As is often the case in cybersecurity, good news and bad news are closely linked. In my last blog, we discussed the differences between white hat and black hat cybersecurity hackers, the different types of threat actors targeting today’s organizations and their various motivations.
At a time when many organizations are still struggling with the cybersecurity skills shortage, the opportunity exists for white hat, or ethical, hackers to showcase their value to organizations. In this post, we are going to shift the focus to the other side of the coin – the white hats helping to keep information safe and their importance as part of a business’ everchanging security posture.
The need for ethical hackers
There is no shortage of examples of how high the price can be for victims of cyberattacks. The cost of dealing with the SamSam ransomware attack, for example, has already cost the city of Atlanta millions of dollars. Studies have estimated the impact of cybercrime on the global economy to be hundreds of billions of dollars a year. Every day, social engineering, phishing and other attacks are being used in attempts to compromise organizations of all sizes. As the number of Internet-connected devices continues to grow and the attack surface widens for businesses, it is fair to surmise that both the complexity of securing IT environments, and the cost of failing to do so will grow as well.
The best way to see if your organization can stand up to hackers is to attack it. To this end, ethical hackers need to think like their counterparts on the other side of the law and adopt the tactics of their adversaries. This means leveraging everything from recon to social engineering to push your organization’s cyber defenses to their limits. By attempting to poke holes in security, white hat hackers are putting organizations in the position to identify any gaps in their security controls and address them before they are exploited by malicious attackers.
Renewed approach to defense
Over the years, many business and IT leaders have adopted the “assume breach” philosophy – meaning that organizations discuss security controls from the standpoint of assuming that they have been breached by a stealthy attack. This thought process moves security discussions beyond technologies like signature-based detection at the perimeter to more advanced detection and response methodologies focused on identifying threat actors based on their behavior within a compromised environment.
From a white hat’s perspective, this means focusing on testing within the perimeter as much as – if not more – than testing for remotely exploitable vulnerabilities. Understanding lateral movement vulnerabilities and possible avenues for data exfiltration and persistence becomes a more pressing concern.
In general, the arsenals of both groups are the same, as they both typically rely on extensive recon and exploiting known vulnerabilities to compromise systems and applications. While attackers, able to get their hands on zero-days, have an advantage against security defenders, white hats often have the advantage of not having to do reconnaissance on their target environments. A firm that is brought into a company to conduct a penetration test will often be given the topology of the company’s network and applications, while black hats would have to obtain that information surreptitiously.
Becoming an ethical hacker
Still, criminal hackers only have to be successful once, whereas those defending security have to be right every time. This perpetual race between the two groups is not slowing down any time soon. With so much on the line, there is a real opportunity for those interested in ethical hacking to do significant good.
For organizations, hiring and retaining cybersecurity professionals means offering competitive pay. It also means identifying and encouraging cybersecurity personnel interested in understanding the tactics and techniques of attackers in order to improve defense. Given the nature of the job, white hat hackers need the ability to think creatively and problem-solve their way around security defenses.
Supporting employees looking to broaden their skillsets with continued education or security certifications sends the signal that security expertise is valued. A good starting point is the Certified Ethical Hacking (CEH) certification, which can be obtained after a four-hour test. The CEH certification is widely known and demonstrates a general knowledge of security risks, countermeasures and common attacker techniques, like social engineering and conducting reconnaissance. Other certifications include the Offensive Security Certified Professional and the SANS Institute’s GIAC (Global Information Assurance Certification) Penetration Tester (GPEN).
Each of these certifications can bolster the resume of security professionals as they go deeper into their field of focus. Security is a wide world, and anyone interested in being an ethical hacker should look to specialize in a few areas of interest while keeping up to speed on cybersecurity at large.
While the tactics of black hats and white hats are largely the same, the lines between these groups are distinct. If a hacker is willing to follow the law and ethical principles, an ethical hacker can serve as a true force multiplier for today’s enterprises and organizations. As the world becomes more connected, the need to secure the infrastructure that connects us will grow.