Pwn Palace

Hackers: Scourge of the Internet, or Information Superhero? -Kyle "ScZi" Gonzalez

Kyle Gonzalez

ENDE LLC

 

Introduction

“And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found.” – Hackers Manifesto

It can be seen all over the news. Visa and PayPal taken offline by hackers, Sony’s PlayStation Network brought to its knees, a cyber defense contractor named Stratfor had its servers hacked and corporate emails leaked. Everything that people know about hacking can be summed up in news articles written by the uninformed. Hacking is bad, and there is no arguing that… Or is there? Most of what people know of hacking comes from the news or Hollywood movies such as Hackers and Swordfish. What they see is only one facet of this fascinating, yet misunderstood world. Hacking is not the evil act that some make it out to be. Hacking can also be a good thing. Enter the White Hat, or Ethical Hackers. These are the network security professionals on whom no movies are based. Ethical hacking is used to help analyze networks for security flaws, stop attacks in progress and help keep companies in compliance with government regulations such as PCI or SOX.

What is Ethical Hacking?

Ethical hacking sounds like an oxymoron, but it does exist and is a very handsomely paying career field. The average ethical hacker can make anywhere from $24,760 a year to $111,502 (InfoSec Institute, n.d.). It does not stop there, however. Some contracts can net an ethical hacker up to $17,500 in bonuses (Computer Hope, n.d.). The main role of the ethical hacker is to penetrate a business network in order to recognize and fix security flaws before a “Black Hat” hacker can get to them. There is no such thing as a “fully secure” network, and oftentimes it’s a race against time to beat Black Hats and Crackers at their own game.

Key Definitions

Ethical Hacker- An ethical hacker attempts to bypass system security and search for any weak points that could be exploited by malicious hackers. (EC Council, n.d.).

Black Hat Hacker- A black hat hacker is a person who attempts to find computer security vulnerabilities and exploit them for personal financial gain or other malicious reasons. (Techopedia, n.d.).

PCI Compliance- The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. (PCI Compliance Guide, n.d.).

SOX Compliance- The Sarbanes-Oxley Act (SOX) requires that all publicly held companies establish internal controls and procedures for financial reporting to reduce the possibility of corporate fraud. (Tripwire, n.d.).

Ports- Ports allow software applications to share hardware resources without interfering with each other (About Technology, n.d.).

Why is Hacking Looked At So Negatively?

Hacking in general is looked at in a very negative light. When people think of hacking, they think of corporate financial losses, stolen data, privacy breaches and reputational dings. Most of these views are pressed into our minds by coverage within the mainstream media. For example, in July of 2011, a hacker group known as LulzSec hacked into Sony’s PlayStation Network. This hack led to lengthy downtime of the gaming servers, the loss of over 24.6 million users’ private data, and caused a rather large “black eye” for the reputation of Sony. As a result, not only did they lose users and have to face the public’s questions about how it happened, but they also incurred a rather large financial loss when Sony decided that the only way to make things right with the customers that decided to stay was to give them all two free games (Arthur, 2013). Do the math: 24.6 million x approximately $20+ = way more than it would have cost to hire an ethical hacker!

With that being said, Sony could have taken more proactive steps to prevent this from happening. Ethical hackers could have helped lessen the chances of this occurring by finding the flaws LulzSec used to gain access, and fixing them before the group even had a chance to exploit them. An ethical hacker in the end could have made recommendations regarding Sony’s security flaws that could have been used to make the network near-impenetrable to these happy hackers.

Are Hackers Bad? Looking at the Opposition

One could say that hackers are a counterculture of basement-dwelling kids who seek to destroy web assets and steal private data. Surprisingly, hackers can be exactly the opposite. This “counterculture” consists of people from all walks of life. Steve Jobs and Steve Wozniak were some of the most notable hackers. In the early 1970s, Steve Jobs and Apple co-founder Steve Wozniak created a device called the “Blue Box”. This box allowed hackers to override phone charging systems, as well as bypass any restrictions set forth on the phones (Linge, 2014). Several years later, these two created one of the most successful and recognizable companies in the world, known as Apple Inc.

Some people could say that hackers do not serve any real purpose in the “real world”. In order to stop a hacker, one must be able to think like one. Penetration testing is one career within information security which employs hundreds of hackers. These hackers are tasked with attacking their clients’ networks using the same methods as a malicious cracker would (Rouse, n.d.).

A lot of people could argue that hackers are all criminals who should serve lengthy prison sentences. While this statement could apply to some hackers, this should not be an across-the-board statement. Aside from the legitimate uses of hacking, even the most malicious of hackers can be reformed. While throwing them in prison for their crimes could solve a short-term problem, it is not a long-term solution. While the justice system may lock up a few, there are many more waiting to step into their place. Rather than throwing them all in a cell, hackers should be utilized to help stop attacks.

In the summer of 2011, LulzSec went on an online rampage, hacking dozens of companies. Eventually, one of the group’s leaders, Hector Xavier Monsegur, a.k.a. Sabu, was caught and charged with computer crimes. However, the FBI seized the opportunity to use the hacker as a tool to bring down the rest of the group. For three years, Sabu helped draw in the remaining members of the group, and was eventually released from custody with “time served” (Greenberg, 2014).

Although most arguments against hackers are fairly solid, hackers have proven to be a valuable asset in securing digital data. Hackers have been demonized due to the recent waves of cyber attacks, and the one-sided nature of mainstream media. Rather than being treated as criminals, hackers should be utilized to help control the level and scope of cyber crimes. Without hackers, many of the technologies that we use today would not only be insecure, but also non-existent.

Ethical Hackers Analyze Networks for Security Flaws

The main purpose of an ethical hacker or penetration tester is to expose and exploit security flaws in a network. This can be done by analyzing the network’s services, running applications, and even the people utilizing it. One of the first steps an ethical hacker must take in order to hack a network is to gather information on it. This can be done in many ways. They can scan the network using tools such as Nessus, Qualys or Nmap to find application versions, operating systems, open ports and other vulnerabilities that can be used as entry points for crackers. Another way that ethical hackers can analyze a network is by use of social engineering, or the exploitation of people. Using such a process, a hacker can convince an employee to simply tell them sensitive information about the network. All of these methods can expose security flaws that a malicious hacker would use, so that the company can work towards a resolution before they face a bigger issue (Giri, 2012).

Ethical Hackers Can Stop Attacks in Progress

Although it is not the typical role of an ethical hacker, they can be utilized to stop network attacks in progress. Professional penetration testers can be an enormous asset to a company for one key reason: ethical hackers are trained to think like hackers. A penetration tester knows how to exploit weaknesses within a network or a system, which means they also know what targets a cracker is more likely to select. By having intimate knowledge of a network, a penetration tester can oftentimes locate the weak point that is being attacked and defend it by counteracting the methods of a malicious actor. Hackers by their very nature are lazy and will select the weakest targets first in order to cause maximum damage. By fighting back against hackers, penetration testers can annoy the attackers into submission (Strand, 2013).

Ethical Hackers Keep Companies Compliant with Government Regulations

Just like with any other service, the government has regulations to help mitigate attacks. Payment Card Industry, or PCI Compliance, is a government regulation that states how any merchant accepting online payment must secure their networks to prevent data loss. Part of that compliance is a requirement that merchants who decide to utilize such a service must have their systems tested annually. This requires not only a test, but proof of the test and any fixes that have been applied due to its findings. Hired penetration testers will use the same tactics as less-friendly hackers, and help a company determine where their weaknesses are and recommend ways to fix them. Sarbanes-Oxley (SOX) is a similar compliance regulation, but is more geared towards internal threats rather than external threats.

Conclusion

Hacking is not the evil act that some make it out to be. Hacking can also be a good thing. Enter the White Hat, or Ethical Hackers. These are the network security professionals on whom no movies are based. Ethical hacking is used to help analyze networks for security flaws, stop attacks in progress and help keep companies in compliance with government regulations such as PCI or SOX. Hackers can be one of the greatest assets a company has ever had when it comes to protecting sensitive data.


References

Nigel Linge (2014) Lifehacker IT Pro. In How Steve Jobs and Steve Wozniak Started Their Career as Hackers. Retrieved October 23, 2014, from http://www.lifehacker.com.au/2014/04/how-steve-jobs-and-steve-wozniak-started-their-career-as-hackers/

Margaret Rouse (n.d.) Tech Target. In Ethical Hacker. Retrieved on October 23, 2014, from http://searchsecurity.techtarget.com/definition/ethical-hacker

Andy Greenberg (2014) Wired. In LulzSec Leader and Informant ‘Sabu’ Let Off With Time Served. Retrieved on October 23, 2014, from http://www.wired.com/2014/05/hector-monsegur-sabu-sentencing/

Loyd Blankenship (1986) University of South Carolina. In The Hacker’s Manifesto. Retrieved on October 10, 2014, from http://www.usc.edu/~douglast/202/lecture23/manifesto.html

Computer Hope (n.d.) In Ethical Hacking. Retrieved on October 10, 2014, from http://www.computerhope.com/jargon/e/ethihack.htm

PCI Compliance Guide (n.d.) In What is PCI? Retrieved on October 10, 2014, from https://www.pcicomplianceguide.org/pci-faqs-2/#1

EC Council (n.d.) In Certified Ethical Hacker. Retrieved on October 8, 2014, from http://www.eccouncil.org/Certification/certified-ethical-hacker

InfoSec Institute (n.d.) In Average C|EH Salary. Retrieved on October 8, 2014 from http://resources.infosecinstitute.com/certified-ethical-hacker-salary/

Techopedia (n.d.) In Black Hat Hacker. Retrieved on October 7, 2014, from http://www.techopedia.com/definition/26342/black-hat-hacker

Tripwire (n.d.) In SOX Compliance for IT. Retrieved on October 7, 2014, from http://www.tripwire.com/regulatory-compliance/sox-it-compliance/

Morse (n.d.) In The Negative Effects of Hackers. Retrieved on October 7, 2014, from http://science.opposingviews.com/negative-effects-hackers-2867.html

Arthur (2011) In LulzSec Hacks Sony. Retrieved on October 7, 2014, from http://www.theguardian.com/technology/2013/may/16/lulzsec-hacking-fbi-jail

Mitchell (n.d.) In (Computer) Port. Retrieved on October 10, 2014, from http://compnetworking.about.com/od/basiccomputerarchitecture/g/computer-ports.htm

Bipin (2012) In Ethical Hacking. Retrieved on October 7, 2014, from http://www.mustbegeek.com/ethical-hacking/
