Security
-
January 6, 2020

White or black hat?

Pablo Blanco is a Full-Stack developer on the Rootstrap team and writes about his experience with ethical hacking and information security. You can also follow Pablo on LinkedIn.

Ethical hacking and how organizations can get value from being hacked.

When we hear the words hacker or hacking, we tend to have a negative association. In truth, that makes a lot of sense, as the word conjures up the idea of a threat. According to a report published by the White House in 2018, information security incidents in both the public and private sectors are estimated to cost the US economy 100 billion dollars annually.

On the other hand, there are reports that estimate that 28% of online businesses, regardless of size, will have a security issue in the next 2 years.

That being said, can hacking be considered as positive?

What is ethical hacking and how does it differ from other types? Should companies or organizations be willing to be hacked?

We define hacking as the actions taken to gain access to a system, network or application in an unauthorized way. Having said that, hacking can serve different purposes, with good or bad intentions behind it.

With information now traveling at the speed of light over fiber optic cables and being stored and processed at many different points, the statistics mentioned above should alarm any organization, as well as users in general. However, there is a variant of hacking that is increasingly recognized and provides immense value: ethical hacking.

How can hacking be ethical?

At first glance it seems like a contradiction, but the ethical hacker or "white hat" aims to help detect failures and improve the security of the systems and applications we use every day. On the other hand, there are the "black hat" hackers, whose purpose is to use the same technical skills to exploit vulnerabilities for personal profit.

Ethical hacking is based on two fundamental principles. First, the organization or entity to be hacked must be aware of and explicitly authorize the activity. Second, the objective must be to detect vulnerabilities and propose a way to fix them, so that they can be resolved before being exploited maliciously.

Given the fundamental difference between black hat and white hat, how can organizations benefit from putting their products or services through an ethical hacking process?

Beyond the expected functional characteristics of an application, the chances of it having vulnerabilities from a security point of view are high. Whether due to an error in the code, a failure in the testing stage or an incorrect configuration in the production environment, there are plenty of ways for an application to end up highly vulnerable. The reality is that these types of vulnerabilities can cause large losses to an organization, both financial and reputational.

For these reasons, organizations should carry out constant VA (vulnerability assessment) on the products they launch, and should recognize this process as an extremely valuable step in the software development and systems maintenance chain.

It is true that in terms of security there is no absolute guarantee, and that any system, given the necessary time and resources, may eventually be compromised. Even so, application security requires constant effort, and any action taken in this regard can help prevent the failure of our systems.

In general, the main assets of organizations are related to the data of their users, the integrity and availability of their systems, or their own reputation. Given these factors, there are several reasons why companies should purchase ethical hacking services.

  1. Credibility and responsibility: Whether a company follows a standard (HIPAA, PCI, ISO, etc.) or not, the credibility of an organization and its responsibility for its customers' data can be seriously affected by a security problem. It is for this reason that companies whose services may be attacked tend to open their products to ethical hacking in a modality known as “bug bounty”, in which they offer a reward for security flaws found in their systems or applications.
  2. Face sophisticated attacks: The ethical hacker thinks like an attacker and is prepared to implement defense mechanisms against the kinds of attacks a professional malicious hacker could deploy.
  3. Defensive strategy: By engaging an ethical hacker, the necessary actions can be taken to detect the vulnerabilities in our systems, since they will be able to find weaknesses so they can be fixed.
  4. Damage reduction: The damage caused by hacking manoeuvres is visible; just think what would happen if someone obtained a database with sensitive customer information. Having a security specialist can greatly reduce the possible effects of an exploited vulnerability in our systems.

Summary

Ethical hacking processes and vulnerability assessments can help us expose threats and weaknesses, reducing business risk in a controlled way.

The strategic decision to use an ethical hacking service can be extremely beneficial for an organization, resulting in increased awareness of unknown vulnerabilities and the implementation of stronger security measures and network protections.

Ultimately, whether or not a company takes a chance on hiring these kinds of services is for them to decide, but it is certainly an option that businesses should at least consider as part of their efforts to build more secure solutions and avoid cyber attacks.

Interested in working with Rootstrap on your cybersecurity project? Reach out via the links below, or drop by our Los Angeles location. We also provide virtual services for dozens of tech companies in tech centers like Austin and Dallas.