Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

3/16/2017
10:30 AM
Amit Ashbel
Amit Ashbel
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Ethical Hacking: The Most Important Job No One Talks About

If your company doesn't have an ethical hacker on the security team, it's playing a one-sided game of defense against attackers.

Great power comes with great responsibility, and all heroes face the decision of using their powers for good or evil. These heroes I speak of are called white hat hackers, legal hackers, or, most commonly, ethical hackers. All these labels mean the same thing: A hacker who helps organizations uncover security issues with the goal of preventing those security flaws from being exploited. If companies don't have an ethical hacker working for them, they're in a one-sided game, only playing defense against attackers.

Meet the Hackers
Companies house both developer and security teams to build out codes, but unfortunately, there often is little communication between the two teams until code is in its final stages. DevSecOps — developer and security teams — incorporates both sides throughout all of the coding process to catch vulnerabilities early on, as opposed to at the end, when making updates becomes harder for developers.

Although secure coding practices and code analysis should be automated-  and a standard step in the development process - hackers will always try to leverage other techniques if they can't find code vulnerabilities. Ethical hackers, as part of the DevSecOps team, enhance the secure coding practices of the developers because of the knowledge sharing and testing for vulnerabilities that can be easily taken advantage of by someone outside the company.

Take, for example, Jared Demott. Microsoft hosts the BlueHat competition for ethical hackers to find bugs in its coding, and Demott found a way to bypass all of the company's security measures. Let that sink in for a moment — he found a way to bypass all of Microsoft's security measures. Can you imagine the repercussions if that flaw had been discovered by a malicious hacker?

Let the Hackers Hack
Security solutions (such as application security testing and intrusion detection and prevention systems) are a company's first line of defense because they're important for automatically cleaning out most risks, leaving the more unique attack techniques for the ethical hackers to expose. These could include things such as social engineering or logical flaws that expose a risk. Mature application security programs will use ethical hackers to ensure continuous security throughout the organization and its applications. Many organizations also use them to ensure compliance with regulatory standards such as PCI-DSS and HIPAA, alongside defensive techniques, including static application security testing.

You may be thinking, "What about security audits? Wouldn't they do the trick?" No, not fully. Ethical hacking is used to build real-world potential attacks on an application or the organization as a whole, as opposed to the more analytical and risk-based analysis achieved through security audits. As an ethical hacker, the goal is to find as many vulnerabilities as possible, no matter the risk level, and report them back to the organization.

Another advantage is that once hackers detect a risk, vendors can add the detection capability to their products, thus enhancing detection quality in the long run. For example, David Sopas, security research team leader for Checkmarx, discovered a potentially malicious hack within a LinkedIn reflected filename download. This hack could have had a number of potential outcomes, including a full-blown hijacking of a victims' computers if they had run the file. It's probably safe to say that just the audit wouldn't have identified this hidden flaw.

How to Hack
The good news for companies searching for someone to fill this role is that there are several resources for their own employees to learn more about ethical hacking and become a more-valuable asset.

The first step is to get certified. EC-Council has resources and certifications available, and if you want to continue brushing up on your ethical hacking skills, OWASP has you covered. While getting certified isn't a requirement, I highly recommend this, because getting the basics down will help to provide a foundation on which to build. After you have the basics down, there are many tools and automated processes that can be utilized, but ethical hackers usually use penetration testing and other, mostly offensive, techniques to probe an organization's networks, systems, and applications. In essence, ethical hackers use the same techniques, tools, and methods that malicious hackers use to find real vulnerabilities.

One Small Step for Companies, One Giant Leap for Hackers
What does this all mean for companies? Well, companies must first acknowledge how ethical hackers can help them. Strong application security programs need to focus both on the code security as it's being developed, as well as in its running state — and that's where ethical hacking comes into play. Nothing beats secure coding from the get-go, but mistakes do happen along the way, and that's where ethical hacking experts can make a difference in an organization.

At the next meeting on staffing, ethical hackers should be right at the top of the list of priorities to keep your company, and its data, safe. 

Related Content:

Amit Ashbel, security evangelist at Cognigo, has been with the security industry for two decades and has taken on multiple tasks and responsibilities, including technical positions and senior product lead positions. Amit has experience with a wide range of security ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSHAH
50%
50%
NSHAH,
User Rank: Apprentice
3/23/2017 | 6:00:06 PM
Offensive Security Mindset is Vital
Well written article articulating the importance of ethical hacking in light of the dynamic threat landscape. Resources cited are very useful. An effort to get a certification exposes one to structured approach and one can learn a lot from a fundamental knowledge perspective and continue to build on that with large number of on-line resources available. Things have dramatically changed over the course of last few years in terms of access to learning experiences. There are plenty of on-line resources to get a hands on learning experiences including but not limited to Kali Linux (https://www.kali.org/), Pentesterlab (https://pentesterlab.com/), vulnerability hub (https://www.vulnhub.com/), seminars (Defcon, Blackhat, local cons, etc.) webinars and local chapter meetings from professional security organizations (ISSA, ISC2, ISACA, HTCIA, etc.)

 
aashbel
50%
50%
aashbel,
User Rank: Author
3/22/2017 | 1:06:11 PM
Re: Blurry Lines, but Important Distinction
Hey MarkW35801,

I definitely agree with your point of viiew. I think that in a few years we will be seing ethical hackers more frequently employed by a wider variety of businesses. The work has to start though much earlier by creating proper formal education programs as part of comuter sciences degrees. I think that educating developers and creating a hybrid security and development engineer could also make the process more fluent especially considering the fast paced development environments we are seing today. I agree that good pen testing services are important but as you say, they are expensive. By having developers part of the security effort pen test cycles will shorten and become much more effective. 

 

Thanks

Amit
ramgopalvarma219
50%
50%
ramgopalvarma219,
User Rank: Apprentice
3/20/2017 | 2:46:37 AM
Re: Blurry Lines, but Important Distinction
 

 

 

    Hi , Thanks for the article regarding Ethical Hacking , It was informative :)
MarkW35801
50%
50%
MarkW35801,
User Rank: Apprentice
3/16/2017 | 11:22:19 AM
Blurry Lines, but Important Distinction
Being an ethical hacker since late 2000, I can't agree with you more that it's a very important job. And I say this not because I want to remain employed, but because of the places we've been able to break into, and resulting impact to the organization should an attacker have done what we were able to do.

For example:

- we were able to fully compromise a large Western city in a few hours. Complete control of everything - security cameras, badging system. We were able to remote open the police gun vault, the police holding cell...

- using an unauthenticated SQL injection attack over the Internet, we were able to download the entire database of a background check company. Every person they had ever conducted a background check on - all their gory personal details...

We find very serious vulnerabilities, most of which are NOT identified by a vulnerability scanner. We apply logic and reasoning to identify a vulnerability, exploit it, and see where it gets us. Often times when we gain "the keys to the kingdom", we exploit a series of vulnerabilities - it's never just one thing.

A good penetration test isn't cheap, and a cheap penetration test isn't good. But we often find issues that would put a company out of business, so in the end, I believe we are worth the cost.
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26814
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.