A special thanks to the helpful computer security expert who wants to remain anonymous because of his work.
When you read the title of this article you probably thought something like: ‘Come on, hackers, benefactors? Well … that’s bullshit!’. The reason is that when we think about ‘hackers’, the first thing that comes to mind is more likely that of a solitary teenager shut away in his garage trying to hack the web. These script kiddies, however, represent only a tiny fraction of the active cybercriminals in the world. As the cybersecurity specialist James Lyne highlighted, ‘cybercriminals are wonderfully professional and organised’ today, like the cyber espionage group Fancy Bear.
WHO ARE THEY?
The term ‘hacker’ can mean anything and nothing at the same time. It does not apply only to the field of computing (that will be the subject of a future article), and it is generally perceived negatively. Did you know that several types of ‘hackers’ can be distinguished?
The first are the black hats, the ones who scare us, the ones we mistakenly think of when we say ‘hacker’. They steal identities and data and illegally enter systems. A black hat is a person who ‘violates computer security for little reason beyond maliciousness or for personal gain’ [1]. You have probably heard about the cyberattack against Ukraine in December 2015, in which the spread of the ‘BlackEnergy’ malware disrupted electricity for many homes, or about the Facebook hack in September 2018 that allowed hackers to access 50 million user accounts thanks to the ‘View as’ feature.
Then come the grey hats, who illegally use systems’ vulnerabilities to send a message or defend a cause. For those who know the famous television series Mr Robot, Elliot Alderson is a good example, and for those who do not know it yet, it is a good reason to watch it.
Lastly, the white hats are the ethical hackers, whom we would rather call computer security experts. They are the ones we are going to focus on in this article. They work to find vulnerabilities and fix them, improving the security of systems for the greatest number of people.
WHY DO WE NEED THEM?
In 2017, cybercrime represented 172 billion euros and affected 44% of consumers in the world, according to the 2017 Norton Cybersecurity Insights Report. But these are just the numbers we can measure. For example, you respond to a call for tender, but you lose the contract for an unknown reason. Maybe one of your competitors had access to your data, discovered your proposal, made a better one, won the contract, and you would never even know it! This is not to make you paranoid but to show you that some things are difficult to trace.
Today, cybercriminality not only makes individuals, businesses and states lose a lot of money, but also has an impact on real life. Control of the web obviously shapes the balance of power. This is why it raises economic and strategic issues (political, technological, military…). Remember Snowden’s revelations about the NSA’s use of cyberattacks to detect vulnerabilities in other countries’ systems in order to take a strategic lead. This is a good example of the industrialisation of espionage and of the high technical level of today’s cyberattacks.
As the cybersecurity expert Keren Elazari rightly pointed out in her TED talk, ‘hackers are a force for social, political and military influence. As individuals or in groups, volunteers or military conflicts, there are hackers everywhere. They come from all walks of life, ethnicities, ideologies and genders, I might add. They are now shaping the world’s stage.’ Far from this picture, in every good crime TV series there is the caricature of a geek with his laptop and glasses, using incomprehensible vocabulary, having social difficulties, and helping the team find the culprit.
So cybersecurity has unquestionably become one of the biggest international stakes and a core business issue. Consequently, cybersecurity experts (our ‘white hats’) are a key resource of our worldwide ecosystem.
WHAT DO THEY DO?
There are two practices that the largest groups and organisations are using more and more.
The first practice, used by many companies such as Facebook, Microsoft and Google, is called ‘bug bounties’. They pay cybersecurity experts, operating within a legal framework, to find zero-day vulnerabilities, with rewards scaled to the criticality of each finding. Zero-day vulnerabilities are the ones that have not been published or for which no patch exists. Such a vulnerability means that no protection exists, so it is essential that it be identified before malicious hackers (our previously mentioned black hats) get their hands on it, because exploitation can be very costly for the company that falls victim to it. Some exploit acquisition platforms, such as Zerodium, buy and sell vulnerabilities; Zerodium offered 1 million dollars to anyone who succeeded in hacking iOS 9.
The second practice is to hire a cybersecurity company that will use several testing methodologies, such as penetration testing or code audits, to assess the security of your organisation. In this case, what is going to happen? As a simplification, we will talk about three key points:
- Compose the teams
The cybersecurity company will provide an offensive team, the red team, which will be in charge of finding the vulnerabilities in your systems and making recommendations.
Your Security Operations Center (SOC) or administration team will be the defensive team, the blue team.
- Define a scope of action
Within which framework will they operate? What should they test?
You may choose white box testing. This means that the red team knows how your internal systems work. It will surely find vulnerabilities more quickly, but you will also have more grounds to contest the results of the test, since you gave them information about your systems.
You can also use black box testing. The red team knows nothing about your internal systems. It is therefore more difficult for them to get in, but it is often a much more instructive experience for you (Damn … how did they get access to the boss’ mailbox?!).
- The time of the restitution meeting
The red team, the blue team and the decision makers of your company meet. The red team will explain how they proceeded, the vulnerabilities they found and, where possible, how to correct them. It is the touchiest part of the job, because cybersecurity experts still have complicated relations with those who hire them. Obviously, it is always difficult to admit the existence of vulnerabilities in one’s own systems, especially when an entire team (the blue team) has been hired to deal with them…
This is why, as Keren Elazari says, these ‘ethical hackers’ are ‘the immune system for the information age’. In fact, they have ‘an evolving effect on technologies we use every day’, because they allow our security systems to be improved a little more each day. We need them as much as we need to become knowledgeable and concerned about the security of our data!
I hope that this article has changed the way you think about ‘hackers’ and that it has increased your interest in cybersecurity.