Advances in technology are accompanied by constantly evolving, increasingly sophisticated attack methods. A hacker is someone who uses their technical knowledge to creatively break into a computer, device or network, regardless of intention. Hacking itself is not illegal unless the hacker compromises a system without the owner's permission, which is why hackers are commonly sorted into good, bad and questionable. Hackers are motivated by many things, including curiosity and challenge, profit, recreation, protest, or simply their job.
The type of hacker most people are familiar with is the 'black hat'. These are malicious, calculating criminals who usually exploit a computer system or network for personal or financial gain. They may seek to steal personal data such as credit card details, user credentials and personal information for blackmail, but may also modify or destroy data. To defend against these attacks, newer and more advanced protection methods need to be implemented, which in turn requires research and the reporting of flaws.
Not only must companies have extensive security measures in place, they may also enlist the help of a 'white hat', or ethical hacker, or at the very least provide a disclosure channel for hobby hackers who find holes in their systems. Unfortunately, many companies do not yet have a channel for disclosing a vulnerability, in which case the finder is often safer keeping quiet. Ethical hackers use their skills for good, performing penetration tests, testing the security controls already in place, and carrying out vulnerability assessments. Their aim is to protect our data by identifying vulnerabilities, reporting them, and getting the flaws fixed before a black hat finds and exploits them. Some of the most critical vulnerabilities in the internet's history have been discovered and resolved thanks to the efforts of ethical hackers fuelled by curiosity and selflessness.
Ethical hackers may work independently, be directly employed by a company or government agency to test its systems or to attack products under development, or work for security companies, which either develop their own tools or are subcontracted by other companies. Platforms such as HackerOne also bring ethical hackers together, and these people may take part in bug bounty programs for profit. An increasing number of companies now offer such programs, inviting hackers to attack a specific product or network in exchange for a substantial reward for any flaws they find and disclose. Apple, for example, is offering rewards of up to $200,000 to hackers who find and report vulnerabilities in its systems. The US Department of Defense (the Pentagon) has likewise invited white hat hackers to find flaws in its systems, fixing over 3000 bugs and paying out over $300k as a result.
Many of the skills required for hacking overlap with those required of a data scientist. Whilst hackers may not have the mathematical and statistical expertise of a data scientist, they tend to have a broad skill set, including excellent programming ability, and use creativity and ingenuity to build things and find clever solutions. In addition to ethical hackers, data scientists are also doing their part to fight the black hat. Data science is being applied to intrusion detection and to virus and malware detection, building a more predictive approach to spotting breaches. Data scientists have also devised automated approaches for analysing activity on underground cybercrime forums.
However, data science and automation also open new avenues of attack. Artificial intelligence and machine learning are just as useful to the attacker, who can use them to decide what to attack, whom to attack, and when. Hackers can also "game the system": once they learn how an automated decision is made, they can craft inputs that manipulate the model and tip the outcome in their favour. A model that predicts the risk or serviceability of a bank loan is one example of such a target.
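The loan-scoring scenario above, as an added worked example (not code from the original article or from any lender): a constructed logistic-regression model with made-up weights, an attacker who knows those weights and edits only the self-reported features to flip the decision, and a defender-side cross-check that catches the edit. The feature names, weights, bounds, applicant figures and the "verified payroll income" used by the check are all assumptions made for the illustration.

```python
import math

# Constructed, illustrative loan-scoring model: a logistic regression over three
# applicant features. Weights and bias are made up for this example and do not
# come from any real lender. Logit >= 0 (score >= 0.5) means "approve".
FEATURES = ("income_k", "debt_ratio", "late_payments")
WEIGHTS = {"income_k": 0.03, "debt_ratio": -4.0, "late_payments": -0.9}
BIAS = -1.0


def logit(applicant):
    """Linear part of the model; the decision boundary is logit == 0."""
    return BIAS + sum(WEIGHTS[f] * applicant[f] for f in FEATURES)


def score(applicant):
    """Model's estimated probability that the loan is serviceable."""
    return 1.0 / (1.0 + math.exp(-logit(applicant)))


def decide(applicant):
    """True means the automated pipeline approves the loan."""
    return score(applicant) >= 0.5


def evade(applicant, controllable, bounds, margin=1e-6):
    """Attacker side: white-box evasion of the linear model above.

    The attacker knows WEIGHTS and BIAS (leaked code, a published model, or
    simple probing) and can only edit the self-reported features listed in
    `controllable`, each kept inside the plausible range given in `bounds`.
    Because the model is linear, the logit shortfall can be closed exactly:
    features are pushed in the direction of their weight, largest achievable
    gain first, until the shortfall is covered. Returns the crafted application,
    or None when the bounds make approval unreachable.
    """
    crafted = dict(applicant)
    shortfall = -logit(crafted) + margin  # logit still needed to cross 0
    if shortfall <= 0:
        return crafted

    def headroom(feature):
        lo, hi = bounds[feature]
        w = WEIGHTS[feature]
        limit = hi if w > 0 else lo  # the bound that helps the attacker
        return w * (limit - crafted[feature])

    for feature in sorted(controllable, key=headroom, reverse=True):
        gain = headroom(feature)
        if gain <= 0:
            continue
        if gain >= shortfall:
            crafted[feature] += shortfall / WEIGHTS[feature]
            return crafted
        lo, hi = bounds[feature]
        crafted[feature] = hi if WEIGHTS[feature] > 0 else lo
        shortfall -= gain
    return None


def flag_for_verification(applicant, verified_income_k, tolerance=0.25):
    """Defender side: the highest-weight self-reported feature is the one an
    attacker will lean on, so cross-check it against an independent source
    (here a constructed payroll figure) and route large gaps to a human."""
    return applicant["income_k"] > verified_income_k * (1.0 + tolerance)


if __name__ == "__main__":
    # Constructed applicant: real income 40k, debt ratio 0.5, two late payments.
    honest = {"income_k": 40.0, "debt_ratio": 0.5, "late_payments": 2.0}
    # Income and debt ratio are self-reported; late payments come from the bureau.
    controllable = ("income_k", "debt_ratio")
    bounds = {"income_k": (0.0, 200.0), "debt_ratio": (0.0, 1.0)}
    crafted = evade(honest, controllable, bounds)
    print("honest :", round(score(honest), 3), decide(honest))
    print("crafted:", {k: round(v, 2) for k, v in crafted.items()}, decide(crafted))
    print("flagged:", flag_for_verification(crafted, verified_income_k=40.0))
```

With these weights the honest applicant is declined, and the attacker needs no change to the bureau-sourced late-payment count: inflating the declared income to roughly 160k is enough to cross the boundary. That is the practical lesson: the features an attacker controls and the features that carry the most weight must not be the same set unless those inputs are independently verified.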
Many breaches over the years have been covered up or played down, with companies not disclosing them to clients until months after they occurred. Sometimes a flaw is withheld until a fix is available, but in many cases a company simply wants to protect its reputation and keep its customers' trust. It is not a question of if a company will suffer a security breach, but when, and businesses must be prepared for it. Before a business can think about defending itself, however, it needs to know what data it holds, identify the most crucial and sensitive data in its systems, and know where that data is stored.
For countries within the EU, the imminent General Data Protection Regulation (GDPR) means that rules on data protection and privacy are tightening, and ethical hackers agree that it is an important step towards companies becoming more secure. GDPR is complex. It requires companies to have a handle on the data they hold and to put measures in place to protect it, covering how data is collected, how compliance is demonstrated, and how access is managed. If a company is not doing all it can to protect its data and a breach occurs through negligence, or if it tries to conceal an incident and fails to report it to the supervisory authority within 72 hours of becoming aware of it, it risks heavy fines (up to 4% of global annual turnover or €20 million, whichever is higher) and lasting damage to its brand.
The fines associated with a breach of GDPR mean that personal data will become both a business's biggest asset and its biggest risk. Hackers will target this data harder than ever, and companies will be more exposed to ransomware and extortion, with attackers using the hefty GDPR fines as leverage. Recovering from a breach costs more, in money and in stress, than preventing it in the first place. GDPR will hopefully make more companies realise the value of the ethical hacker community by inviting ethical hackers to find and report vulnerabilities, as Google, Facebook and PayPal already do. Only by prioritising security does a company give itself the best chance.