The typical image of a hacker is wrong, writes WithSecure’s Tom Van de Wiele. This is an issue because many businesses could benefit from skilled, ethical hackers.
Pop culture has long been fabricating the image of a hacker in the minds of the masses.
According to popular movies such as The Girl with The Dragon Tattoo and The Matrix, hackers are usually teenagers wearing black hoodies, listening to techno music, and sitting in a dark room surrounded by screens flashing code. They are usually shown to be hacking high-level organisations like the FBI or CIA, which they seem to do in a matter of minutes.
Considering how movies portray hackers, it comes as no surprise that the word ‘hacker’ has become a negative term.
However, what is more concerning is that businesses have bought into this stereotype without considering the full spectrum of what being a hacker means. Most businesses do not want to associate with the term as they perceive hackers to be an illicit group which will only tarnish an organisation.
Hacking, in reality, is a skill which takes practice and education to master. Like most skills, hacking can be used for good or evil. Just like being a locksmith, it depends on your knowledge of the law and your moral compass: knowing when and how to use your skills without endangering others.
Unfortunately, someone who knows a lot about computers and networks and is able to channel their knowledge and experience for whatever purpose in a moral and ethical way is still portrayed as a caricature, because how else can one visualise the difference between an average and an expert computer user?
After about 20 years as a hacker, I have seen these stereotypes slowly disappear, but they are still present in media productions. The perception perpetuated by pop media is not only misleading to security professionals, but also to businesses that could benefit from the expertise of a hacker.
Who is a hacker?
Hacking requires knowledge and experience as well as preparation – whether it be criminal or ethical. Hacking as a skill is much more than buying a technical gimmick or a ‘hacking tool’ or being a technical expert or even being able to code. It takes a person to have a ‘hacker mindset’, which means being inquisitive, passionate and having a borderline obsessive interest in how things work.
The crux of what we do is to know the ins and outs of a system. Knowing where and how things are bolted together in a system lets us see where the obvious cracks are. While some individuals choose to use this knowledge to protect the system, some choose to profit from it by attacking.
Criminal hackers, or ‘threat actors’, are usually misportrayed as loners who are sitting in a basement carrying out criminal activities. What most people often don’t realise is that these hackers are usually employees much like us, with managers and budgets. They work as a team to initiate campaigns, research potential targets and plan different kinds of attacks.
In the cybersecurity industry, we have seen attack methods improve drastically while becoming more affordable. This is largely due to the fact that attackers do not usually practise specific skills in isolation; instead, they work as a community. This means that they share and steal resources from each other, perfecting their skills and exploring different ways to utilise vulnerabilities.
What does the job of an ethical hacker entail?
One of the core responsibilities of an ethical hacker is to conduct threat modelling on a frequent basis.
This means analysing the systems and applications of a business to identify any structural vulnerabilities that can create a potential threat. They will also be able to map out a potential attack surface and identify how well the digital infrastructure is prepared to handle inevitable attacks, without disrupting the real-life IT environment.
This role involves a lot of analytical aspects, as it is their core responsibility to understand how efficient and controlled a firm’s defence is compared to their competitors.
Furthermore, ethical hackers engage in the interplay between threat modelling and editing to understand what an attacker might do based on the perceived attack surface, i.e. what can be attacked that could yield something interesting or valuable. This all contributes to preparing the organisation’s defences accordingly.
How can an ethical hacker add value to an organisation?
Criminal gangs carry out countless attacks in the industry every day, which has secured a permanent space for them in the limelight. Therefore, an employed ethical hacker will try to identify and understand the vulnerabilities in a system, using their skills to protect your organisation rather than destroy it.
Ethical hackers tend to walk the line between both the ethical and non-ethical worlds. They know the law and therefore understand what is acceptable and unacceptable. Ethical hackers understand how and what criminal gangs think, which is one of the most useful skills for any business to have.
Employing a skilled ethical hacker on the security team will put your firm in a better position to not only predict potential threats, but also align your defences accordingly. The primary aim of any ethical hacker would be to keep your business a step ahead before an online incident takes place.
The idea behind it is that if a criminal gang assesses your infrastructure and deems it too robust, meaning they would need more resources to carry out a breach, they are likely to skip you. It is impossible to make an impenetrable system; however, ethical hackers identify where the cracks in the system are and close off potential opportunities for attacks, thus reducing the possibility of a transgression. This is the true value of having a hacker on your side.
To sum it up, ethical hackers have an intense job that requires us to work with a team carrying out creative solutions to combat creative attacks.
There is still a lot of work that needs to go into getting rid of these previously imposed perceptions of what a hacker is. An ethical hacker has the power to make a difference in the security structure of an organisation and to protect the business and even the society at large.
Now is the right time to break the stereotypes and rise above them.
Tom Van de Wiele is principal threats and technology researcher at cybersecurity company WithSecure. He has an extensive background in offensive security, and is responsible for performing and validating threat research while exploring potential protection capabilities as part of current and new technology, privacy and other cybersecurity-related areas.