An ethical hacker can help you beat a malicious one

Featured eBooks
Whole-of-State Cybersecurity
The State of Trust in Government
Cybersecurity in State and Local Government
By Georg Thomas
 

Connecting state and local government leaders

By Georg Thomas

|

Organizations that engage the services of an ethical hacker can find and fix vulnerabilities on their systems rather than have them exploited.

The Conversation

This article first appeared on The Conversation.

The recent spate of cyberattacks on computer systems across the world shows how some organizations are not doing enough to protect their systems against malicious hackers.

But if organizations had engaged the services of an ethical hacker then many of the vulnerabilities on their systems could have been found and fixed, rather than exploited.

There are many instances in which ethical hacking has successfully prevented a potential attack, but because of the sensitive nature of such information, few cases are made public. This anonymized example highlights the type of issues that can be uncovered by an ethical hacker, which can then be addressed by the client.

Putting on your hacker hat

There are typically three types of hacker: “black hat,” “grey hat” and “white hat.”

Black hat hackers are typically malicious; they operate illegally and attempt to breach or bypass security controls. Their motivation can be for personal, political or financial gain, or simply to cause havoc.

Grey hat hackers also try to find vulnerabilities in an organization, and may then alert the organization or publish the vulnerability.

Grey hats can sometimes sell the vulnerabilities to government or law-enforcement agencies, who may use them for questionable means in conflict or enforcement. The activities of a grey hat are not only questionable, but also seen as illegal because they are not given permission to conduct their operations.

White hat hackers use the same tools and techniques as their black and grey hat counterparts, but they are engaged and paid by organizations to find vulnerabilities. That’s why they are known as ethical hackers.

A contract and non-disclosure agreement (NDA) is usually signed between the ethical hacker and the organization. This ensures that what they are doing is legal and that both parties are protected.

The ethical hack-attack

Ethical hackers will typically follow a phased approach to conducting their tests. Depending on their methods, this will usually begin with a reconnaissance phase in which information is gathered and potential target systems are identified.

From there the computer network will be scanned (externally, internally or both, depending on the engagement) to examine it in more depth so as to identify any known vulnerabilities.

If vulnerabilities are found, an attempt to exploit them may follow, and ultimately access may be gained. An ethical hacker would also attempt to break into system that don’t necessarily have a known vulnerability, but are simply exposed.

Ethical hackers will then document their work and capture evidence to report back to the client. Hopefully they will find any vulnerabilities first, before they are exploited by others with less beneficent aims.

Becoming an ethical hacker

Ethical hackers gain their skills mainly through experience.

There are also many courses and certifications that teach ethical hacking, including the CREST Certified TesterEC-Councils Certified Ethical HackerGIAC Penetration Tester and Offensive Security Certified Professional

But these courses can’t teach everything. Organizations can differ vastly from one another, and the way to penetration-test each organization is different and by no means prescriptive.

A good ethical hacker requires a great deal of skill and experience, not just the ability to blindly run a tool or script (also known as “script kiddie”).

Ethical hackers, like any other hacker, may also venture into the dark web to gain intelligence and learn about new exploits.

Asking for trouble

One of the frustrations over this month’s ransomware attack on Microsoft’s Windows systems is that the software giant had already issued a patch in March, to protect PCs from this type of attack.

Despite the warnings, several organizations had not installed the patch, and others were running old Windows XP systems that Microsoft stopped supporting back in 2014. Windows 2003 systems were also vulnerable, having been unsupported since 2015.

This left these systems open to attack by ransomware known by a variety of names, including WannaCrypt and WannaCry. It encrypts files on infected systems, requiring a ransom for their unencryption.

Another attack

It has now been revealed that the same vulnerabilities that allowed this ransomware to infect systems has allowed the spread of a new threat, the Adylkuzz Cryptocurrency Mining Malware.

This ransomware is thought to have gone largely undetected until now because it isn’t destructive. Instead, it mines a cryptocurrency called Monero, which can generate income for the attackers.

Both outbreaks highlight the importance of practicing diligent security and making sure that unsupported systems are upgraded or decommissioned.

The majority of advice so far has focused on appropriate defenses such as the Australian Signals Directorate’s Essential Eight. This covers issues such as patching, application white-listing, appropriate firewall configuration, and using vendor-supported platforms.

But having a vigilant IT department that follows such guidance may not be enough.

Some focus should be given to how an ethical hacker can be used to help protect organizations against malicious attacks.

More than just an IT check

This approach to using an ethical hacker differs from the traditional internal IT team approach, as the focus is shifted from a defensive to an offensive mindset.

While the importance of solid defenses can’t be understated, augmenting this with ethical hacking can greatly increase the resilience of an organization’s networks. This approach tests the effectiveness of the controls in place and may identify previously unknown exposures.

But this approach is fairly limited to organizations. Engaging the services of an ethical hacker can cost tens of thousands of dollars, depending on the size of the job.

A typical home user would not have the resources to hire such help. In that case, adequate security controls and awareness would still be the best way to stop many attacks.

Microsoft’s Windows 10, for example, installs updates automatically, which can’t be deferred like previous versions. Windows 8 and 10 also come with Windows Defender pre-installed.

People should also make sure not to open suspicious emails, including those from unknown recipients. This will go a long way towards preventing infection.

The future of hack attacks

Telstra’s latest security report says that 59.6 percent of future potential attacks in Asia and 52.6 percent in Australia will be due to external hackers. These attackers will use vulnerabilities (known or unknown) to carry out their attacks.

So there is merit in further research to determine how an ethical hacker can help organizations prevent attacks and infections from unknown vulnerabilities. The ability for a penetration test to identify vulnerabilities in advance before software vendors are aware and can release any patches would be invaluable.

But there are certain ethical issues that need to be considered, given that an ethical hacker often needs to use questionable means, such as through the dark web. There is a fine line between what constitutes an ethical approach and an unethical one.

NEXT STORY: ‘WannaCry’ ransomware attack raises alarm bells for cities, states

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.