A Look Inside the World of Ethical Hacking to Benefit Security
What makes a good hacker, and how can the ethical ones strengthen enterprise cybersecurity?
Ethical hackers can go by different names: white hats, penetration testers, and pen testers among them. The big differentiator between ethical hacking and malicious or criminal hacking is intent, and in practice the authorization of the system's owner to test it. The process of hacking itself is the same: find ways to gain access to a computer system or network.
“Ethical hackers don't maliciously trigger exploits on vulnerabilities that they find. Their goal is to notify the company or the organization that they have a problem in hopes that they'll fix it,” explains Jason Kent, hacker-in-residence at Cequence Security, an API security and bot management company.
InformationWeek spoke to cybersecurity leaders about what it takes to become a hacker and how these people can strengthen enterprise security.
What Makes a Good Hacker?
If you had to boil down hacking to a foundational trait, it might just be curiosity. Hackers want to break something apart to figure out how it works.
“Hackers are curious people that are looking to solve problems in interesting ways. The more elegant, the better the hack,” says Kent.
For many people who build careers in hacking and cybersecurity, that curiosity is apparent from a young age.
As a child, Nabil Hannan took apart toys, electronics, and computers. “I would constantly be breaking them and destroying them, but inherently, I was interested in learning how things work,” he shares. Today, he is the field CISO at cybersecurity company NetSPI.
Eivind Horvik always liked to see behind the scenes of movies and TV shows. That curiosity turned to hacking early on. During his childhood, he discovered a laptop left on top of a dumpster. “I ended up working with a family friend, and he taught me how to break Windows passwords,” he tells InformationWeek.
Together, they tried to piece together who the original owner of the laptop might be, and eventually turned the laptop over to the police. After that early introduction, Horvik was all in on hacking. In his teen years, he attended cybersecurity conferences, showed his high school IT department how to fix a blue screen bug, and mentored other kids through CoderDojo.
The connections he made at cybersecurity conferences when he was a teen helped him land his first job in cybersecurity. Now, Horvik is a contracted cybersecurity engineer with SunStream Business Services, a managed IT provider.
Over the course of his career, Hannan has managed a lot of hackers. NetSPI even offers a paid training program for people who want to become penetration testers: NetSPI University.
“What I've learned over that time is I can't teach someone to be clever,” he shares. Knowledge can be taught, but that cleverness Hannan refers to is an innate ability to think outside of the box when approaching problem solving.
Is Ethical Hacking Misunderstood?
Outside of the IT and cybersecurity communities, hackers often conjure images of criminals behind keyboards. Kent knows from personal experience that an ethical hacker’s attempts to help may be met with outright suspicion.
Roughly 10 years ago, Kent bought a new garage door opener that he could operate with his phone. In keeping with the curious nature of a hacker, he picked apart its API. A friend of his who lived thousands of miles away had the same garage door opener, and Kent exploited a vulnerability to remotely open that friend’s garage door.
If Kent could do this, someone else with malicious intent could, too. He attempted to explain the problem and ask for a fix on the company’s customer support line to no avail. He eventually Tweeted about the issue, which finally elicited a response.
“It wasn't somebody from their security team, wasn't somebody from their product management team. It was someone from their legal team,” he says. “They thought I wanted to extort them in some way.”
His motivation was not extortion; he wanted to prevent that vulnerability from being exploited and leading to unauthorized open doors. Eventually, Kent was able to show the company’s engineering team how to recreate the flaw so it could be fixed. But it was clear that the immediate reaction was one of suspicion.
“For one reason or another, hacking is intrinsically linked in people's minds with criminal activity, even though I think the vast majority of the interest in hacking is completely unrelated to organized crime,” says Horvik.
In his experience, Horvik has found that ethical hackers tend to be people who simply love computers. “We aren't villains, and we aren't scary. And a lot of us are really, really passionate. We don't bite. We just like computers,” he shares.
What Can Ethical Hackers Do for Enterprises?
Hacking is a broad term, and the people who operate in this sphere often have different specializations. Hackers may focus on testing networks or web applications, for example. While there can be many different silos and areas of focus within the ethical hacking community, enterprises tend to interact with these experts in a few different ways.
Penetration testing is a common connection between enterprises and ethical hackers, and one often driven by compliance requirements. Larger, more mature organizations may employ penetration testers internally in addition to contracting with third parties, while many organizations rely solely on third parties.
Enterprises may also engage ethical hackers to participate in red teaming exercises, simulations of real-world attacks. Typically, these exercises have a specific objective, and ethical hackers are free to use whatever means available to achieve that objective.
Hannan offers a physical security assessment as an example of a red teaming exercise. “Walk into a building, find an unlocked computer, and plug a USB device into the computer,” he details. “That might be one of your objectives. How do you get into the building? Do you impersonate a delivery person? Do you impersonate an HVAC person? Do you just show up in a yellow vest and a hard hat and walk into the building? That's left up to you.”
Enterprises can also run red teaming exercises around phishing and social engineering.
Kent's frustrating experience reporting a vulnerability to a company is not universal. Today, many organizations have bug bounty programs that actively invite hackers to probe their systems for vulnerabilities.
Bug bounty programs can be public or private, operated internally or outsourced to a third party that runs the initiative for an enterprise. The bounties are typically paid at a flat rate or via a tiered system: the more severe the bug, the higher the pay.
The ethical hackers who participate in these programs might be people who hold regular 9-5 jobs and chase bug bounties as a hobby or for supplemental income. There are even some people who successfully turn bug bounty participation into a full-time gig. Bug bounty programs can also be a gateway for hackers just starting out.
“Bug bounties are a great way for aspiring ethical hackers to get into the mindset, to get into that side of the business,” John Price, CEO at SubRosa, a cybersecurity testing and advisory services company, tells InformationWeek.
When establishing a bug bounty program, enterprises need the budget for not only the bounties but also to manage the program and triage the bugs discovered.
While bug bounty programs can help strengthen an organization’s security posture, it is important that security leaders clearly define the scope of the initiative and communicate that to the hackers who participate.
“Set expectations clearly as to what you're looking for and make sure that the relationship you have with the people out there trying to find the bugs is as well-maintained and strong,” Price recommends.
How Can Enterprises Get the Most Out of Ethical Hackers?
Ethical hackers can be a valuable resource for enterprises, and, like many valuable resources, they can be limited in availability. “For what we see right now, especially at the senior or advanced level, the demand is very high, and the field is very small in terms of who's in it,” says Price.
With a limited talent pool and a high demand for the skills in that pool, how can enterprises best leverage the skills of ethical hackers?
Hannan recommends enterprise leaders attempt to remove emotion from the equation when they engage with an external firm hired to test for vulnerabilities and weaknesses or with independent hackers who engage in a bug bounty program.
“When I come to an organization … I'm essentially calling their baby ugly as my first course of business,” he explains. “I'm showing up, I'm breaking something, and telling them, ‘Hey, you did this incorrectly.’ This is where you really need to check the emotions at the door.”
No enterprise is 100% secure, and ethical hacking can show where the vulnerabilities are before an attacker finds them. But finding vulnerabilities is only the first step toward improved security. Enterprise leaders need to actually remediate those weaknesses.
“Fundamentally, the best thing you can do is actually use the information they give you to fix the problems they identify. It is very shocking to me how little that actually happens,” says Horvik.
As enterprises make use of ethical hacking, allowing it to become a stale, check-the-box routine can erode the potential value. “Rotate resources. Don't have the same consultant doing the testing, doing the ethical hacking each time. You want a fresh set of eyes,” Price recommends.
Hacking can be about more than just breaking things. Hannan sees opportunities to involve ethical hackers in more of the product life cycle so enterprises can leverage their skills to fix what can be broken.
“Truly [make] ethical hackers part of the engineering DNA for any organization and the overall product lifecycle, so that there's more collaboration happening,” he says. “Identify vulnerabilities earlier … [and] effectively work to remediate them faster.”