White hat hacking, gray areas, and a misunderstood approach to cybersecurity
Make no mistake about it: there is an ongoing battle between the good guys and the bad guys when it comes to internet security, and the good guys are losing. They’re losing to the tune of 4,000 ransomware attacks per day, $5 billion in ransomware damages in one year, record-breaking numbers of data breaches, and DDoS attacks of record-breaking size.
It isn’t the good guys’ fault. The men and women who make up the cybersecurity industry are overworked, overwhelmed and outnumbered in the face of a growing onslaught of hacks, attacks, intrusions, extortions, malware, phishing scams, social engineering and insider backstabbing, to name a few of the issues cybersec professionals are up against.
Thus the cybersecurity industry has had to get innovative when it comes to fighting back against the criminals taking aim, and a major part of that is using the services of white hat hackers, otherwise known as ethical hackers.
However, there is perhaps no aspect of cybersecurity as misunderstood as white hat hacking.
What it’s all about
A white hat hacker, also known as an ethical hacker, is a cybersecurity specialist who uses hacking skills to break into target systems or networks. Doing so assesses and tests existing security measures and identifies vulnerabilities, all of which the white hat hacker will report to the company that owns the target system or network.
The idea behind white hat hacking is to do what black hat, or unethical, hackers do before they get the chance, in order to keep those black hat hackers from doing it. White hat hackers are often employed by organizations as members of an in-house security operations center or cybersecurity team, though white hat hackers can also work freelance, chasing down so-called bug bounties – large sums of money offered up by major companies (think Apple and Facebook) to cybersecurity professionals who can identify vulnerabilities, making it possible for them to be patched.
White hat hacking is a recognized profession, with many even earning ethical hacking certifications. Regardless of which career trajectory white hat hackers take, they tend to pull down the cash, with certified ethical hackers making an average salary of $101,581 and top bug bounty hunters looking at salaries in the six figures as well.
And yet, the biggest issue facing these do-good hackers is a misunderstanding about their motives and ethics. This misunderstanding coming from the general public is annoying, but from law enforcement agencies like the FBI? Well, you could call it criminal.
When it comes to perception and misconception, for many the issue is simple: it’s a misunderstanding of the term hacking. In the media, the term hacking has a negative connotation, and as a result many people associate it with the criminal activities undertaken by black hat hackers. Not all hacking is unethical, but that isn’t widely understood.
The issue is complicated by the fact that white hat hackers use some thoroughly malicious means to accomplish their objectives. They have to. In order to beat black hat hackers at their own game, white hat hackers have to play that game. How can a company know its system is protected against SQL injections if no one has ever tried to execute an SQL injection on it? White hat hacking routinely entails creating malware, writing malicious code, and even vicious social engineering meant to test the security awareness of an organization’s employees. It’s all in the name of cybersecurity.
From black to white
Some of the highest-paid, most fiercely sought-after white hat hackers have less-than-ethical backgrounds, some even including stints in prison for their previous hacking activities. One of the most notable is Hector Monsegur, the founder of the LulzSec group that famously hacked the CIA and Sony. Knowing the skills Monsegur possessed, the FBI agent who arrested him convinced him to go straight, first working for the FBI and now for a security firm. Even with Monsegur’s infamous black hat past, only one of his firm’s clients has asked Monsegur to not be involved in a project. Many value the wealth of black hat skills he possesses, knowing he can do everything a criminal looking to steal and sell data would do.
This is a tidy example of the challenges facing white hat hackers. The number of ex-cons and former black hat hackers working as white hat hackers doesn’t do much to improve the profession’s reputation amongst those who don’t fully understand cybersecurity or the pressing need for innovative methods of stopping cybercriminals, but for those who get it, white hat hackers – regardless of their backgrounds, and sometimes because of their backgrounds – are invaluable.
The most pressing need
While further education on just what white hat hackers do and how ethical it actually is would obviously be appreciated, as would more leeway from law enforcement agencies, which need to understand the malicious tactics that have to go into white hat hacking, the most pressing need of all is the need for more white hat hackers. Some experts are predicting a cybersecurity workforce shortage of two million by the year 2019. Organizations ranging from small businesses to major enterprises to governments need to level the playing field however they can, and that translates to innovative cybersecurity measures.