Ethical Hackers: Cyber Security Masterminds or Potential Criminals?
Some call them ethical hackers; others call them would-be criminals. But who are they in reality? RT Documentary looks at penetration testers, the masterminds of cyber security. To learn more, tune in to the premiere of the sixth episode of I Am Hacked on Monday!
Today’s cyber security is a highly complex endeavour involving specialists with different academic and professional backgrounds. Penetration testers, or pentesters, seem to be the most mysterious characters.
Their job is identical to that of hackers: they look for vulnerabilities in computer systems and launch cyberattacks aimed at these vulnerabilities. The only difference is in their goals. While hackers do it for the sake of inflicting damage and making a profit, pentesters seek to reinforce an organisation’s cyber security.
Sceptics suggest the difference in goals is elusive: they say it may be difficult for a human to stay on the good side when the stakes on the wrong side are increasing. However, cyber security experts sound more positive. They insist most pentesters have nothing to do with cybercrime and say the stakes on the good side are also tempting. According to Cyberseek, a job market portal for IT specialists, the average salary of vulnerability testers is $100,000.
RT Documentary talked to cyber security experts from different countries to get their outlook on pentesters.
Good guys or bad guys?
Legally, the main difference between pentesters and hackers is that the latter violate the law, while the former, in contrast, help protect the cyber world from unlawful activities.
Ethical hackers have access to abundant resources to study and master their skills and even find highly paid jobs. For example, online laboratories like HackTheBox give vulnerability testers access to internet servers used by hackers. Such platforms enable pentesters to look for holes and to stop hackers from hacking and destroying infrastructure, stealing users’ data, and so on.
“There are job offers for pentesters of hacker level and higher,” continues Ivan Botanov. “There’s a chance of being offered a job based on your HackTheBox record of hacks. If you’re an absolute beginner and don’t know where to poke around, HackTheBox’s academy teaches you for free. That’s how to get into pentesting and hacking. Which path to choose is up to you. A pentester’s skills can most probably open the doors to cybercrime. I think you can say so. It depends on your ethics, your upbringing, and why you need that.”
White hackers VS black hackers
‘White hackers’ or ‘white hats’ are another metaphor used to describe penetration testers. According to cyber security experts, these guys seem to be playing the role of cyber border guards, protecting organisations’ cyber facilities from intrusions. Like real-life military personnel, penetration testers have regular training that allows them to perfect their skills in practice.
Training might, for example, involve a team simulating an unspecified attack on a target at an undisclosed launch time. Members of the cybercrime world believe such training makes it impossible to separate pentesters from hackers.
“Authorised guys from InfoSec have two teams: Red and Blue. Red attacks, Blue defends,” says a practising hacker interviewed by RT Documentary. “It’s about how you develop: either in offence or defence. These are different directions, no matter how absurd that sounds. A defender can’t necessarily attack, and vice versa.
“There aren’t many researchers left, those interested in the hackers’ philosophy and its romance. Many cross the line and become tougher, more wicked. Others become whiter. This depends on the personality and their situation. Most do it for the money. But some work for fun. It’s just an attitude that professionals should stick to.
“Whether it’s IT or not, you’re a pro, investing time in it, and that’s the most valuable resource. You do it to be able to say: ‘Guys, look! I did it!’ There are definitely those kinds of people. They get very excited when they manage to mess with the system. That’s cool... really cool! But you must rise to that. A year or two of hard work won’t cut it. It’s a very difficult path.”
While the work of a pentester and that of a hacker both consume time, energy, and talent and require the same skills, the choice between the two professional paths depends on one’s personality and moral standards.
“What’s a hacker? First, an explorer... But those who explore information systems differ from those protecting them because it’s enough for them to explore a system, find a hole and penetrate it.
“In security, there’s an unknown number of variables, a significant number of holes on the internet, exploits appear and so on, and you need to prioritise risks properly. Hiring hackers is risky. A hacker’s someone who’s already on the dark side. Who knows what he’ll do if he finds a breach in an organisation. If he’s broken the law, he’s likely to do it again, especially when teased by information security breaches.”
To learn more about the world of cyber security, see the premiere of the sixth episode of I Am Hacked on Monday!