Bad vs. Good Hackers: Your Guide to Ethical Hacking

Hacking has actually been around since before there were computers. In the early 20th century, hacking was used to crack codes in wartime, or even to hack telephones in order to make free phone calls or saddle other people with huge phone bills.

The 1980s saw a more modern view of hackers, with “white hat” hackers doing the same things but using what they learned to help companies fix their software and stop unscrupulous people from hacking into it.

Today, this is considered ethical hacking and, when done properly, can be very beneficial for just about any enterprise.

What is Ethical Hacking?

Ethical hacking is using hacking for a good cause. Instead of hacking into a computer system to steal information or cause issues for a company, the hackers learn about security vulnerabilities in order to help the company fix any issues that might be present to improve the security of their network.

The idea is to help enterprises prevent hacking-related issues, not to cause them, and to help them learn what they need to know to prevent issues in the future.

How Does Ethical Hacking Work?

Ethical hacking works in basically the same way as “black hat” hacking, except that the person doing the hacking is working with the enterprise, not against it. The “white hat” hacker will try to get into the company’s computer system and see what information they can access or steal.

They’ll use a variety of different methods to attempt to gain access to the system to see what works and what doesn’t.

Once they are in the system, they will see what kind of information is available to them and try to find out if they can access all of the company’s information. They’ll let the company know what they find, as well as how they found it and what can be done to fix any issues or to prevent others from being able to gain access to the system.

Why Should Enterprises Look into Ethical Hacking?

Any enterprise can take advantage of ethical hacking to learn about their own vulnerabilities and their chances of someone being able to illegally access their data. In the long run, being better protected from hacking can save enterprises significant amounts of money as well as reduce the chance of their business suffering from issues related to the hacking that could lead to a loss in customers or a loss of trust by their customers.

Ethical hacking gives enterprises the chance to learn about potential issues before something occurs and gives them the chance to do what they can to prevent issues from occurring in the future. It can be very educational by showing exactly what could go wrong if someone were to successfully hack into the company’s network.

How Can Hacking Help Companies?

An ethical hacker will not just find out whether there are security vulnerabilities; they’ll figure out how those vulnerabilities can be exploited to gain access to confidential information. They’ll then let the enterprise know what they found and how they were able to get access to the information. From there, the ethical hacker will show the enterprise how to correct the issue and what they can do to prevent issues in the future.

For instance, if the issue that enabled the ethical hacker to gain access to the system was because of passwords being too easy to guess, the enterprise will want to train their employees to use stronger passwords. If phishing was the issue, they’ll want to teach their employees about the possibility of phishing and why they should never give out personal information.

Prizes for Hacking into Google

Today, Google offers multiple Security Reward Programs for ethical hackers to use to gain a reward if they find any vulnerabilities in Google’s products. The VRP (Vulnerability Reward Program) is for any content on google.com, youtube.com and blogger.com as well as the Google Cloud Platform, hardware devices, and more.

With this program, those who find a qualifying vulnerability are able to earn a reward. The amount varies from $100 to over $31,000 depending on what is discovered and what can be done with the vulnerability. For instance, remote code execution vulnerabilities that permit taking over a Google account are eligible for a reward of $31,337.

Google has other rewards programs as well geared toward different parts of their business. Those who want to try their hand at hacking into Google or their products have the ability to receive a significant amount of money if they are successful. Additionally, Google periodically holds contests with higher prizes being offered so there is the chance for ethical hackers to receive a significant reward for their time and effort.

Hacking into Government Data

The Pentagon, as well as the Army and the Air Force, have offered rewards for those who can hack into their data. These contests were designed to determine if there are any vulnerabilities that needed to be addressed as well as to make sure the data is as protected as possible from hackers.

The Army contest was intended to review the recruiting websites. In less than a month, ethical hackers found 118 vulnerabilities that needed to be patched.

Though these contests have ended, they were touted as being incredibly successful. Government data is already well protected, but the contest gave various parts of the government and military the chance to make sure the data is as secure as possible and fix any vulnerabilities they might not have found before the contest occurred.

Other Examples of White-Hat Hacking

Hacking contests and rewards are known as “bug bounties.” Many different high-profile companies have offered rewards to those who can find vulnerabilities in their computer systems or data, helping the companies make sure the data is as secure as possible against any cyber attacks. Enterprises that offer rewards or have offered them in the past include Yahoo, Microsoft, Facebook, and WordPress. They’ve paid out millions of dollars in bug bounties.

Contests and other reward programs for ethical hackers are often incredibly successful and can help significantly boost the security for the enterprise. Even when the enterprise employs security professionals to help protect their data, having outsiders look through everything more carefully can help the company make sure they’re doing as much as possible to prevent a cyber attack or a loss of data due to a breach in their security.

This also helps protect them from new threats, since those helping an enterprise will be able to find vulnerabilities that may not have existed in the past but could be a serious issue today.

The Ethical Hacking Community

Currently, there is a large community of people who work on white-hat hacking. Professionals who make this their job and those who just enjoy the challenge all have the chance to attend workshops, classes, and conferences to boost their skills and to learn more about what is changing in the world of security and how they can continue to help protect companies from any issues.

Conferences are held around the world and typically include guest speakers, demonstrations and more that the ethical hacking community might be interested in. One of the top conferences right now is DEF CON, which is held in Las Vegas, Nevada each year. Other conferences include ShmooCon in Washington, DC, Nuit du Hack in Paris, NorthSec in Canada, and ToorCon in San Diego.

These conferences are attended by thousands of people each year, with tickets selling out quickly for many of them. It is common for ethical hackers to attend multiple conferences to ensure they stay as up to date as possible with today’s security issues.

ShmooCon, for instance, has 2200 tickets available each year and sold out in 10.26 seconds in 2017. The conference includes contests, labs, talks by experts in the field, and more each year.

Are Ethical Hackers Certified?

It’s important for enterprises to make sure they are working with an ethical hacker they can trust. Unfortunately, there are people who may claim to be ethical hackers but who do not intend to be ethical in the end.

Instead, enterprises will want to look for a properly trained and certified ethical hacker. Certification is not easy to obtain and certified ethical hackers are more likely to be careful with making sure they help the companies they work with and will not end up causing more issues for the company. They understand the laws, how to hack ethically, and how to use what they know to help enterprises improve.

Contact PeopleSec Today

Enterprises that want to work with an ethical hacker they can trust should first look to the team here at PeopleSec. Our team of ethical hackers works with many different enterprises and organizations to help them find and correct security vulnerabilities within their networks. We provide all of the services needed to help businesses be as protected as possible against hacking and other cyber security issues.

The secret sauce for IT to Manage Risk – You would never guess it!

Over the last thirty years, the prevailing belief has been that process, technology and technique manage risk. While it is true that processes and engineering and technology controls play a significant role in a risk strategy, it is ultimately people who manage risk. The dilemma is that people are complicated: we don’t always act logically, and we can’t simply be prompted once to produce the desired outcome. We all carry quirks in our heads and in our gut responses, and when presented with uncertainty these cause us to act or behave differently. Sometimes raw emotion drives our actions, choices, and responses. Road rage is one example: compliant and safe on paper, but a major risk to others in the moment. If we do not factor people into our risk models, the result is a process that is very ineffective.

So how do we get our people to manage risk more effectively?

Well, it all starts with first educating the individual and group to recognize and understand the risks that they come across – overcoming risk blindness. From here there is an opportunity to shape their attitude towards those risks, which in turn affects behavior; and behavior shapes the risk culture of the organization.

The industry that, in my opinion, best illustrates risk management through people is health and safety, and construction in particular, mainly because failure there is tangible and visible. Companies with a strong risk posture operate with regular safety orientations, safety training, daily hazard assessments, incident reports, near miss reports, daily safety toolbox or team meetings, safety meetings, safety audits, and so on. The purpose behind the frequency and repetitiveness of this process is to help the individual and the group identify, assess, and manage the risks they see, or in other words to take ownership of the risks they encounter. The successful companies (large or small) are those that strategically use near miss reports: reports of an incident that did not cause damage or injury but could have.

Individualized Reports

These reports tell a story and allow for a tailored discussion with individuals and groups to reduce the frequency of such events and to correct the flawed thinking that led to the near miss. Some companies in the construction industry will argue that they hold all those meetings, fill in all those forms, and still have a weak risk posture. The problem is that they are going through the motions of safety compliance but have failed to reach the individual.

Full disclosure: while I think this industry is a leader in risk management, it is also rife with bureaucracy. The system can get caught up in the process of compliance, creating a false sense of security and losing the spirit of the main objective, which is keeping people safe. Again, it is people that manage the risk, not the process.

The notion of people managing risk should not be a surprise in the IT world, where many technologists are employed just to manage the aftermath of end-user actions, despite the technology solutions in play.

We need to do a better job of seeing and understanding where people are coming from: the psychology of human thinking and, more importantly, how bias plays a role in risk assessment. This will make our processes far more effective and, yes, keep our IT people sane.

Teachable Moment to Employees: Enterprise Cyber Leaders: iOS 9.3.5

If not for an ordinary, non-technical computer user, the urgent iOS 9.3.5 security patch of 25 August 2016 would not have happened. Researchers assert that hackers had been exploiting this zero-day vulnerability in the wild for over a year. Yet the vulnerability was not detected by technology. A pro-democracy activist, Ahmed Mansoor, received a text with a link he considered suspicious and sent it to experts to analyze. Anecdotes such as this are growing in number: motivated, informed users are spotting what technology misses, and at the beginning of the kill chain. This is what I like to call a teachable moment.

Teachable Moment

Enterprise cybersecurity leaders can use stories such as this one as teachable moments to better prepare for future scenarios. Cybersecurity is ultimately a people problem. Training alone motivates few to change and to learn. ‘Teachable moments’ bind a relatable or actual experience to what otherwise seems an estranged abstraction to employees. They also make it plausible to employees that they too can make a meaningful impact. Again, cybersecurity is a people problem, and people react to change much like objects in Newtonian physics: unless acted on by an outside force, they tend to stay put.

This particular story has so many interesting elements that it is difficult to stay focused on just this one ‘teachable moment’. Here are a few essential highlights you can point out to your employees:

  • An ordinary, non-technical user received a text with a link he considered suspicious
  • Experts (Citizen Lab) analyzed it (it was also analyzed by Lookout)
  • The researchers found that the link exposed iPhone/iPad users to malicious code that exploited a vulnerability unknown to Apple
  • The researchers reported their findings to Apple
  • Apple released the 9.3.5 security patch within weeks
  • We are all a little safer

Employees can make a meaningful impact without becoming experts and without being given expensive tools with steep learning curves. But this won’t happen without motivating them. Why not use this iOS 9.3.5 security patch as a teachable moment? Mention doing so at your next board of directors briefing on cybersecurity risk management. Motivate employees to be human sensors instead of liabilities.