts usually lack. They offer a critical, nit-picking attitude that tests the system and makes it a tough one to crack.
The view on ethical hacking has been changing from indifference and cynicism to acknowledgement. Enterprises once regarded regular IT security as the best available defense against malicious hackers. Now, organizations have been announcing bounties that serve as both acknowledgement of, and incentive for, ethical hackers. Many ethical hackers have agreements with reputed enterprises to test their IT systems. Consider the following facts:
Microsoft and Facebook will support a panel of experts tasked with rewarding ethical hackers who identify and flush out serious vulnerabilities with $5,000. Microsoft will pay up to $100,000 to hackers who discover vulnerabilities, depending on the type of issue discovered. For example, Microsoft will pay $11,000 for discovering bugs in Internet Explorer. It may be relevant to note that Microsoft was opposed to the idea of bounties for ethical hackers not so long ago.
Khalil Shreateh, who discovered the wall-posting bug on Facebook, was not acknowledged by the Facebook IT security team, which claimed that Khalil had not been explicit enough in his findings. Facebook promptly fixed the bug, though. However, Khalil was rewarded for his efforts by Marc Maiffret, who discovered the rampant Code Red vulnerability that tormented Microsoft Windows users.
Hiring ethical hackers may not be absolutely safe because of the number of vulnerabilities exposed, especially in industries that host large amounts of confidential information. Should an ethical hacker turn rogue, the enterprise could face serious risks. However, it is not common for ethical hackers to turn malicious. Enterprises that allow ethical hackers to test their systems need to have checks and balances in place. For industries such as banking and finance, defense and healthcare, hiring ethical hackers may be a difficult proposition because of the heavy confidentiality requirements.
All in all, hiring the services of ethical hackers is, most of the time, a worthwhile step. Ethical hacking can prevent disasters small and large, such as terrorist activity, threats to national security or large-scale financial fraud. Indeed, ethical hacking should be treated as necessary for bolstering IT security. However, the attitude towards ethical hacking still needs to change and evolve considerably. Enterprises need to come forward, put in place a system of incentives for such hackers, and encourage them to test systems hard. Where needed, research and development can be sponsored.