In 2018, we saw the rise of Hacking as a Service. It will be interesting to see how this develops in the future.
It is safe to say that ethical hacking is now here to stay. I recently read an article on enterpriseinnovation.net that discussed this issue.
The article points out that legend has it that the original definition of ‘hacker’ was “someone who makes furniture with an axe”.
Today, if you look up the word ‘hacking’ in the Cambridge English Dictionary, it is described as ‘the activity of illegally using a computer to access information stored on another computer system or to spread a virus’.
The article points out that neither definition is ripe for the 21st century. Today there is an army of white hat hackers who are acting as guards and protectors, and only a very small minority of them have even thought about making furniture.
‘White Hat’ hackers work with organizations and help them find vulnerabilities on their networks before cybercriminals can exploit them. Day in and day out these hackers are competitively hunting for security vulnerabilities and responsibly reporting them to organizations so they can be rapidly remediated.
The article points out that Keren Elazari called hackers “the Internet’s Immune System”. Often driven by a sense of curiosity, they are doing nothing illegal, and their ethos is that the Internet becomes a safer place every time a vulnerability is found and fixed.
Age of the hacker
The article adds that we’ve entered a digital age where every company connected to the internet needs to think about cybersecurity. Anyone who relies on software to run their business needs to ensure their systems are secure.
But cyberthreats can appear to be asymmetrical – attackers far outnumber small security teams.
As more and more code is deployed, traditional security controls and even automation cannot possibly keep up. Instead, we must turn to a community of hackers, already keeping a watchful eye on the Internet.
The enterpriseinnovation.net article points out that tens of thousands of trusted hackers are invited and incentivized to test software everyday by organizations like Lufthansa, Shopify, the European Commission and others. These are called bug bounty programs.
Bug bounty programs involve engaging with a large community of hackers with diverse skillsets and in-depth knowledge, enabling them to test systems for weaknesses that often go unnoticed for months or even years. There is an old saying that “in the eyes of many, all bugs are small”; bug bounty programs apply this adage to security testing so that vulnerabilities can be looked for by the largest number of eyes, and fixed before criminals exploit them.
According to a recent report from HackerOne, its network of white hat hackers has already found over 72,000 valid vulnerabilities. This highlights the important role white hat hackers play in helping organizations mitigate security threats.
The article adds that the 2018 Hacker Report surveyed 1,698 ethical hackers to understand their key motivations. The study uncovered some very interesting drivers and below are the top ten ethical hacking facts to come from the report that, I’d wager, will be a surprise to many:
White hats have already made over $26m in the last five years
White hat hackers on HackerOne’s network have earned over $26 million in bug bounty money in the last five years. This demonstrates that white hat hacking can in fact be a legitimate and lucrative career choice.
Money is not the number one motivator
The article points out that while many people might think the main motivator for ethical hackers is money, this is actually not the case. The financial incentive is undoubtedly important, however, the key motivator for white hat hackers is the opportunity to learn tips and techniques. Other top reasons for hacking include career advancement, the opportunity to protect and defend and to do good in the world.
Hackers love to hack websites
Over 70% of hackers say their favorite type of product or platform to hack is websites and web applications, followed by APIs (7%), technology that holds their data (5%), Android apps (4%), operating systems (3%) and IoT (3%).
One in four hackers donate bounty money to charity
The article adds that more than 24% of hackers from HackerOne’s network have donated bounty money to charitable organizations – talk about hacking for a good cause!
The top five hacker regions are India, the US, Russia, Pakistan and the UK
India (23%) and the United States (20%) are the top two countries represented in the HackerOne hacker community, followed by Russia (6%), Pakistan (4%) and the UK (4%).
One hacker used his bug bounty money to buy his family a house
The article points out that Ibram Marzouk, an ethical hacker in HackerOne’s network, used his bug bounty money to buy his family a house when they moved to the US. Other hackers have used bug bounty money to buy cars, pay school tuition, pay for holidays and even pay for college.
Top ethical hackers are making 2.7 times the median salary of a software engineer in their home country
The top hackers based in India earn 16x the median salary of a software engineer. And on average, top earning researchers make 2.7 times the median salary of a software engineer in their home country. This means white hat hacking can be a more lucrative career choice than software engineering for some.
Hackers spend an average of 20 hours a week hacking
The article adds that over 66% of hackers spend 20 hours or less per week hacking, with 44% spending 10 hours or less per week. More than 20% of hackers spend over 30 hours per week. Only 13% of hackers hack full-time (40+ hours per week).
50% of hackers are aged under 25
Hacking attracts the younger generation. The majority (45%) of hackers are between 18 and 24 years of age. Over 90% of HackerOne’s bug bounty network are under the age of 35, with only 8% under the age of 18. While many hackers are young, nearly 29% have been hacking for six years or more, of which over 10% have been hacking since at least 2006.
Hackers by night, students and tech employees by day
The article adds that almost half (46.7%) of the hackers work full-time in related areas – such as information technology (IT), software or hardware development. Over 44% of those working in an IT profession specifically focus on security or security research, and 33% on software development. Just over 25% of HackerOne’s hackers are students.
Increasingly legitimate
Hacking is increasingly viewed as a legitimate activity – both by the hackers whose actions are financially rewarded, and by the organisations looking to utilise their skills to secure their software and networks.
Since the 1980s, hackers have defined themselves as “One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.”
Is it time the dictionary was updated to give this vital skill the credibility it deserves and banish the criminality association once and for all? I think so.
Sounding calls
What do the Marriott hack, the British Airways hack and the Cathay Pacific hack have in common? Data was the main target in every case. This is becoming a major sounding call for legitimising ethical hacking. I recently read an article on scmagazine.com that discusses this in detail.
As the idea of ethical hacking begins to resonate more with the general public, it has inspired more people ranging from aspiring hackers to seasoned security professionals to join the hacking community and seek out crowdsourced security testing programs to hunt bug bounties.
The article adds that, judging by how 71 percent of cybercriminals can breach a perimeter within 10 hours, the need for people who can spot the flaws that allow access before the bad guys do will only increase.
“It’s not just a single problem,” researcher Mehidia Afrin Tania said in the Bugcrowd: Inside The Mind of a Hacker report. “But when it comes to the most prevalent causes of breaches it could be users, devices, or access to applications. It could be Crime-as-a-service (CaaS) which will expand available tools and services.”
The year-end report from Bugcrowd found the top three reasons for bug hunting were for the challenge, professional development, and education.
The article points out that the bug bounty company conducted a study surveying more than 750 of its global community of whitehat hackers and pentesters, segmenting for statistics around demographics, motivations, and economics.
The study found that 22 percent of hackers consider bug hunting their full-time profession, 77 percent have a full-time profession outside of bug hunting, 81 percent said their experience bug hunting has helped them get a job, and 72 percent said bug hunting helped land them a job in cybersecurity.
High aspirations
The article points out that bug bounty hunters have high aspirations as well: 31.56 percent of bug bounty hunters aspire to be a full-time bug hunter, 24.96 percent aspire to be a penetration tester, 15.06 percent aspire to be a top security engineer at a highly esteemed company, 9.47 percent want to be a security consultant and 6.03 percent would like to be a CISO.
The article adds that the study also found bug hunters often learn their skills from a variety of sources: 43 percent of hackers learned how to hack via online resources and blogs and 41 percent are self-taught. Bug hunters are also team players who learn from each other, as 35 percent of the community say they currently collaborate with other hackers, and 50 percent expect to collaborate more in the next 12 months.
Bug hunters are also young, ambitious and eager to develop their skills: 72 percent of the hacker community are aged 18-29.
As bug bounties increase in popularity, researchers are also seeing increased traction in vulnerabilities submitted in web applications, network pen testing, API assessments, social engineering, vehicle testing, mobile (bbry/winmo) and IoT/embedded devices.
Large recruitments
We all want to make use of ethical hackers, but what do we look for when it comes to qualifications? A recent article on information-age.com discussed this.
Ethical hacking is a young industry, just 15 or so years old, so it doesn’t have the typical professional safeguards and progressions that other professions have.
The article points out that luckily, hiring an ethical hacker doesn’t mean having to get your crypto wallet out and start wading through the dark web. There are some qualifications businesses can look for to assess the credibility of a candidate. A number of organisations, such as The Council for Registered Ethical Security Testers (CREST), Mile2, SANS Institute and the EC-Council all do tests and grant qualifications to ensure the right skills are being developed in the industry.
Keiron Shepherd, Senior Security Systems Engineer (UK&I) at F5 Networks, told information-age.com: “There are other security credentials that will help you find those qualified for the role, such as CEH, OSCP and GIAC. Their certifications in ethical hacking are relatively new so the number of qualified individuals in the talent pool will be relatively small.
“While they can be desirable qualifications from an employers’ perspective there will be a large number of experienced hackers who don’t agree with or see the need for such accreditation. This will change in the future as the perception around ethical hacking changes and the profession becomes more mainstream.”
“Indeed, there are university degrees,” argues Paul Mason, Head of Education at Secarma Ltd, but he says “some degrees are better than others, and the skills-set you need is really really vast.”
“With these courses, you end up with a chicken and an egg situation. You come out with a degree but you still don’t have a truly industry-recognised qualification. To do that you have to self-fund it yourself — a lot of hackers go down that route, they save up in their spare time. At the same time, some of the best people that I employ were kids that dropped out of school at sixteen.
“If a standard business wants an ethical hacker, they need to commit to really supporting them, so you might not be hiring people that are fully qualified yet but in the space of one or two years, as long as you commit to supporting them, you can really turn them into what you need.”