Naked Security

Ethical hacking: should you pay a white hat to break in?

Naked Security reporter Paul Ridgewell thinks it's odd to attach the word 'ethical' to an activity that's usually considered criminal - do you agree with him?

Naked Security is reporting this week from Cloud Expo, Europe’s biggest digital transformation show. 

In a bijou booth at London’s CloudExpo, BlackBerry, the much-diminished former behemoth of the mobile sector, was quietly plying its trade. BlackBerry describes itself as “a mobile-native security software and services company” and was there to promote its professional cybersecurity services, which it acquired following the February 2016 acquisition of Encription Ltd, a specialist in penetration testing.

So now, should you wish, you can get BlackBerry round to mess with your systems, while paying for the privilege. They’ll get up to no good, then write you a report telling you all the stuff you’re doing wrong. This, then, is the odd world of the ethical (or “white hat”) hacker, a somewhat shady-sounding occupation that uses penetration-testing techniques to assess IT security and identify vulnerabilities.

Sure, it serves a useful purpose, but it’s a bit weird still, isn’t it? It’s basically analogous to paying an “ethical burglar” to break into your house, or a “white hat mugger” to have a go at stealing your phone. You never hear about those, though, which is something of a shame. There must be thousands of charmless chancers out there desperate to get certified by the council and go out thieving for the greater good. Or, better still, much like that old Kate Bush song, set up in the faithfulness-testing racket, put on a white hat and run around propositioning spouses.

It doesn’t happen though, does it? Or maybe it does, somewhere. Perhaps in the higher echelons of society that we don’t ordinarily get to hear about there are ethical burglars paid for by the likes of the Candy brothers to test the security of plutocrats’ pads. But, on the whole, in the round, the concept of attaching “ethical” to a criminal activity seems only to apply to cybersecurity. As I say, it’s odd.

You can even get a degree in it: in 2016, Scotland’s Abertay University established what it described as the world’s first undergraduate degree in Ethical Hacking, a surely useful and practical course of study that aims to provide students with experience “investigating, analysing, testing, hacking and, ultimately, protecting real-life systems through the development of countermeasures.” Its primary aim, the university states, is “for someone to arrive on this programme as a student and leave as an ethical hacker”.

For the less committed there is also the option of a few more modest qualifications, including the Certified Ethical Hacker (CEH) certification from the EC-Council. And much like the banal suggestion that one should “set a thief to catch a thief”, a canard that clearly implies the police’s refusal to recruit exclusively from the criminal community is entirely misguided, the EC-Council states that, “To beat a hacker, you need to think like a hacker.” Well, no, not really.

It pays quite well though. PayScale states that the median salary of an ethical hacker is around $72,000, rising at the top end to well over $100,000. So why not? And calling yourself an ethical hacker means you get to signal not only virtue, but a certain edginess also. It doesn’t get better than that.

Do you agree with Paul’s opinion on this? Let us know in the comments.


9 Comments

That’s just called penetration testing and has been around for a while; the “ethical hacker” label is just a marketing stunt by the people who offer courses on it.
Also yes, there is an equivalent of “ethical burglar” – namely “physical penetration testing” (although now that I mention it that’s probably the reason for the “ethical hacker” label).

A mate of mine was thinking of getting out of the banking industry, and got quite excited at an advert he saw for ‘penetration tester’. We had to tell him that no, it wasn’t what he thought it was.

Intentions (whether one means to do harm or good) and outcomes (whether one actually does harm or good) both matter when it comes to evaluating the moral value of an action. Ethical hacking meets the standard for good behavior by both criteria.
Sincerely,
An Ethics Professor

No, I don’t agree with Paul on this, not even a little. I think it makes a tremendous amount of sense for a company to hire outside experts to look for holes in network defenses that have been overlooked by day-to-day staff. I think more companies should do the same thing. By definition hackers do things other people don’t think about, so why shouldn’t a company hire experts to investigate how vulnerable their site might be? From all the reports of unsecured databases and servers parked on the Internet it sounds to me like more companies should be doing the same thing. And why isn’t it ethical if the pen tester has permission from the owner to test the system?

No, I’m not a hacker – white hat or otherwise – I don’t have the skills. But I think it’s pretty bogus to compare pentesting a corporate network to hiring a mugger to steal your phone. Frankly, this piece reads like Paul had to write a column about Cloud Expo but couldn’t find anything interesting.

This is penetration testing and is a fairly mature industry. Ethical hacking is just another name. There is also an accreditation body for the industry (link removed). CREST provides accreditation for companies that provide penetration testing services, so buyers of these services can be assured that they are of the highest quality and are backed by an enforceable code of conduct. It also provides professional qualifications for individuals.

Worth checking out CREST’s guide to procuring penetration testing (link removed).

The key aspects are: 1. Whitehats should never have been “unethical”, so you can trust them. EC-Council does a background check before certification. 2. Ethical hackers never do anything without a contract first, unlike bug bounty hunters or black hats that may hack without permission and then tell the company.

Bug bounty hunters do have permission. You won’t get the bounty unless you follow the rules.

Yes. In essence the question is “should you test your software?”.

Alternative analogies might be banks doing financial stress tests, militaries running red flag exercises, sparring in martial arts or even the scientific method.

This article is full of misinformation. I’ve been a penetration tester for several years and I can tell you that you do indeed need to think like a hacker to do this job. If I present my findings to a CEO showing a screenshot of a shell, he or she is not going to be impressed. If I present a screenshot showing the shell and sensitive data such as credit card numbers or sensitive proprietary data, I will have their attention. Post exploitation is as important as the technical skills and yes, you have to think like a criminal to determine what would cause the client financial loss.

I do physical penetration testing as well, so the idea that this only applies to the cyber world is also inaccurate.

White hat / ethical hacker / penetration tester: they’re all the same job. Also, if you’re doing it for 70k, you’re getting ripped off. Look for a new job.
