How to Hire an Ethical Hacker
By Ryan O’Leary, WhiteHat Security
If your company develops web applications, I hope you aren’t the nervous sort when I tell you that your website is most likely being targeted for hacking as you read this. If you’re a security manager, it really shouldn’t come as a surprise, though. Web apps are the most exploited means of illicit entry by hackers.
The Verizon 2016 Data Breach Investigations Report says that web application attacks represented 40 percent of all data breaches in 2015. The total global cost of data breaches today is $360 billion and, according to the Ponemon Institute, the average total cost of a single breach is $4 million.
I tell you this not to ruin your sleep but rather to let you know you that there is a solution: hire a good-guy hacker to find vulnerabilities before the bad guys do, and then have your developers fix them.
You and your customers will be spared what could be truly enormous losses. The best way to discover your application vulnerabilities is to hack yourself.
However, hiring a competent, ethical hacker on your own isn't the easiest thing to do, because the supply is limited. And you have to be sure they are reputable. After all, hackers are trained in the dark arts, so you need to be confident not only that they are skilled but also that they won't use what they find on your website for nefarious purposes. At the very least, they need to pass a stringent background check, like any security employee.
Ethical hackers are an unusual breed. They have the same skills as bad-guy hackers, but they choose to use those skills for good. And they’re up against a formidable array of troublemakers:
Hacktivists, whose motivation may be politics, exposing wrongdoing or exacting revenge
Organized crime hackers, who want to steal your money, data and computing resources
Nation-state and terrorist hackers, driven by politics or religion
When I hire potential application security engineers, I look for a certain mindset: “How can I break something?” The hacker personality likes to figure out how something works and then try to reverse engineer or otherwise subvert it. It’s a point of view you can’t teach.
I remember once we had a group of hacker applicants in the lobby and one of them whiled away his time figuring out how to hack the lobby soda machine. He was successful — and then he put the soda can back, because he wasn't after a free Coke; he just wanted to see if he could do it. I had no hesitation about hiring that guy.
The other vital quality I look for is the drive to learn new things, because being a successful hacker is all about keeping up to date with the latest trends. And there is always something new coming along. Right now potential vulnerabilities include:
Information leakage
Predictable resource location
Directory indexing
Insufficient transport layer protection
Newly disclosed vulnerabilities in widely used components, such as POODLE, Heartbleed, Shellshock and flaws in Java
And there are many potential ways that cybercriminals can exploit those vulnerabilities, such as:
Cross-site scripting
Filter evasion for XSS
Social engineering
Content spoofing
URL redirector abuse
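Several of the vulnerability classes listed above (directory indexing, information leakage, predictable resource location and insufficient transport layer protection) show up directly in an HTTP response, so a first pass at "hacking yourself" can be automated. The script below is an added example, not code from the original article or from WhiteHat Security; it runs offline against three constructed sample responses (the URLs, headers and bodies are invented for illustration) and flags the same classes the article names. Hooking it up to live responses from your own site, with authorization, is left to the reader.

```python
import re

# Constructed sample HTTP responses (assumption: invented for this example,
# not captured from any real host).
SAMPLE_RESPONSES = {
    "http://www.example.com/uploads/": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.4.18 (Ubuntu)\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><head><title>Index of /uploads</title></head>"
        '<body><h1>Index of /uploads</h1><a href="customers.bak">customers.bak</a></body></html>'
    ),
    "http://www.example.com/login": (
        "HTTP/1.1 500 Internal Server Error\r\n"
        "Server: nginx\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<pre>java.sql.SQLException: syntax error near 'admin'\n"
        "\tat com.example.LoginServlet.doPost(LoginServlet.java:42)</pre>"
    ),
    "https://www.example.com/account": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body>Welcome back</body></html>"
    ),
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_response(url, raw):
    """Return the list of weakness classes visible in one response."""
    findings = []
    status, headers, body = parse_response(raw)
    # Directory indexing: autoindex pages from Apache and nginx carry this title.
    if re.search(r"<title>\s*Index of /", body, re.IGNORECASE):
        findings.append("directory indexing")
    # Predictable resource location: backup or archive files linked from a listing.
    if re.search(r'href="[^"]+\.(bak|old|orig|sql|zip|tar\.gz)"', body, re.IGNORECASE):
        findings.append("predictable resource location: backup file exposed")
    # Information leakage: version string in the Server header, or a stack trace in the body.
    if re.search(r"/\d+\.\d+", headers.get("server", "")):
        findings.append("information leakage: server version in header")
    if re.search(r"\bat [\w.$]+\(\w+\.java:\d+\)|Traceback \(most recent call last\)", body):
        findings.append("information leakage: stack trace in body")
    # Insufficient transport layer protection: plain HTTP, or HTTPS without HSTS.
    if url.startswith("http://"):
        findings.append("insufficient transport layer protection: served over plain http")
    elif "strict-transport-security" not in headers:
        findings.append("insufficient transport layer protection: no HSTS header")
    return findings


def audit(responses):
    """Map each URL to its findings; an empty list means nothing was flagged."""
    return {url: check_response(url, raw) for url, raw in responses.items()}


if __name__ == "__main__":
    for url, findings in audit(SAMPLE_RESPONSES).items():
        print(url, "->", findings or ["no findings"])
```

The checks are deliberately pattern-based: a human tester will still find things a regex cannot, which is the article's point, but a script like this catches the cheap, repeatable mistakes before the engagement starts and can be re-run after fixes to confirm they took.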
One place to look for good-guy hacker hiring recommendations is a local chapter meeting of the Open Web Application Security Project (OWASP). Find one, attend and make friends; the application security community is a small but tight-knit and helpful group. There are also companies that will provide safe, certified experts as well as software tools to hunt down the vulnerabilities in your websites and apps.
When the security expert arrives, you’ll tell him or her your priorities and he or she will get to work, most likely vetting your flagship website first. Once you find out where the vulnerabilities lie — and there always are some, in my experience — you’ll develop a plan to fix them. And remember, bugs and vulnerabilities may be lumped together as “defects,” but vulnerabilities –with their greater potential for disaster — should get first priority in the repair queue.
Going forward, you need to make AppSec an embedded part of the development process. It’s much cheaper to fix vulnerabilities in development than in QA. Among other things, that means security and development must become a tightly bonded team.
You may find your developers initially resist or resent the security expert’s involvement. Developers are all about speed of release and quality of code, and they may have little or no security training or mind set. They often view security experts as roadblocks.
The solution is a companywide emphasis on security and secure coding training for the developers. It’s true that security testing will slow down the development process a little, particularly at first before people get used to it. But eventually security is just seen as another part of QA, with everyone striving toward the same goal: a secure product.
Sometimes security managers or their leadership are leery of employing their own good-guy hacker, because they don’t want to know the bad news. It’s like staying away from the doctor to avoid hearing that you have medical problems. That’s human nature, maybe, but not wise. The hacker mindset, however, is an invaluable addition both to the security team and to the DevOps team the hacker (hopefully) collaborates with.
Remember, each vulnerability you eliminate is one less chance of being hacked. Corny or not, "knowledge is power." The more you know, the more you can prevent your organization from experiencing a potentially devastating breach. A good-guy hacker could make a world of difference in your security posture.
How to Hire Hackers
*Content includes branded mentions of our sponsor ZipRecruiter.
According to multiple recent studies, not only are company data breaches becoming more prevalent, but they're also getting more expensive. With such high stakes, finding the most effective way to prevent hacks is a critical task. One potential solution is to hire an ethical hacker.
This article covers what these white hat hackers do, why you might want to hire one and how to protect your company from data breaches by hiring an ethical hacker, either by posting a job listing or searching for a professional online.
Ethical hackers, or white hat hackers, are hired to help organizations identify and mitigate vulnerabilities in their computer systems, networks and websites. These professionals use the same skills and techniques as malicious hackers, but with the organization's permission and guidance and with the goal of improving the organization's security.
Even if your company has a highly competent IT department, there are good reasons to hire a hacker. First, ethical hackers are aware of the actual methods hackers are currently using — techniques that may not be on the radar of your company's IT professionals. Ethical hackers share the same curiosity as malicious hackers and will be up to date on current threats. Second, any established department can benefit from the approach of an outsider, who comes in with fresh eyes to see weaknesses you didn't know were there.
If you get pushback on hiring an ethical hacker, explain that the point of hiring one isn't to test the competencies of your IT department. Rather, it's an additional, temporary measure to build a secure infrastructure that can withstand whatever cyber threats malicious hackers might throw at it.
Ethical hackers attempt to get unauthorized access to company data, applications, networks or computer systems — with your company's consent.
A professional hacker follows this basic code of conduct. They:
Stay within legal guidelines, obtaining written approval before attempting a hack
Define the project's scope, so their work stays within your company's specified boundaries and doesn't venture into illegal territory
Report weaknesses, making your company aware of all vulnerabilities they discover during their hack and providing solutions to fix them
Respect your data and are willing to sign a nondisclosure agreement
Below are steps you should follow for hiring white hat hackers and avoiding black hat hackers.
In your quest to find a hacker, you might think to turn to the dark web. After all, if television and films are to be believed, hackers — even reputable ones — work in the shadows. But what is the dark web, and is it safe to hire a hacker from it?
The "visible" layer of the web is the surface web — all public-facing websites that you can access through browsers like Chrome, Internet Explorer and Firefox. This is the internet everyone's familiar with, and by common estimates it makes up only about 5% of the entire web.
The deep web below the surface accounts for the vast majority of the web and contains private data such as legal files and government databases. The dark web refers to sites that you can only access via specialized software such as the Tor browser, and it's where most illegal online activity occurs.
The dark web is a dangerous place to find hackers for hire because you don't know who the person you're speaking to really is or whether they're a scammer. Also, since there is far more malicious content there, it's more likely your computer will pick up malware while browsing it.
For this and many other reasons, it’s not advisable to look for an ethical hacker on the dark web. Instead, use professional organizations that have directories of certified ethical hackers, or hire a vetted professional from a cybersecurity firm.
Look for a hacker who has a solid understanding of the software or systems you need them to hack. They should also be able to show familiarity with the tools they'll need to carry out their attacks. You want someone with experience, but keep in mind that veteran white hat hackers will be more expensive.
When hiring a hacker, consider both the depth and breadth of their skills. Some hackers only perform surface-level attacks but have a wide variety of capabilities (things they can hack). Other professional hackers are specialized and focus on specific kinds of advanced attacks.
For example, if you need professional hacking of your applications, find someone with experience in that. If you want to test the security of your company’s cell phones, hire a cell phone hacker. But if you want someone to test as many security systems and devices as possible, look for a generalist. Once a generalist identifies vulnerabilities, you can hire a specialist later on to dive deep into those weak points.
Do your research before you begin interviewing candidates: check industry forums, or even request reviews from a candidate's past clients.
Conducting a thorough interview is important to get a sense of a hacker’s abilities as well as their past experience. Here are some sample questions you can ask potential candidates:
What techniques do you employ to find surface-level vulnerabilities?
How do you ensure you've tried all possibilities for hacking into a system?
Can you tell me about a time you successfully hacked into an advanced system for a company in our industry?
For technical questions, you could have someone from your IT department come up with more precise queries, conduct the interview and summarize the responses for any nontechnical members of the hiring team. Here are some guidelines for technical questions that your IT people can dig into:
Is the candidate proficient with the Windows and Linux operating systems?
Do they understand both wired and wireless networks?
Do they understand file systems and firewalls?
Do they know how file permissions work?
Do they have strong coding skills?
Do they understand what motivates malicious hackers?
Do they understand the value of the data and systems you're trying to protect?
When interviewing candidates, consider including a test of their skills as part of the process. For example, you can carry out paid tests of your final round of candidates that show their expertise with a specific coding language.
If it’s your first time conducting an interview, you should read up on how to interview someone, research candidates, create an interview structure and identify the right questions to ask.
Establishing goals for hackers to meet is a good way to assess each candidate’s competency within a structured project framework while also giving them some leeway to use and develop their own (allowed) methods.
You should first identify the top security priorities for your organization. These should be the areas where you already know you could have weaknesses and areas you want to keep secure.
Follow that by setting up defined milestones in the project. Ideally, you'll tie each milestone to a payment to keep the candidates motivated.
Finally, impose as few restrictions as possible on the hackers beyond the written scope and rules of engagement. After all, malicious hackers won't have those rules, and you're trying to get as close to a malicious hack as possible. Let the hacker have as much free rein as they need, as long as they stay within the agreed scope and don't negatively affect your security systems, degrade your services or products or harm your relationships with customers.
There are three basic types of hacks you can ask online hackers to do:
White-box engagements are when you give the hacker as much information about the target system or application as possible, such as source code, architecture documents and credentials. This helps them find vulnerabilities faster than a malicious hacker typically could.
Black-box engagements are when you don't give any inside information to the hacker, which makes it more like what an attack would look like in the real world.
Gray-box engagements give the hacker partial information, such as a normal user's credentials or a network diagram. They are often used to simulate a situation where an attacker has already penetrated the perimeter, so you can see how much damage they could do from there.
Decide what systems you want the hacker to attack. Here are some examples of different types of ethical hacking you could propose:
A website attack, such as a SQL injection attack
A distributed denial of service (DDoS) attack, in which a hacker uses a "zombie network" (botnet) to overwhelm a website or server with traffic until it stops responding; testing this against production normally requires advance coordination with your hosting and network providers
A social media hack of your company's accounts
A cell phone hack to see if your company's cell phones are vulnerable — a big problem if your employees store sensitive data on their company phones
A corporate email hack to see if your employees can recognize phishing or other cyber attacks
Request a report after the hacking exercise is completed that includes the methods the hacker used on your systems, the vulnerabilities they discovered and their suggested steps to fix those vulnerabilities. After you've deployed fixes, have the hacker try the attacks again to ensure your fixes worked.
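The SQL injection attack named in the list above, and the retest step described in the paragraph just before this one, can both be shown in a few lines. The code below is an added example, not code from the original article or from ZipRecruiter: a login check that splices user input into the SQL text (the vulnerable "before") sits beside the parameterized fix, and a retest routine runs the same attack cases and legitimate logins against whichever version you hand it. The in-memory SQLite database, the user "alice" and the test cases are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory database with one constructed user; not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input becomes part of the SQL text."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username, password):
    """Parameterized query: values travel separately from the SQL text,
    so quotes and comment markers in the input are never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Retest cases: (username, password, is_attack). Constructed for this example.
CASES = [
    ("alice", "correct horse battery staple", False),  # legitimate login must keep working
    ("alice", "wrong-password", False),                 # wrong password must be rejected
    ("alice' --", "wrong-password", True),              # comments out the password check
    ("alice", "' OR '1'='1", True),                     # tautology in the password field
]


def retest(login_fn):
    """Run every case against login_fn and return {(username, password): granted}."""
    conn = make_db()
    results = {}
    for username, password, _ in CASES:
        try:
            results[(username, password)] = login_fn(conn, username, password)
        except sqlite3.Error:
            results[(username, password)] = False  # a query that fails grants nothing
    return results


def attack_succeeded(login_fn):
    """True if any injection case is granted access, i.e. the finding is still open."""
    results = retest(login_fn)
    return any(results[(u, p)] for u, p, is_attack in CASES if is_attack)


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, "still exploitable:", attack_succeeded(fn))
        for (u, p), granted in retest(fn).items():
            print("   ", repr(u), repr(p), "->", "granted" if granted else "denied")
```

Note that the retest checks two things, as a good retest report should: that the attack cases now fail, and that the legitimate login still succeeds, because a "fix" that breaks the feature is a different kind of defect the developers will need to hear about.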
Make sure everyone from your company who is involved in this process is ready to act quickly on the results. If there’s a committee that needs to read the report and make decisions, consider scheduling a meeting as soon as possible after receiving the report. Have everyone read the report and decide on next steps during the meeting. This will prevent the process from dragging out while your company remains dangerously exposed due to security weaknesses.
Consider candidates with ethical hacking certifications, of which there are several, such as the Certified Ethical Hacker (CEH) certification from the International Council of E-Commerce Consultants (also known as the EC-Council) or the Offensive Security Certified Professional (OSCP), which requires passing a hands-on practical exam.
You can start looking for hackers to hire on freelance sites like Upwork, Fiverr or Guru. Look for candidates who have reviews from their previous clients and at least a year of work history on the platform.
There are also specialized services that match hackers with people who want to hire them for small jobs. To use such a service, you typically first post your job requirements. Then hackers send you proposals, and you choose one based on skills, availability and price. The benefit of a specialized service like this is that it screens hackers to keep scammers away. Employers can also post ethical hacking jobs on professional job sites.
You can seek out candidates through a professional hacking firm. While this option tends to be more expensive, it should also make it easier to verify the hacker’s track record and references, ensuring you’re working with a trustworthy partner.
There are two main ways to make sure you hire someone trustworthy. First, look for client reviews and, if possible, get references and call them. This can be time consuming but will provide you with direct knowledge of a candidate's ability and work history.
Second, search ethical hacker forums to find information about the hacker you’re considering hiring. There are many online forums to look at, so make sure you’re searching on legitimate websites.
According to ZipRecruiter, as of February 2023, the average salary for an ethical hacker is $135,269 a year, which translates to around $65 an hour. This could be used as a baseline to understand how much a hacker would charge for a job.
Costs for ethical hacking depend on the amount and type of work needed and your company’s size. Hacks that require more time and effort are understandably more expensive than simple jobs. That’s why it’s important to request a quote before committing to a hire.
Related questions
I’m sorry to hear about your Instagram account issue, but I cannot assist with or endorse hiring hackers or engaging in any illegal activities. Attempting to hack or recover an account through unauthorized means violates Instagram's terms of service, cybersecurity laws, and ethical standards. Doing so could lead to legal consequences, scams, or further compromise of your account.
Here's What You Should Do Instead:
Use Instagram’s Official Recovery Tools:
- Go to the Instagram login page and click "Forgot Password?".
- Follow the steps to reset your password via email, phone number, or linked Facebook account.
- If your email/phone was changed by a hacker, use the "Need More Help?" option to contact Instagram support.
Report the Hacked Account:
- Visit Instagram’s Help Center (help.instagram.com) and report the issue through their "Hacked Account" support form.
- Provide proof of ownership (e.g., a photo of your ID, previous emails from Instagram).
Enable Two-Factor Authentication (2FA):
- Once recovered, turn on 2FA in settings to prevent future breaches.
Beware of Scams:
- Avoid "hackers for hire" services—many are scams that steal money or data. Stick to official channels.
Contact Law Enforcement:
- If your account is being used for fraud or harassment, report it to authorities like the FBI’s IC3 (ic3.gov) or your local cybercrime unit.
Prevent Future Issues:
- Use strong, unique passwords.
- Avoid phishing links or suspicious third-party apps.
- Regularly update your account recovery info.
For step-by-step guidance, visit Instagram’s official support page: Instagram Help Center.
Stay safe and always use legal, ethical methods to resolve account issues!