When you hear the words “hackers” or “hacking,” what comes to mind? Do you picture faceless people in hoodies, or Guy Fawkes masks? Or maybe bank robbers wearing gloves hiding in dark basements behind glowing laptops as they wreak havoc on governments, businesses, and healthcare systems? If you do, you’re not alone. Unfortunately, that’s probably what most people imagine due to the bizarre depictions used by media and various marketing departments.
Despite these strange portrayals, it’s important to remember that hackers are regular people in regular clothes. And it’s even more crucial to realize that not all hackers are bad! In view of this, the November SENewsletter, will introduce you to another type of hacker. Security-focused professionals, women and men who consider themselves “white hat” or “ethical hackers.” They’re the good gals and guys working to protect private and public entities. In fact, their tireless work impacts nearly every aspect of your life.
This month’s newsletter also includes exciting news about our upcoming Social Engineering Capture The Flag (SECTF) Webinar, and The Human Hacking Conference.
Black Hat, Grey Hat, White Hat
The security community typically recognizes three overarching types of hackers: ‘black hat’, ‘grey hat’, and ‘white hat’. Although these labels can also be seen on a sliding scale, generally, hackers identify most strongly with one category on a day-to-day basis. Are you wondering, “Which color hat represents the ethical hackers?” We’ll break it down for you. Let’s first look at the black-hat hacker.
Black Hat
The black-hat hacker has malicious intent and is willing to engage in illegal activity. Simply labeling these people as “hackers,” is a misnomer. Since they use their hacking skills for illegal action they are “criminals.” They may be an amateur working alone, they may belong to a gang or underground organization, or they could even be working under a nation-state. In any case, they could be highly skilled and have knowledge of computers, hardware, software, networks, along with the ability to bypass both protocols and people. They may also write malware and create other means of exploiting systems.
Their goal usually is to steal login credentials, financial data, and personal information. They may also seek to deceive people and systems, deny or disrupt services, and modify or destroy data. What’s their motivation? Money is the big incentive for most. Thrill-seeking also plays a part, as do strong beliefs and sometimes, direct orders. These people don’t gain permission to hack, and therefore act as black-hat hackers and become criminals. Next, there is the grey-hat hacker. Because, as you know, life is not always black and white…
Grey Hat
The grey-hat hacker pokes around for weaknesses and vulnerabilities without proper approval or permission. Once this hacker finds an issue, they’ll typically report it and sometimes request a fee to fix the issue. If the owning entity doesn’t agree to pay or refuses to acknowledge or address the issue themselves, the grey-hat hacker may threaten or actually post the vulnerability publicly online for all the world to see and potentially exploit maliciously. Their activity is usually considered illegal, because of not receiving permission to act in the first place. Unfortunately, for some well-meaning hackers, finding flaws and reporting them have led to serious legal action. This internal dilemma on whether to even report a finding for fear of undue consequences can tear at a grey-hat hacker. Finally, we arrive at white-hat hackers.
White Hat
White-hat hackers are the good gals and guys; they are security experts also known as ethical hackers. Often, white-hat hackers use similar hacking methods as black and grey hats with one very important exception—they have permission to hack. As is the work Social-Engineer, LLC performs for its clients, the white-hat hacker’s actions are 100% legal. Organizations hire them to test security systems, perform penetration tests, execute vulnerability assessments, run phishing campaigns, and more.
From Black Hat to White Hat
Once a bad actor always a bad actor, right? Thankfully, we can say, “No.” Some hackers have taken off their “black hat,” so to speak. For instance, Eric Taylor, aka CosmoTheGod, describes his personal journey on our January 2018 SEPodcast. And he’s not the only hacker to change from black to white hat.
Ethical Hackers Are Necessary
Ethical hackers fill a vital role in security—and society—in various ways. For example, they search for system flaws or serious vulnerabilities. They then make repairs or patches before criminals can exploit the system and its users and stakeholders. The software industry greatly benefits from the skills of ethical hackers, among every other major vertical. For instance, during 2018, ethical hackers found software vulnerabilities that averted crises in ten major companies.
Government agencies and corporate industries have taken note of white-hat hacker programs’ success and benefits. For example, there was a 26% increase in organizations running bug bounty programs to bolster their applications and systems. A bug bounty program, also known as a vulnerability rewards program, is a crowdsourcing initiative. Cash rewards are paid to software security researchers and ethical hackers who find and report on software vulnerabilities that could be exploited.
For example, the Pentagon now routinely runs bug bounty programs to strengthen its security posture. During the September 3-18, 2019 Hack the Proxy program, the Pentagon gave 81 ethical hackers from around the world access to probe the department’s Virtual Private Networks (VPN), virtual desktops, and proxies. The Pentagon released its results on October 14, 2019. What did the ethical hackers find? They discovered 31 vulnerabilities; nine considered high severity, and 21 with medium/low severity. As a result, the Pentagon now has actionable data to shore up its security defenses.
The popularity of implementing ethical hackers in general is greater than ever before. As can be seen, the concept is being adopted by commercial and other government entities worldwide.
More Ethical Hackers Needed
Now, some scary numbers. Cybercrime is forecasted to cost the world $6,000,000,000,000 by 2021. Additionally, it’s projected there will be 3,500,000 unfilled security positions by 2021. These unfilled jobs are partly ascribed to the gender gap shortfall, as women represent just 20% of the global security workforce. In view of these stats and forecasts, it’s clear that there are simply not enough security experts, nor helpful technology or education, to keep pace with the threats and attacks targeting commercial and government sectors. This sounds bleak, however, there’s another way of looking at the situation. If you’re searching for a career with job security, look no further! Ethical hacking is a vital career path now, and for years to come.
A Path to Ethical Hacking
It may surprise you to know that ethical hacking does not require strong technical skills to start with. If a person has a desire to learn, technical skills can be taught and developed along the way. Strong verbal and written communication skills, as well as interpersonal skills, and the ability to stay cool under pressure are pluses. Security expert, social engineering pioneer, and CEO of Social-Engineer, LLC, Chris Hadnagy notes that critical thinking and the ability to adapt, flex, and change methods is necessary. He also says that although he needs his employees to think like the black hats, he wants them to care about the clients and end users. With that in mind, Hadnagy’s motto is, “Leave others feeling better for having met you.”
Does this field interest you? If so, try hacking (legally) in your spare time. In fact, there are many online free Capture the Flag sites that allow people to learn and practice legally. A quick search for “vulnerable vms” and “online ctf” will provide a wealth of resources. Make a hobby of poking around and exploring ways to “do better,”—whatever it may be that you’re examining. Challenge yourself to not only break things – but to fix and defend them. Perhaps today’s problems could be tomorrow’s solution, thanks to you. Dive in and get your hands dirty to see what really clicks for you—hardware, software, systems, applications, awareness, architecture, intel, analysis, response, blue, purple, or red teaming. A career in security and ethical hacking can mean a hundred different things. And, like the motto of Social-Engineer, LLC, find the reasons, or things to keep yourself hacking ethically.
Reach out to the Community
To learn and appreciate the history of security, its current state of affairs, and its future outlook, we encourage you to engage in-person or online with security folks. Many hackers are present on Twitter. Almost every major city internationally hosts a hacker conference within the BSides network. There are plenty of other events for security folks, too. Plus, for as over-worked as they always are, many security folks and hackers are surprisingly available and willing to talk to anyone (given that you inquire in a thoughtful, respectful manner).
If you want a potential boost among candidates when job-searching, you can also look into obtaining security-related certificates. Popular ones include the beginner-to-mid-level’s Security+ and CEH, the hands-on OSCP Certification, and the professional’s CISSP.
Human Hacking
There’s another discipline within hacking that focuses on human vulnerabilities in addition to system vulnerabilities, called human hacking.
Criminals discovered it’s often easier to target people within an organization, rather than to implement a technical attack. For this reason, a growing trend within security is to study how criminals use social engineering. You may be wondering, “What exactly is social engineering?” We define it as, “The act of influencing a person to take action that may or may not be in the person’s best interest.”
The growing relevancy of social engineering led to a specialized group of hackers. Some of these people are white-hat hackers who study and implement social engineering techniques to influence humans. These human hackers ultimately use their skills to help strengthen people and organizations!
Social Engineering Awareness
A core objective at Social-Engineer.org is to educate organizations and individuals about the threat malicious social engineering poses. With this goal in mind, since 2010, we have been hosting The Social Engineering Capture The Flag (SECTF) at DEF CON.
This event provides a live demonstration of the techniques and tactics that potential malicious attackers use. Security professionals and corporate leadership see first hand how employees within an organization can be hacked—i.e., influenced, to give up sensitive information that could potentially be used to launch a cyber attack.
Now, some exciting news! The results from this year’s SECTF, will be discussed by @humanhacker and @joemontania, on November 13, 2019. You can register for the free webinar here. Please, sign up quickly! In the meantime, check out this newsletter and blog for fun facts and details about the SECTF history.
Learn More at the Human Hacking Conference!
Does social engineering appeal to you? Would you like to learn how to “read” minds? Would you like to understand how to decipher key body language signals? Or, perhaps you want to understand how people make decisions, as well as, how to influence their decisions. If your answer is “Yes” then The Human Hacking Conference is for you! It aims to teach anyone, including business, security, technology, and psychology professionals, the latest techniques in hacking thoughts, actions, and other humans.
At The Human Hacking Conference, you’ll learn the advanced art and science of social engineering from renowned leaders in behavior, physiology, deception, technology, and psychology. You’ll also learn from world-class speakers, including former FBI agents, con artists, criminal investigators, TV consultants, and best-selling authors, as they share their knowledge and experience in all things relating to social engineering.
Register now and join us in Orlando, FL, for this cornerstone educational event!
Have We Broadened Your View of Hackers?
At the beginning of this newsletter, we asked, “What comes to mind when you hear the words ‘hackers’ or ‘hacking’?” The next time you hear those words, will you think beyond the stereotype of faceless bodies in hoodies and comical attire? We certainly hope so. As you’ve seen, ethical hackers are filling a vital role in society affecting each one of us!
Written by: Social-Engineer
Sources:
https://www.social-engineer.org/category/newsletter/
https://www.social-engineer.org/sevillage-def-con/the-sectf/
https://www.sevillage.org/
https://us.norton.com/internetsecurity-emerging-threats-what-is-the-difference-between-black-white-and-grey-hat-hackers.html
https://www.paloaltonetworks.com/cyberpedia/what-is-malware
https://www.social-engineer.com/
https://www.social-engineer.org/podcast/ep-101-flash-bangs-reformation-social-engineer/
https://hub.packtpub.com/10-times-ethical-hackers-spotted-a-software-vulnerability-and-averted-a-crisis/
https://www.hackerone.com/sites/default/files/2018-07/The%20Hacker-Powered%20Security%20Report%202018.pdf
https://whatis.techtarget.com/definition/bug-bounty-program
https://www.businesswire.com/news/home/20191014005056/en/30-Security-Vulnerabilities-Surfaced-33750-awarded-Hackers
https://cybersecurityventures.com/jobs/
https://cybersecurityventures.com/jobs/
https://whnt.com/2018/10/01/fraud-summit-held-in-huntsville-officials-warn-against-caller-id-spoofing/
https://www.social-engineer.org/general-blog/women-needed-in-cybersecurity/
https://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-05-issue-61/
https://www.social-engineer.org/framework/general-discussion/code-of-ethics/
http://www.securitybsides.com/w/page/12194156/FrontPage
https://infosec-conferences.com/
https://www.comptia.org/certifications/security
https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
https://www.isc2.org/Certifications/CISSP
https://www.social-engineer.org/framework/general-discussion/social-engineering-defined/
https://www.wsj.com/articles/the-man-who-hacks-your-people-1429499479/a>
https://www.social-engineer.org/
https://www.defcon.org/
https://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-09-issue-118/
https://www.social-engineer.org/general-blog/sectf-8-years-review-2010-2017/
Image:
https://empresas.blogthinkbig.com/ethical-hacking-continuo-las-buenas/
Ethical hakers will be out only hope in the future.