Ethical Hackers: Cyber Security Masterminds or Potential Criminals?

01 January 2022 12:00

Some call them ethical hackers, others – to-be criminals. But who are they in reality? RT Documentary looks at penetration testers – the masterminds of cyber security. To learn more, tune in to the premiere of the sixth episode of I Am Hacked on Monday!

In recent years cyber security has evolved to become a highly complex endeavour

Today’s cyber security is a highly complex endeavour involving specialists with different academic and professional backgrounds. Penetration testers, or pentesters, seem to be the most mysterious characters.

Their job is identical to hackers: they look for vulnerabilities in computer systems and launch cyberattacks aimed at these vulnerabilities. The only difference is in their goals. While hackers do it for the sake of inflicting damage and making a profit, pentesters seek to reinforce an organisation’s cyber security.

The work of a pentester is very similar to that of a hacker

Sceptics suggest the difference in goals is elusive: they say it may be difficult for a human to stay on the good side when the stakes on the wrong side are increasing. However, cyber security experts sound more positive. They insist most pentesters have nothing to do with cybercrime and say the stakes on the good side are also tempting. According to Cyberseek, a job market portal for IT specialists, the average salary of vulnerability testers is $100,000.

RT Documentary talked to cyber security experts from different countries to get their outlook on pentesters.

Ivan Botanov is a penetration and vulnerability tester

Good guys or bad guys?

Legally, the main difference between pentesters and hackers is that the latter violate the law, while the former, in contrast, help protect the cyber world from unlawful activities.

“Certainly, it’s all romanticised!” says Ivan Botanov, a pentester. “I don’t call myself a hacker! I think of a hacker as a person engaged in illegal activities. I call myself, well... a pentester! I don’t break the law. On the contrary, I help make the internet a better place.”

Ethical hackers have access to abundant resources to study and master their skills and even find high-paid jobs. For example, online laboratories like HackTheBox, give vulnerability testers access to internet servers used by hackers. Such platforms enable pentesters to look for holes, stop hackers from hacking and destroying infrastructure, steal users’ data, and so on.

Pentesters enjoy access to abundant online education resources

“There are job offers for pentesters of hacker level and higher,” continues Ivan Botanov. “There’s a chance of being offered a job based on your HackTheBox record of hacks. If you’re an absolute beginner and don’t know where to poke around, HackTheBox’s academy teaches you for free. That’s how to get into pentesting and hacking. Which path to choose is up to you. A pentester’s skills can most probably open the doors to cybercrime. I think you can say so. It depends on your ethics, your upbringing, and why you need that.”

White hackers VS black hackers

According to Cyberseek – a job market portal for IT specialists lists the average salary of vulnerability testers at $100,000

“Regarding the difference between white and black hats, they’re both eager to find vulnerabilities,” says Anastasia Tikhonova, head of the Complex Threat Monitoring Department at Group-IB. “It’s just that some want to help a company, while others want to cause damage!”

‘White hackers’ or ‘white hats’ are another metaphor used to describe penetration testers. According to cyber security experts, these guys seem to be playing the role of cyber border guards, protecting organisations’ cyber facilities from intrusions. Like real-life military personnel, penetration testers have regular training that allows them to perfect their skills in practice.

Training, for example, might involve a team simulating an unspecified attack with a target and an undisclosed launch time. The members of the cybercrime world believe such training makes it impossible to separate pentesters from hackers.

Penetration testers participate in regular training that may involve, for instance, a team simulating an unspecified attack with a target but an undisclosed launch time

“Authorised guys from InfoSec have two teams: Red and Blue. Red attacks, Blue defends,” says a practising hacker interviewed by RT Documentary. “It’s about how you develop: either in offence or defence. These are different directions, no matter how absurd that sounds. A defender can’t necessarily attack, and vice versa.

A hacker is what exactly? Being a hacker means having freedom and a free hand to dig around, plus a desire... to, well, destroy the system! There’s really no such thing as a hacker in today’s reality. Everyone says they’ve died out. So, they’re all information security specialists, as we usually term them.

There aren’t many researchers left, those interested in the hackers’ philosophy and its romance. Many cross the line and become tougher, more wicked. Others become whiter. This depends on the personality and their situation. Most do it for the money. But some work for fun. It’s just an attitude that professionals should stick to.

‘True hackers’ are said to be dead

“Whether it’s IT or not, you’re a pro, investing time in it, and that’s the most valuable resource. You do it to be able to say: ‘Guys, look! I did it!’ There are definitely those kinds of people. They get very excited when they manage to mess with the system. That’s cool... really cool! But you must rise to that. A year or two of hard work won’t cut it. It’s a very difficult path.”

“Not everything’s as romantic, nice and lovely as people think... that hackers are filthy rich. Yes, there are millionaires, but earning your first million requires a huge effort, lots of hardware and so on.”

While both the art of a pentester and a hacker are time, energy, and talent consuming and require the same skills, the choice between the two professional paths depends on one’s personality and moral standards.

“By the way, it’s important to note that the psychology of an information security specialist is different. It’s contrary to that of a hacker or an attacker,” says Dmitry Gradar, head of a bank IT security department.

“What’s a hacker? First, an explorer... But those who explore information systems differ from those protecting them because it’s enough for them to explore a system, find a hole and penetrate it.

The psychology of ‘black’ and ‘white’ hackers differs dramatically

In security, there’s an unknown number of variables, a significant number of holes on the internet, exploits appear and so on, and you need to prioritise risks properly. Hiring hackers is risky. A hacker’s someone who’s already on the dark side. Who knows what he’ll do if he finds a breach in an organisation. If he’s broken the law, he’s likely to do it again, especially when teased by information security breaches.”

Сyber security experts insist that pentesters play the crucial role in cybercrime prevention

To learn more about the world of cyber security, see the premiere of the sixth episode of I Am Hacked on Monday!

Subscribe to get stories the mainstream media ignores: Subscribe RTD's Youtube