Ethical hackers: putting on the white hat (Feature)
Section snippets
Starting out
The barriers to entry to becoming an ethical hacker are pretty low, according to Chris Larsen, senior malware researcher at Blue Coat Systems. “Buying or building a cheap computer and putting Linux, Apache, MySQL and PHP on it will get you started,” he says. “Just set up a simple website on your box, hook it to the Internet, and start watching your server logs. You'll see the hackers coming to you in no time.”
He adds: “Ethical hackers have a valuable role to play
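Larsen's suggestion above is to run a small LAMP box and watch the server logs. The following is an added example (not code from the article or from Chris Larsen) of what "watching the logs" can look like once it is automated: it parses a few constructed Apache combined-format access-log lines and groups them by client address, flagging sources that request well-known administration-panel paths, send a recognisable scanner User-Agent, contain directory-traversal sequences, or produce a high ratio of 404 responses. The probe-path list, the scanner strings, the thresholds and the sample lines are all assumptions chosen for illustration, not values from the article.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not from the article).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2011:08:01:12 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2011:08:01:15 +0000] "GET /about.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2011:08:02:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "ZmEu"
198.51.100.7 - - [10/Mar/2011:08:02:01 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "ZmEu"
198.51.100.7 - - [10/Mar/2011:08:02:02 +0000] "GET /myadmin/ HTTP/1.1" 404 209 "-" "ZmEu"
198.51.100.7 - - [10/Mar/2011:08:02:02 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
192.0.2.9 - - [10/Mar/2011:08:03:30 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 403 199 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Mar/2011:08:04:00 +0000] "GET /contact.html HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""

# One regex for the combined log format: client, identd, user, timestamp,
# request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed heuristics: paths that real sites rarely serve but automated scanners
# request constantly, and User-Agent substrings of well-known scanning tools.
PROBE_PATHS = ("/phpmyadmin", "/pma", "/myadmin", "/wp-login.php", "/.env", "/w00tw00t")
SCANNER_UAS = ("zmeu", "masscan", "nikto")


def parse_line(line):
    """Return a dict of log fields for one line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every well-formed line of a log; malformed lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def classify(rec):
    """Per-request indicators; an empty list means nothing stood out."""
    reasons = []
    path = rec["path"].lower()
    if any(path.startswith(p) for p in PROBE_PATHS):
        reasons.append("probe-path")
    if "../" in path or "..%2f" in path:
        reasons.append("traversal")
    if any(s in rec["ua"].lower() for s in SCANNER_UAS):
        reasons.append("scanner-ua")
    return reasons


def summarize(records, min_requests=3, max_404_ratio=0.5):
    """Aggregate per client address and return {ip: sorted list of flags}.

    A client is also flagged '404-burst' when it has sent at least
    min_requests requests and more than max_404_ratio of them were 404s,
    which is the typical footprint of blind path guessing.
    """
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "flags": set()})
    for r in records:
        stats = per_ip[r["ip"]]
        stats["total"] += 1
        if r["status"] == 404:
            stats["not_found"] += 1
        stats["flags"].update(classify(r))

    suspicious = {}
    for ip, stats in per_ip.items():
        if stats["total"] >= min_requests and stats["not_found"] / stats["total"] > max_404_ratio:
            stats["flags"].add("404-burst")
        if stats["flags"]:
            suspicious[ip] = sorted(stats["flags"])
    return suspicious


if __name__ == "__main__":
    for ip, flags in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {', '.join(flags)}")
```

On the constructed sample the ordinary visitor (203.0.113.5) produces no flags, the scanner at 198.51.100.7 is reported for probe paths, a scanner User-Agent and a 404 burst, and 192.0.2.9 is reported for the traversal attempt. In practice the same loop would read the live access log (for example by tailing it) and feed the flagged addresses into whatever alerting or blocking mechanism the site uses; the thresholds are deliberately parameters, since a site with many broken links will need a higher 404 ratio before a client is considered suspicious.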
Training
Enterprises must address network security concerns and – almost as important – must be able to show a world full of regulators and auditors that they are doing so. James Foster, principal consultant at Acumin Consulting, points out that recent regulations such as the Sarbanes-Oxley Act and the UK's Code of Connection have provisions that require networks (wired and wireless), firewalls, databases, servers, applications and mobile devices to be checked thoroughly for vulnerabilities. For this
Bedroom to boardroom
White hats have come out of the back bedroom and are heading for the boardroom. Ian Glover, president of CREST, a not-for-profit organisation that offers certification training, says: “The term ethical hacker still has negative connotations associated with someone working alone in a bedroom on a computer and skirting on the fringes of legality and ethics. The reality is very different. The penetration testing or ethical security testing industry is well organised, with highly professional
White hat skillsets
Jeff Schmidt, executive global head of business continuity, security and governance at BT Global Services, believes effective ethical hackers need a range and depth of skills. “Becoming a white hat is more than just taking a few classes and getting a CEH accreditation. To be an effective white hat, you must learn the fundamental systems and tools that they work and interface with on a daily basis. It is more than using just tools. Tools are good for a baseline analysis, but to be effective one
Employment
The increasing number and complexity of threats facing enterprise networks is creating a rising demand for ethical hackers either on staff or under contract. BT's Schmidt says: “Today's networks are a myriad of systems, applications, hardware and end points. On top of a heterogeneous environment, add in the rate of change in technology, frequent updates and patches that happen inside the production environment, compression of the IT workforce, multi-person developed applications and a continued
Web application vulnerabilities
Researchers at WhiteHat Security found that the average website has serious vulnerabilities more than nine months of the year. The latest threats are to web applications. HP carries out regular research tracking the activities of black hats and its ‘2010 Top Cyber Security Risks Report’ identified a significant increase in the volume of organised cybercrime targeting datacentres and networks [1].
The report indicates that while the majority of attacks are against known and patched security
Starting points
Today's ethical hacker needs to work within the business case of the enterprise, assessing the value of the assets being protected and the costs of protecting them. John Stock, senior security consultant at Outpost24, says three key questions must be asked to ensure that an effective test is carried out. What is the company trying to protect? What is the company trying to protect against? And how much time, effort and money is the company willing to expend to obtain adequate protection? Once
Career development
Ethical hackers need to invest considerable time in keeping up with the world of network security, including architectures, devices and communication protocols, multi-vendor operating systems, applications and security software. There is also a need to keep up to date with how the technology is applied within different industry sectors and evolving standards and approaches to security.
Mick Scott, security director at Deloitte, specialises in cyber-threats and penetration testing. “It requires a
About the author
Tracey Caldwell is a freelance business technology writer who writes regularly on network and security issues. She is editor of Biometric Technology Today, also published by Elsevier.
References
[1] HP TippingPoint DVLabs, ‘2010 Top Cyber Security Risks Report’.
Cited by (24)
Ethical hacking for IoT: Security issues, challenges, solutions and recommendations
2023, Internet of Things and Cyber-Physical Systems
Hacker types, motivations and strategies: A comprehensive framework
2022, Computers in Human Behavior Reports
Citation excerpt: These types of hackers are known for garnering public and media attention by targeting high profile victims, posting on their social media accounts (Conger & Popper, 2020) or leaving boastful and demeaning messages on social media accounts/dark web forums/targeted devices' displays (Sussman, 2019). Old guards use customized codes/scripts/penetration testing tools to reveal vulnerabilities in existing systems such as websites, software, and servers/computers/devices, find new malware using professional honeypots, and track malicious hackers using cyber forensic techniques (Caldwell, 2011; Palmer, 2001). They may take over the vulnerable system and inform their owners about the vulnerability directly, or report the vulnerabilities to concerned companies, security researchers or relevant authorities, or decide to make the vulnerability public.
The simulated security assessment ecosystem: Does penetration testing need standardisation?
2016, Computers and Security
Citation excerpt: A study by Guard et al. (2015) assessed the characteristics of students most suited to conducting penetration tests within testbed environments. Skillset requirements and career development of penetration testers were discussed at a high-level by Caldwell (2011). Qualifications were explicitly referenced, which include three of the UK bodies, namely CHECK, CREST, and the Tigerscheme, along with the more internationally focused EC-Council Certified Ethical Hacker (CEH) and ISC2 Certified Information Systems Security Professional (CISSP).
It takes a pirate to know one: ethical hackers for healthcare cybersecurity
2022, BMC Medical Ethics
Enacting social engineering: the emotional experience of information security deception
2022, Crime, Law and Social Change