Ethical Hacking – A new cottage industry

Ethical Hacking – What is it?

Ethical hacking – how can something bad be ethical?

If IT was a John Wayne film, hackers would be the bad guys in black hats.
Hackers cause immense harm to public confidence in data security and e-commerce. They also force organisations to spend large sums of money on IT security.

But what are ethical hackers? Well, they are the good guys in white hats: John Wayne riding in to save the day.
Ethical hackers try to identify vulnerabilities or bugs in systems so that organisations can fix them.

Ethical hacking services have been available for some time. For example, companies such as Cyphra and Cyberguraded provide penetration testing for networks. Ethical hacking is a well-established industry and is seen by many organisations as an important part of their assurance processes.
However, large organisations now realise that individuals are also an important part of the assurance process.

Ethical hacking has become a new cottage industry.

What is going on and who is making money from it?

Users break software. Most of them don’t do it on purpose.
They use the software in a way the designer never intended or anticipated.
An ethical hacker tries to break the software on purpose. Ethical hackers are looking for a gap that gives them access to the most secure areas of a system.

Many ethical hackers do it for the challenge. But increasingly, many are turning their hobby into a business.

There have always been stories of big organisations paying off people not to discuss flaws in their systems.
But big organisations, not just tech companies, are starting to realise that ethical hackers can provide a useful service. Small armies of technically literate users are generating useful feedback on the reliability of a product or website. Organisations can then take action to correct these problems.

For the ethical hacker, there is a financial reward, a ‘Bug Bounty’. Many organisations now run these schemes.
The size of the payment varies with the organisation and with the nature of the bug that is identified.
Some ethical hackers are doing very well from such schemes.

It is estimated that an ethical hacker in India can earn 16 times the median salary for an Indian software engineer.
That is £73,600.00 instead of £4,600.00 per year, for just a few hours every week.

And this isn’t some passing fad. Websites such as HackerOne and BugCrowd are acting as brokers between ethical hackers and organisations wanting their services.
This is a serious business.

Is there a downside?

If you have watched Star Wars you know there is a dark side to the Force.

Ethical hacking assumes the hacker will hand over details of the vulnerability that has been identified. But what happens if the hacker is not offered enough money? What happens if the vulnerability is not fixed quickly enough?
Some ethical hackers aren’t just doing this for money. There is kudos in finding these bugs.
The ethical hacker has identified a bug. The bug can be exploited, and someone else might find it. The ethical hacker wants it to be fixed.

Any form of hacking attracts criminals. If a tech company is prepared to pay $250,000.00 to an ethical hacker for a bug, what will a criminal pay for it?
By offering such large sums of money, do organisations tell the world how important a bug is? Are they advertising their perceived level of vulnerability and inviting attack?

There are potentially life changing sums of money on offer for the right vulnerability.
The Golden Ticket is an Apple vulnerability.

Conclusion

Initial drafts of the new Data Protection Act inadvertently made ethical hacking illegal. Parliament has this under review.
For now, the big tech companies, industry and government feel the benefits outweigh any pain.
But if cottage-style ethical hacking grows, will it have to be regulated?
If you would like to read more, here are two really interesting articles:

Margi Murphy – Meet the new bounty hunters

Matthew Field – Bug Hunting