The Massachusetts Institute of Technology has defined a hacker as “one who enjoys the intellectual challenge of creatively overcoming limitations”. Despite this, the term is widely misconstrued, since the very thought of being hacked can send a chill down your spine. But contrary to popular notions, not all hackers are malevolent. Ethical hackers, also known as white hat hackers, look for threats and vulnerabilities in computer systems, networks and applications and try to draw attention to them before their unethical counterparts, the black hats, can spot and exploit them. Without those white hats, the world would certainly have drowned in fraud and malicious attacks.
In light of the recent surge in targeted attacks and the severe shortage of skilled security talent, many organizations, including governments, are turning to white hat hackers to fight cyber attacks.
A GROWING DEMAND FOR ETHICAL HACKING
“Organizations are gradually moving towards ‘red teaming’-based security assessment of their technology environment. This approach helps them to ascertain their preparedness for a security attack and how resilient they are. This also provides them inputs for improving their security monitoring capability,” said Vishal Jain, Partner, Deloitte India. This works on a pretty basic logic: ‘To catch a hacker you must think like a hacker’. “For consultants like us, we help our clients pre-empt threat situations by the way of Ethical Hacking. At our Deloitte Cyber Intelligence Centre, for instance, the ethical hackers are putting themselves in the shoes of the hackers to show an organization where their weaknesses lie.”
“Enterprises or security services companies do prefer professionals who have the mindset of hacking, provided they are matured enough to use their skills in a constructive manner and for the benefit of the enterprises”
“There are young independent security professionals who closely watch the activities from the hackers’ perspectives and publish or provide inputs to different agencies/ enterprises from the security perspective, including government bodies where they are engaged. These activities are sensitive to national security, hence not disclosed to public generally,” he added.
Laurie Mercer, Security Engineer at HackerOne said, “At HackerOne we see thousands of Hackers helping organizations prevent data and security breaches every day. Governments also continue to lead the way with their successful hacker-powered programs. The US Department of Defense has partnered with HackerOne for several years, running pioneering programs such as Hack the Pentagon and Hack the Army to great success. The European Commission partners with HackerOne as part of a framework created by the EU-Free and Open Source Software Auditing (EU-FOSSA) project, which aims to help EU institutions better protect their critical software.”
“Hackers were once a mystery. As organizations begin to understand what hacking is, our perceptions change from fear to understanding.”
BUG BOUNTY PROGRAMS GET BIGGER
As part of their vulnerability management strategy, organizations pay out substantial sums in bug bounties to security researchers and ethical hackers every year. At Black Hat 2019 in the US, Apple announced that it was opening its bug bounty program to all researchers and raising the maximum payout from $200,000 to $1 million. Microsoft announced a $300,000 top award in its Azure bounty program for hacking its public-cloud infrastructure service. Facebook’s bug bounty program has paid out more than $7.5 million since its inception in 2011, and its biggest single bounty ever, $50,000, went to one of its top contributors. Google’s Vulnerability Rewards Program dates back to 2010 and has since paid out more than $15 million; its largest single payout was $41,000.
INDIA’S TRYST WITH ETHICAL HACKING
The bug-bounty platform HackerOne’s 2019 report says that it alone paid out over $42 million to the 300,000 hackers in its network for reporting over 100,000 vulnerabilities. Most of these bounties were paid by organizations based in the US and Canada, followed by the UK, Germany, Russia and Singapore. India, however, was the top hacker location, and hackers from India continued to dominate earnings, taking in close to 12 percent of all bounties paid.
According to Mercer, “Over 10 percent of the HackerOne community is located in India. Of the 42 million dollars paid to hackers, nearly 5 million has been paid to India. Top Indian hackers have been paid hundreds of thousands of dollars.” Recognizing the strong talent base, HackerOne now supports payments in Indian currency as well to cut down on the unnecessary fees and make the payout process hassle-free for the deserving hackers.
Although financial incentives attract many bug bounty hunters, there is more to hacking than money. The motivation can be self-serving, altruistic or a mix of both. Some do it purely for fun or for the adrenaline rush of outsmarting others; some do it to hone their skills; and some do it to protect others and do good for all.
ETHICAL HACKING AS A CAREER OPTION
With companies hiring from within the hacker community, many are trying to build a career out of their interest and hacking skills. Conservative estimates put an ethical hacker’s starting salary at around Rs 3.5 lakh per year, depending on education, experience and employer. “Good hacking skills would be a cherry on the icing for a company who is looking at hiring an individual for a cybersecurity role,” said Vidit Baxi, Co-Founder and Lead ECS, Lucideus, a leading Indian cyber-security startup.
“The way I see it, it’s never-ending learning that motivates a hacker. When you keep learning, you end up creating a strong position for yourself in any organization that you are a part of. Financial compensations are an eventual benefit of the on-ground work that you would be doing.”
Depending on their expertise, ethical hackers are hired into roles such as Information Security Analyst, Security Analyst, Security Consultant (Computing / Networking / Information Technology) and Penetration Tester.
Many hackers are self-taught, and there are no hard and fast rules for anyone aspiring to be an ethical hacker. A bachelor’s degree in computer science, a fair understanding of operating systems, databases and networking, and programming skills are a good start. Certifications like CCNA, CISSP, CEH, GPEN, CPTC, CPTE, OSCP and Foundstone Ultimate Hacking can certainly beef up your resume and increase your chances of being noticed by prospective employers, but you also need hands-on experience to back those certifications up. Participating in bug bounty programs is a great way to test and demonstrate your skills.
“Industry estimates say that India will need 5 lakh cybersecurity professionals by 2020. We have only 50 thousands of good hackers or white hat hackers. The skill deficit is quite clear.”
“If you are a programmer, you need to have the knowledge of OWASP (secure coding), so the application you make doesn’t get hacked. Similarly, network security needs the knowledge of CCNA and software security needs the knowledge of Java, HTML, SQL,” said Sandeep Sengupta, Founder and Director, Indian School of Ethical Hacking.
“A hacker needs to know the technology they are dealing with inside out. Thus, it’s the hunger to know what keeps them driving, thereby making this digital tech world secure.”
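The OWASP secure-coding point Sengupta makes above, shown on the one concrete technology he names, SQL. This is an added example, not code from the article or from the Indian School of Ethical Hacking: a login check that concatenates user input into the query beside the same check with bound parameters, run against an in-memory SQLite table with constructed sample data. The table, the account and the payload are all assumptions made for the illustration.

```python
"""Added example (not from the PCQuest article or its interviewees):
a login query built by string formatting versus one using bound
parameters. The vulnerable form lets an attacker-controlled username
rewrite the SQL; the hardened form cannot be influenced that way.
Constructed sample data, in-memory SQLite, runs offline."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user table with a single account.
    The password is stored in plaintext only to keep the demo short;
    a real system stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query with string formatting: classic SQL injection.
    The quote characters in the input become part of the SQL grammar."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    (count,) = conn.execute(query).fetchone()
    return count > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same logic with bound parameters (the OWASP recommendation):
    the driver sends the values separately, so they can only ever be
    compared as data and never change the structure of the statement."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(query, (username, password)).fetchone()
    return count > 0


# Constructed bypass payload: closes the username string, ORs in a
# tautology, and comments out the password check that follows.
INJECTION = "' OR 1=1 --"


def demo() -> dict:
    """Runs both versions with a valid login and with the payload."""
    conn = make_db()
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct horse battery"),
        "vulnerable_injected": login_vulnerable(conn, INJECTION, "whatever"),
        "hardened_valid": login_hardened(conn, "alice", "correct horse battery"),
        "hardened_injected": login_hardened(conn, INJECTION, "whatever"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The injected query in the vulnerable version becomes `... WHERE username = '' OR 1=1 --' AND password = 'whatever'`, which matches every row, so the attacker is logged in without knowing any credentials. The hardened version compares the literal string `' OR 1=1 --` against the username column, finds nothing, and rejects the login. The same pattern applies to any database driver that supports parameter binding, which is why OWASP lists it first among the SQL injection defences.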
Career advancement in this domain depends on proving your value at work. A habit of self-learning is essential in this field to stay on top of the latest vulnerabilities and security trends. “An individual can have good hacking skills only if their understanding of technology is appropriate. And a technology enthusiast will always focus on learning and growth. Depending on the hunger for learning, you would see people investing time in self-learning and investing money in learning programmes,” said Baxi.
Cybersecurity is an evolving field and presents great opportunities for ethical hackers. Skills, certifications and ethics are key for anyone looking to build a successful career, but you also need to be a self-motivated individual with a problem-solving mind, who can assess risks and devise resilient strategies to protect organizations against cyber attacks and breaches.
(The story first appeared in PCQuest magazine September, 2019 edition)