Introduction:
1、White Hat Hackers: Inside the World of Ethical Hacking

2、What Is A White Hat Hacker And Why Do We All Need Them?
White Hat Hackers: Inside the World of Ethical Hacking
Matt Jakubowski’s journey from hacker hobbyist to cybersecurity specialist began during adolescence, when he spent countless hours digitally dissecting and rejiggering video games. At one point he succeeded in giving Mario of "Super Mario Bros." new jumping heights. Wahoo!
Later on, and far more important to his professional development, he began hacking friends. But they were fine with it and hacked him right back. It was 2008 and they’d all entered into what Jakubowski (aka “Jaku”) calls a “gentleman’s agreement" that permitted them to invade each other’s computers whenever and however they chose. The group even gave a presentation about it at the Washington, D.C. hacker convention ShmooCon. Without realizing it, Jakubowski and his friends became White Hat Hackers.
In most cases, Jakubowski and his mates exploited known security vulnerabilities to gain initial access to each other’s machines. And since nothing can happen prior to access (he compares accessing a company's network, for instance, to being "almost like a kid in a candy shop — everything's there"), the looming threat of that possibility prompted each participant to make sure his system was always “patched” and shielded from attacks.
Matt Jakubowski (third from left) and his Uptake cybersecurity team (Courtesy of Matt Jakubowski)
“A lot of times a computer system can be un-patched and vulnerable to something and not get hacked until it becomes a target,” explains Jakubowski, who for three years has led cybersecurity operations at the Chicago-based industrial analytics company Uptake. “We were constantly targeting each other, so we couldn't play it safe and hope that those systems just went unnoticed.”
Sitting in a small meeting room at Uptake’s corporate headquarters, Jakubowski recalls how he and his fellow gentlemen also built phishing sites with the goal of baiting each other to open destructive web links (e.g., Hey, check out this tweet) during the course of otherwise run-of-the-mill email and chat exchanges. The exercise kept them on their toes while also teaching them to notice minor — sometimes almost imperceptible — differences between legitimate sites and malicious ones. As you might know from personal experience, the web is rife with booby traps.
“We learned how to secure ourselves better, but we also learned new tricks that really helped us advance in a completely legal way,” Jakubowski says.
A tech “unicorn,” Uptake employs hundreds of people and is valued at more than $2 billion, so it’s a theoretically high-profile target for cyber intruders bent on causing mayhem one way or another. Jakubowski’s job, in concert with his crew, is to prevent or at least mitigate that mayhem. He credits his deeply formative days of friendly hacking with giving him a solid foundation from which to learn and grow.
“A bunch of us are now off doing much bigger roles in security than back then, and I think a lot of us owe it to that,” Jakubowski says. “Without those few years of us learning off each other, I don’t know where we would’ve gotten that knowledge.”
During that period, Jakubowski notes, breaching corporate networks in the same way he and his pals breached each other’s personal computers was an illegal act that could land violators in lawsuit hell or worse.
Ethical Hacker Jack Cable (Courtesy of U.S. Digital Service)
These days, intruders around the world have permission to infiltrate networks. It's called ethical hacking, and those who practice it are growing in number. Just as vaccines guard against diseases by introducing a weakened form of the offending biological agent, companies and government organizations invite these non-malicious hackers to penetrate their systems in order to pinpoint security gaps and develop stronger defenses.
While ethical hacker types had begun to emerge (the New York Times wrote about some “mischievous but perversely positive” ones in 1981), they were still viewed as anomalies and outlaws of a sort.
Now, nearly a decade later, as cybercrime costs companies billions of dollars and is predicted to exceed $6 trillion worldwide by 2021 (the worst cyber attack in history, a particularly nasty strain of malware dubbed NotPetya, cost FedEx alone at least $300 million), ethical hacking is catching on in a bigger way than ever before. Within two years, U.S. companies are expected to spend $1 trillion annually on proactive cybersecurity procedures to safeguard their valuable data.
While lots of businesses — especially big ones like Uptake — have in-house security staffs, they’ve also begun to rely more on outsiders who make money by participating in what are known as “bug bounty” programs (Uptake partners with a few) that offer ethical hackers monetary rewards for finding and reporting — rather than illegally exploiting — cybersecurity issues.
Stanford University freshman Jack Cable has carved out a lucrative niche in the bug bounty racket, placing first in a 2017 program called "Hack the Air Force" that paid out $130,000 for more than 200 vulnerabilities that were ultimately uncovered. He now has a global reputation.
Cable became interested in ethical hacking during his sophomore year of high school. While exploring a financial website, he discovered a potential cyber hazard: users could send negative amounts of money to anyone else on the platform, effectively lowering or depleting balances. Fortunately for Cable — and even more fortunately for the company — a bug bounty program allowed him to report the vulnerability and get paid for doing so. His interest and involvement grew from there, and he even helped launch a program at Stanford.
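The negative-amount transfer bug Cable describes, as an added illustration that is not from the article or any real platform: a transfer function that only checks the sender's balance, shown beside one that validates the amount first. The ledger, account names and amounts are constructed.

```python
"""Added example (not the article's code): a money-transfer function
that accepts a negative amount, so the 'sender' is credited and the
recipient drained, shown next to a validated version.
Ledger, account names and amounts are constructed."""
from decimal import Decimal, InvalidOperation

# Constructed in-memory ledger, balances in whole currency units.
LEDGER = {"alice": Decimal("100"), "bob": Decimal("50")}


class TransferError(ValueError):
    """Raised when a transfer fails validation."""


def transfer_unchecked(ledger, sender, recipient, amount):
    """Vulnerable: only checks that sender holds at least `amount`.
    A negative amount passes that check trivially and moves money
    from the recipient to the sender."""
    amount = Decimal(str(amount))
    if ledger[sender] < amount:
        raise TransferError("insufficient funds")
    ledger[sender] -= amount
    ledger[recipient] += amount


def transfer(ledger, sender, recipient, amount):
    """Hardened: requires a finite, positive amount with at most two
    decimal places, rejects self-transfers and unknown accounts, then
    checks funds. Balances change only after every check passes."""
    try:
        amount = Decimal(str(amount))
    except InvalidOperation:
        raise TransferError("amount is not a number")
    if not amount.is_finite() or amount <= 0:
        raise TransferError("amount must be positive")
    if amount != amount.quantize(Decimal("0.01")):
        raise TransferError("amount has too many decimal places")
    if sender == recipient:
        raise TransferError("sender and recipient are the same")
    if sender not in ledger or recipient not in ledger:
        raise TransferError("unknown account")
    if ledger[sender] < amount:
        raise TransferError("insufficient funds")
    ledger[sender] -= amount
    ledger[recipient] += amount


def demo():
    """Send the same negative-amount request through both versions and
    return both resulting ledgers plus whether the hardened one refused."""
    vuln = dict(LEDGER)
    transfer_unchecked(vuln, "alice", "bob", -40)  # alice gains 40 from bob
    safe = dict(LEDGER)
    try:
        transfer(safe, "alice", "bob", -40)
        refused = False
    except TransferError:
        refused = True
    return vuln, safe, refused
```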
Though many businesses remain skittish about publicly divulging, or giving strangers free rein to uncover, their cybersecurity flaws for fear of exposing sensitive data to the wrong eyeballs, an increasing number of them see the value in doing so through vulnerability disclosure policies that provide guidelines for those in the bug bounty business. There are even Congressional bills in the works that would require American federal agencies, including the Pentagon and the State Department, to hop on the bug bounty bandwagon.
“Companies are seeing that everyone is vulnerable and the only way you can become more secure is by first acknowledging where you are vulnerable and looking for a way to improve,” Cable says.
But improving from the outside in requires an extraordinary amount of trust. That’s becoming less of a sticking point than it once was, but it’s still a significant impediment to progress.
“Security companies have a battle for themselves to prove that they are a valuable asset,” Jakubowski says of firms that provide services such as penetration testing and vulnerability assessments. “They’re going to have to show that they’re capable of preventing attacks and will be secure with your data. Because at the end of the day, that’s what’s really important.”
Hacker House Co-Founder and CEO Jennifer Arcuri (Courtesy of Jennifer Arcuri)
Though still somewhat shackled by its pejorative past, the term “hacker” is nonetheless applied both to those who perform sanctioned services and those who wreak havoc. The former are often referred to as “white hats,” the latter as “black hats” — handles that hark back to Old West cowboy days and mean exactly what they appear to mean: good and bad. There are also “gray hats” who hack at will but usually without malicious intent.
Besides technical prowess, the best black hats have well-honed “soft” skills that allow them to “socially engineer” people over the phone, online or in person. In other words, they’re practiced manipulators with a solid understanding of human psychology who trick targets into unwittingly divulging private information that’s then leveraged to inflict trauma of one kind or another. Cases involving techniques like phishing, vishing and on-site shenanigans are reportedly on the rise.
“You can have the most robust online system, spend all that money on encryption and a firewall,” says Jennifer Arcuri, CEO and co-founder of Hacker House. “But if I dress up as a UPS delivery dude, come to the front door and talk to your receptionist, I can very easily socially engineer my way in.”
“There is,” she emphasizes, “always a way in.”
Social engineering has become such a problem, in fact, that some white hats specialize in preventing it. Here’s how one of them, SocialProofSecurity CEO Rachel Tobac, has explained her process:
“Before I do any type of social engineering, I have to collect a lot of information about how I would want to penetrate that system. This is called ‘OSINT collection’ – Open Source INTelligence collection. I choose my targets based on how much information I can find on them online. If I know who they are, who their friends are, who their bosses are, what their job is, what type of language or verbiage they use in their everyday life, it makes it more likely for me to choose them as a target because I can create a believable pretext and when I give them a call, it would be easier for me to build trust with them and get them to do what I need them to do.”
Regardless of team affiliation, experts say, the best hackers are hyper-curious, eager to show off their technological talents, at least borderline obsessive and employ many of the same techniques – including SQL injection and spear phishing, among others. Their goals, however, are vastly different.
And though there are plenty of top-notch ethical hackers who’ve come by their skills legally, insiders say, having dabbled in the dark arts can be beneficial — assuming, of course, the transformation from devious to virtuous is genuine and not simply a ruse. Infamous former black hat Kevin “Condor” Mitnick donned a lighter-colored lid after spending five years in prison on federal offenses that included computer and wire fraud. Others have broken good, or good-ish, as well.
“If you’re a black hat that becomes a gray or white hat, you’re probably going to be better than someone who has been a white hat the whole time,” says veteran cybersecurity specialist and ethical hacking instructor Dean Pompilio. “Because you know what it’s like to break all the rules without caring, and now that you have to play by all the rules, it changes your outlook and it changes your knowledge of tactics, techniques and procedures of your adversary. If you were a black hat who became a white hat, I would think you would have a much deeper understanding of what black hats are capable of because you have been there and done it.”
While Jakubowski thinks it’s possible to learn black hat methods without having gone all Darth Maul, the ethical angle is more challenging.
“There’s definitely a disadvantage to the white hat side, because we will always [have] a different approach [to hacking],” he says of his white hat ilk. “We want to prevent it. So we’re going to think in a more defensive way, and they’re going to think more offensively.”
Asked if he has ever dabbled in the dark arts, Jakubowski says doing so never appealed to him.
"There was a line that I didn't want to cross, because I don't like prison," he says. "I've never been, but I assume I don't like it."
Vocal white hat though she is, Arcuri says that possessing black hat know-how is undoubtedly advantageous.
“It’s all about, How does your adversary think? You want somebody who is not going to just run a few scans and check all of your ports and tell you what needs to be patched. You actually need somebody who is going to sit there and [study] your security landscape, who will actually take the time to penetrate each and every attack vector into your organization.”
That’s the value of disinterested third parties. Companies can run automated tools and implement basics like port scanning on their own, but those defense mechanisms aren’t nearly enough to thwart inevitable and potentially catastrophic intrusions. Fresh eyes and unbiased minds are key.
“Our team has a really good idea of how our stuff works,” Jakubowski says, “but having an outsider that has no idea how our stuff works is invaluable.”
Unswayed by internal politics, prejudices or complacency born of comfort, outsiders focus solely on the task at hand and on poring over minute but critical details that might otherwise be overlooked. Not that they’re always allowed inside.
When Hacker House launched four years ago, Arcuri says, companies were far more reluctant to trust sensitive information to her ragtag crew of “miscreants” despite their legitimate skills and knack for spotting suspicious patterns in online activity.
“Most of them have never committed actual crimes,” she says, singling out a hacker (charged in the U.S., alleged in the U.K.) named Lauri Love as the exception. “They were just the kid who smoked pot and wore hoodies and thought it was cool to be on servers and break code. They didn’t actually think this was a career.”
Security researchers at the 2018 DEFCON hacking conference in Las Vegas (Shutterstock.com)
That has more than a little to do with the fact that formal educational programs for hackers have until recently been scarce. And while today there are ample opportunities to learn ethical hacking and become officially certified in the field, doing so requires a good amount of hands-on experience. Which is to say it’s still not kid-conducive. Many think it should be.
Schooling young kids in the basics of ethical hacking, proponents argue, is the best way to ensure a more cyber-secure future — especially considering a projected shortage of cybersecurity professionals by 2022. The U.S. Army has even taught white hat methods to children as young as toddlers at the yearly hacker conference Def Con.
“There is a critical national shortage of hackers, and it’s because we’re failing to attract students early on to the field,” David Brumley, a computer science professor at Carnegie Mellon University, wrote in 2017. “More than four in five organizations lack sufficient computer security skills within their organization to protect themselves, according to a recent study by Intel. That means four in five organizations that want to secure their computers simply cannot find the talent to do so.”
Among several things that can help meet that “critical shortfall,” Brumley added, is the promotion of hacking from kindergarten through high school.
“Think about it: teenagers are picking passwords, agreeing to privacy policies, and sharing information online. Cybersecurity and privacy education are as essential as basic math today.”
But it’s one thing to learn hacking techniques and another to use them responsibly — ethically.
“In middle school and high school, you’re going to have students that want to break the boundaries,” Jakubowski says. “Teenagers are rebellious. You teach someone how to do something as a teenager and their first thought might be, ‘How can I have some fun with this?’ So you want to be careful. Even more than [cyber]security, we need to teach them how to be ethical with knowledge.”
After all, knowledge is power.
What Is A White Hat Hacker And Why Do We All Need Them?
The mere sound of the word ‘hacker’ can send most people into a panic state, and in the world we’re living in today, who could blame them? However, there are hackers that are beneficial to us all. Those hackers are known as White Hat or Ethical hackers. White Hat hackers are computer security experts who specialize in penetration testing and other types of testing to make sure an organization’s information systems are secure.
Before we get into the nuts and bolts of what White Hat hackers do, it’s important to know the types of hackers that are out there. There are three main types – Black Hat, White Hat, and Gray Hat – and if it sounds like something out of an old western movie it’s because that’s where the references come from. In the old westerns, bad guys wore black hats and good guys wore white. It’s the same when it comes to hacking.
White Hat/Ethical Hackers
As stated in the opening paragraph, White Hat hackers are the good guys. They are information systems security experts who perform various tests on an organization’s systems to find out where the inefficiencies and weaknesses are. This is done so that an organization can take a proactive stance and correct those weaknesses in its information systems before the bad hackers get a chance to take advantage of them.
White Hat hackers use many methods of testing the systems including what is called Penetration Testing. Penetration Testing is basically when the White Hat hacker hacks into the organization’s systems using methods used by the bad guys in order to see what methods work in getting through. By doing this, they can find the flaws in the system and provide a recommendation on how to fix the weakness in order to prevent an actual attack.
It is also fair to mention here that sometimes a White Hat hacker starts out as a Black Hat hacker but due to their extensive knowledge they start working as consultants or employees of organizations in order to protect the company’s systems.
Black Hat Hackers
Black Hat hackers are the bad guys. These are the people who are doing all the nefarious activity that is in the news today. Black Hat hackers illegally violate individuals’ and organizations’ computer security for no other reason than to be malicious or for their personal gain. There is no honor in what they are doing. Everything they are doing is illegal and for the wrong reasons. They are the exact opposite of a White Hat hacker.
Black Hat hackers are also known as crackers or dark-side hackers and they have extensive knowledge of computers and how they work. They are very skilled to say the least and their purpose is to breach or bypass internet security so that they can retrieve the valuable information that they seek. Sometimes a Black Hat hacker’s only goal is to create a virus or worm and set it loose. However, most times there is a personal upside or benefit they are after as well.
Gray Hat Hackers
As you probably have already figured out, Gray Hat hackers tend to fall somewhere in between White Hat and Black Hat hackers. Although their intentions are not usually evil or geared towards the nefarious, they aren’t usually complete angels either.
Basically Gray Hat hackers are computer security experts who sometimes violate laws or ethical standards without the malicious intent of a Black Hat hacker. Many times Gray Hat hackers will illegally access a system just to see where the vulnerabilities are and figure out a fix. However, they generally don’t share this information with others for it to be exploited like Black Hat hackers do. Gray Hat hackers sometimes do this type of hacking just for the knowledge it gives them. They also may do it for purposes of getting themselves or their friends hired by the organization to fix the security issue.
There are generally fewer Gray Hat hackers these days due to the willingness of businesses to prosecute anyone who illegally accesses their systems, no matter whether their intentions were good or not.
Other Types Of Hackers
Now there are other types of hackers such as Blue Hat, Elite, or Script Kiddies but for the purpose of this article the main ones are Black, White, and Gray.
If your business is serious about its information systems’ security and decides to hire a security firm to make sure everything is at its optimal state, then you are going to meet a White Hat or Ethical Hacker. It is their job to do what is called penetration testing to find your system’s vulnerabilities and flaws before the bad guys do. He or she will then suggest ways to fix and lock down the system so the chances of being hacked are very minimal.
So what is penetration testing? It is a simulated hacking attack on a computer system that is authorized by the person or business whose system is being attacked. The test will look for all the ways that a system can be hacked in its current state and then actually hack into it to prove it can be done and to see how easy it was to do. This then gives the tester information on what the issues are and allows them to find a way to fix them.
After finding the vulnerabilities, the White Hat or Ethical hacker then compiles a report on what issues were found and what needs to be done to correct them. It is usually after this report is presented to the company that they decide to hire the firm to then shore up the systems and make them secure.
As you can see White Hat or Ethical hackers serve a very important role in the security of a company’s information systems and are an invaluable resource for all of us. They are experts in what they do and are here to help set up protections against the malicious activities that are running rampant in today’s technological world. If you have never had your company’s systems tested then it would be wise to do so right away before the Black Hats come and make life miserable.