Q&A: White Hat hackers: Are they ethical?

As concerns around cyber security increase for enterprises, it’s no surprise that more companies are choosing to hire white hat hackers, or “ethical hackers.” The main concept behind this movement is for highly skilled hackers to work on behalf of enterprises to discover vulnerabilities that might otherwise go undetected. While many support this approach to improving cyber security measures, a few companies are hesitant about the idea of allowing hackers to find flaws in their network. Still, at the end of the day, ethical hackers are a key asset to organisations that are willing to take a close look at their security measures and address security flaws accordingly. This can help prevent major security breaches from occurring down the road, and can also be an opportunity for enterprises to have ethical hackers train employees on the warning signs of cyber security vulnerabilities.

In today’s ever-changing landscape, the sophistication of cyber-attacks is increasing, and more companies are being targeted. This is why the topic of ethical hacking is so timely. Shimon Noam Oren, Head of Cyber Intelligence at Deep Instinct, weighs in on the role of ethical hackers in today’s cyber security environment.

At a high level, how would you define “ethical hacking”?

Ethical hacking can be defined as any use of hacking methods, penetration techniques, vulnerability research and exploitation that are conducted as part of an effort to secure networks, products, endpoints, software, etc. and improve users’ trust and usage thereof. The important differentiator to highlight is that white hat hacking finds vulnerabilities in order to secure company assets as opposed to stealing information for personal gain.

From your perspective, have you seen an increase in companies hiring ethical hackers (either as full-time employees or as contracted workers) to help protect against cyber threats?

There has absolutely been an increase in this trend. More and more companies are hiring skilled and experienced ethical hackers, as well as penetration testers with hacking skills, to improve their products’ security posture and as part of their internal cyber security efforts. Senior level management is also becoming more aware of cyber risks, and they are willing to put additional money and resources into hiring the right kind of professionals, in this case, white hat hackers. It’s important for management to be on board and involved throughout the hiring process to make sure priorities are aligned. 

How are companies implementing white hat hackers into their everyday IT routine?

We’re seeing an increase in the number of companies using red teams built on white hat hackers, either internally within the organisation or externally (as a service), to evaluate weak spots and risks in their IT posture and, where relevant, in their products as well. Enterprises will oftentimes add such professionals to their response teams, as many response and remediation team leaders find it extremely helpful to have people with the skills and mindset of a hacker to offer advice when dealing with a crisis or cyber security event. They can offer valuable insights into the problem at hand and how to address the issue using the best course of action.

What are a few ‘best practices’ companies should keep in mind when it comes to hiring white hat hackers?

It’s critical to understand the candidate’s background and ask about how and where they were trained, and with whom they’ve worked in the past. Another key component to keep in mind when hiring an ethical hacker is to assess their social and teamworking skills. Oftentimes white hat hackers will be required to work closely with a handful of individuals, and it’s important that they have the ability to work in group settings and collaborate when needed.

What type of resources does an ethical hacker need in order to be successful in his/her job?

As a start, any kind of resource you’d want to have available in any malware research or cyber-intelligence team should also be available to ethical hackers. For instance: threat intel feeds; secure proxies; VPNs for safe, anonymous internet connections; dynamic and static analysis tools for files and malware; host and network forensic tools; a separate physical and virtualised environment for research and malware analysis; and lastly, deep and dark web cyber forum access. All of these tools can be a major plus for hackers and will set them up for success.

How can companies implement their own training to better arm employees against cyber threats?

The key is hiring the right people, such as those who are willing and excited about training others, and sharing knowledge and insights from their firsthand experience. Other than that, companies need to understand that keeping people trained and knowledgeable is an ongoing process and not a “one-off.” Threats are constantly changing, malware is evolving, and new attack vectors and surfaces appear all of the time, so keeping teams updated, aware and informed of the changing threat landscape is very important even with the most cyber-savvy and tech-oriented workforce.

Are there any downfalls to hiring an ethical hacker?

In my opinion, as long as the hiring and vetting processes are done right, there aren’t any major downfalls. In order to make this a positive experience for both the hacker and company, managers need to keep in mind that hackers are hard to keep in one position within an organisation for long periods of time. The more they are challenged and feel that they are moving forward professionally, the more they will be motivated and encouraged to stay with a company for the long-term. 

How do you see this trend evolving over the next five to ten years?

We will likely see more people trying to acquire certified and official education for ethical hacking, as more companies and organisations strive to include such professionals in their workforce. The overall direction we’re heading in means more standardisation and regulation of knowledge, skills and experience for ethical hackers, or at least an official certification. The challenge for employers will be choosing the right and most qualified people for their organisational needs.

Shimon Noam Oren, Head of Cyber Intelligence, Deep Instinct