What is Ethical Hacking

by Darwin on March 22, 2017

Since 2011, Facebook has paid an aggregate of more than $4 million to freelance hackers and bug-finders who scour the social network’s software to find flaws and weaknesses that other hackers might breach for more nefarious purposes. Facebook and many other companies routinely pay out bounties to hackers whose motives are more ethical than those of the stereotypical cybercriminal.

The term “hacker” has evolved to carry increasingly negative connotations. In its original generic sense, “hacker” refers to coding specialists who work in coordinated environments on network and other computer operations. Organizations routinely host “hackathons” where hundreds of programmers collaborate and compete to solve coding problems. Cybercriminal activity likely sprouted from ethical hacking when a subculture of programmers coalesced to exploit enterprise weaknesses for their own personal gain.

A number of one-time rogue hackers have reformed their ways to join the ethical hacking community. Kevin Mitnick’s name typically tops that list. Mitnick served a federal prison sentence for hacking into several Fortune 500 computer systems. Upon being released, he formed Mitnick Security and now consults with the same companies he once hacked to improve their defenses against network breaches.

Another reformed hacker, Adrian Lamo, once broke into networks at the New York Times, Microsoft, and Yahoo, but came clean after an arrest. More recently, Lamo used his skills to expose Chelsea Manning as the source of the release of a number of classified documents from the US government.

Hackers are often characterized according to whether they use their coding skills for legitimate or criminal purposes, but the hacking community is not readily classified into binary “white hat” and “black hat” categories. That community is better defined along a continuum in which many coders take on the mantle of “grey hat” hackers. From an enterprise perspective, keeping grey hat hackers on the right side of the law is a matter of making ethical hacking at least as financially attractive as cybercriminal hacking.

Industry associations are forming to advance this effort. HackerOne, for example, was founded by executives from Microsoft, Facebook, and Google as a clearinghouse that lists ongoing “bug bounties”, programs under which companies offer financial rewards to hackers who find flaws in their software or security systems. Firebounty publishes similar lists that ethical hackers can scan to find open offers of compensation in exchange for security flaws that freelancers are able to uncover.

For all the potential value that ethical hackers might have to offer, some critics argue that current industry efforts to rein in the hacking community are misplaced. Bug bounties and similar efforts give hackers a platform to boast of their skills and network-breaching achievements but do little to reduce the allure and market value of black hat hacking. As long as cybercriminals are able to profit from exploiting network and system vulnerabilities, enterprises will continue to be at risk of having their systems frozen by ransomware, or of losing valuable data to a hacker who successfully breaches a network.

When that network breach does happen, cyber risk insurance can help an enterprise recover from the direct and third-party losses that flow from it. That insurance can provide compensation to replace internal servers and equipment damaged in the breach. An enterprise that loses third-party customer data can face fines, legal costs and damages that run into the millions of dollars. Again, cyber risk insurance can help an enterprise cover those expenses. Hackers, whether ethical or otherwise, will not be concerned with the extent of the losses that their actions might cause. Cyber risk insurance is the solution when all else fails.
