PCQuest

In Vogue: White Hats

In light of the recent surge in targeted attacks and the severe crunch of skilled digital security talent, many organisations, and governments too, are rooting for white hat hackers to fight cyber-attacks

- Soma Tah somat@cybermedia.co.in

Massachusetts Institute of Technology has defined a hacker as “one who enjoys the intellectual challenge of creatively overcoming limitations”. Despite this, the term is largely misconstrued, as the very thought of being hacked can send a chill down your spine. But contrary to popular notions, not all hackers are inherently malevolent. There are ethical hackers, also known as white hat hackers, who look out for threats and vulnerabilities in computer systems, networks, applications, etc. and try to draw attention to them before their unethical counterparts, or black hats, can spot them and wreak havoc. If we hadn’t had those white hat hackers, the world would certainly have drowned in fraud and malicious attacks.

A Growing Demand for Ethical Hacking

“Hackers were once a mystery. As organisations begin to understand what hacking is, our perceptions change from fear to understanding.” —Laurie Mercer, Security Engineer, HackerOne

“Industry estimates say that India will need 5 lakh cybersecurity professionals by 2020. We have only 50 thousand good hackers or white hat hackers. The skill deficit is quite clear.” —Sandeep Sengupta, Founder & Director, Indian School of Ethical Hacking

“Organisations are gradually moving towards ‘red teaming’-based security assessment of their technology environment. This approach helps them to ascertain their preparedness for a security attack and how resilient they are. This also provides them inputs for improving their security monitoring capability,” said Vishal Jain, Partner, Deloitte India. This works on a pretty basic logic: ‘To catch a hacker you must think like a hacker’. “For consultants like us, we help our clients pre-empt threat situations by way of ethical hacking. At our Deloitte Cyber Intelligence Centre, for instance, the ethical hackers are putting themselves in the shoes of the hackers to show an organisation where their weaknesses lie.”

“There are young independent security professionals who closely watch the activities from the hackers’ perspectives and publish or provide inputs to different agencies/enterprises from the security perspective, including government bodies where they are engaged. These activities are sensitive to national security, hence not disclosed to the public generally,” he added.

Laurie Mercer, Security Engineer at HackerOne, said, “At HackerOne we see thousands of hackers helping organisations prevent data and security breaches every day. Governments also continue to lead the way with their successful hacker-powered programmes. The US Department of Defense has partnered with HackerOne for several years, running pioneering programmes such as Hack the Pentagon and Hack the Army to great success. The European Commission partners with HackerOne as part of a framework created by the EU-Free and Open Source Software Auditing (EU-FOSSA) project, which aims to help EU institutions better protect their critical software.”

Bug Bounty

It may sound crazy, but organisations, as part of their vulnerability management strategy, do pay out an insane amount of money as bug bounties to security researchers and ethical hackers every year. At the recently concluded Black Hat 2019 conference in the US, Apple announced that it was opening up its bug bounty programme to all researchers and sweetened the payouts by increasing them from the current $200,000 to $1 million. Microsoft also announced that it will add a $300,000 award to its Azure bounty programme to hack its public-cloud infrastructure service. Facebook’s bug bounty programme has paid out more than $7.5 million since its inception in 2011 and has also paid its biggest single bounty ever, $50,000, to one of its top contributors. Google’s Vulnerability Rewards Programme dates back to 2010 and has since paid out more than $15 million. The largest single payout was $41,000.

Ethical Hacking and India

The bug-bounty platform HackerOne’s 2019 report says that it paid out over $42 million to the 300,000 hackers in its network alone, for reporting over 100,000 vulnerabilities. While most of these bounties came from organisations based in the US and Canada, followed by the UK, Germany, Russia, Singapore, etc., it’s an interesting fact that hackers from India continued to dominate the earnings scene by pulling in close to 12 percent of the total bounties paid, and India remains the top hacker location too.

According to Mercer, “Over 10 percent of the HackerOne community is located in India. Of the 42 million dollars paid to hackers, nearly 5 million has been paid to India. Top Indian hackers have been paid hundreds of thousands of dollars.” Recognising the strong talent base, HackerOne now supports payments in Indian currency as well, to cut down on unnecessary fees and make the payout process hassle-free for the deserving hackers.

Although financial incentives attract a lot of bug bounty hunters, there’s more to hacking than money. The motivation could be self-serving, or altruistic, or even a mix of both. Some do it purely for fun or for an adrenalin rush, which they get by outsmarting others.

“Enterprises or security services companies do prefer professionals who have the mindset of hacking, provided they are mature enough to use their skills in a constructive manner and for the benefit of the enterprises.” —Vishal Jain, Partner, Deloitte India

“A hacker needs to know the technology they are dealing with inside out. Thus, it’s the hunger to know what keeps them driving, thereby making this digital tech world secure.” —Rahul Tyagi, Co-Founder & VP, Lucideus

“The way I see it, it’s never-ending learning that motivates a hacker. When you keep learning, you end up creating a strong position for yourself in any organisation that you are a part of. Financial compensations are an eventual benefit of the on-ground work that you would be doing.” —Vidit Baxi, Co-Founder & Lead ECS, Lucideus

Some do it to hone their skills, while some do it to protect others and to do good for all.

Ethical Hacking Career

With companies hiring from within the hacker community, many are trying to build an effective career plan out of their interest and hacking skills. Conservative estimates say that an ethical hacker generally starts with a Rs 3.5 lakh per year salary, depending on the education, experience and the employer. “Good hacking skills would be a cherry on the icing for a company who is looking at hiring an individual for a cybersecurity role,” said Vidit Baxi, Co-Founder and Lead ECS, Lucideus, a leading Indian cyber-security startup.

Depending on the expertise, ethical hackers get hired for a bunch of job roles such as Information Security Analyst, Security Analyst, Security Consultant (Computing / Networking / Information Technology), Penetration Tester, etc.

Many hackers are self-taught. There are no hard and fast rules to follow for anyone aspiring to be an ethical hacker. Usually, a bachelor’s degree in computer science and a fair understanding of operating systems, databases and networking, with programming skills, are good to start. Adding certifications like CCNA, CISSP, CEH, GPEN, CPTC, CPTE, OSCP, Foundstone Ultimate Hacking, etc. can certainly beef up your resume and increase your chances of getting noticed by prospective employers, but you also need hands-on experience to back those certifications up. Participating in bug bounty programmes is a great way to test and demonstrate your skills.

“If you are a programmer, you need to have the knowledge of OWASP (secure coding), so the application you make doesn’t get hacked. Similarly, network security needs the knowledge of CCNA and software security needs the knowledge of Java, HTML, SQL,” said Sandeep Sengupta, Founder and Director, Indian School of Ethical Hacking.

But career advancement in this domain is dependent on proving your value at work. Creating a habit of self-learning is extremely important in this field to ensure that you are on top of the latest vulnerabilities and security trends. “An individual can have good hacking skills only if their understanding of technology is appropriate. And a technology enthusiast will always focus on learning and growth. Depending on the hunger for learning, you would see people investing time in self-learning and investing money in learning programmes,” said Baxi.

Cybersecurity is an evolving field and presents great opportunities ahead for ethical hackers. Skills, certifications, and ethics are key for anyone looking to build a successful career, but you also need to be a self-motivated individual with a problem-solving mind, who can assess risks and think of resilient strategies to protect organisations against any cyber-attack or breach.

Image Source: HackerOne, The 2019 Hacker Report
