Experts Explain the Importance of Ethical Hacking (Part 1 of 2)

This is part one of a two-part cybersecurity series.

When you think of a modern-day hacker, you probably think of a hooded figure maliciously working on a computer in a dark room. What probably doesn't come to mind is a completely different type of hacker — the ethical hacker. Ethical hackers, unlike the stereotypical illegal hackers, are the good guys. Typically, they are legally hired to hack into areas like private data systems to determine the system's weak spots. This weak spot knowledge is used to strengthen the system's security so it can't be illegally hacked.

Dan Desko, currently a senior manager of IT Risk Advisory Services at Schneider Downs, explained that "ethical hacking is a process of finding organizations' security weaknesses before the bad guys do. It is all about offering up a service that comes as close to the tactics of a malicious hacker in order to offer a realistic threat scenario and then learn from it. My team invests heavily in training and stays very in touch with the latest in the industry to make sure we deliver this."

How did a professional like Desko get into ethical hacking in the first place? Desko explained that each step in his career combined with his personal interests was what led him to his current profession as an ethical hacker:

"I started my career working in computer operations in a data center for a large steel manufacturer. That job allowed me to enhance my technical skills at a young age and I really got to understand networking and systems management. It turns out that the skills I learned there translated well into the consulting industry. I have spent a lot of time consulting on IT risk and also IT audit, and during that time I noticed a very large gap in the information security space for value-added hands-on services. In information security, there is often a lot of talk, but not enough action. This led to the building of our ethical hacking team within our organization, which we have had for over two years now."

Although ethical hackers are the good guys, some people may see them in a somewhat negative light due to the hacker stereotype. Desko observed that many people don't know that there are ethical hackers in the world:

"I often tell people about what we do and they often seem surprised that a career like that exists. After explaining what we do a bit more, they always seem to understand. I think the general public should know that there are people out there that do care about the privacy and security of their personal data and work very hard every day in order to protect it."

With the advancement of technology, comes the advancement of a variety of cybercrime like identity theft. Although people should be aware of cybercrimes, Desko added that people should "focus on phishing, ransomware, and poor passwords; or a combination of all those!" In regards to his team, he said: "we typically incorporate phishing into our ethical hacking exercises and we are usually successful at breaching an organization's defenses with a simple phishing exercise."

Desko explained that since "people are so vulnerable to social engineering because it is in our nature to trust and to want to help, phishing often plays on these tendencies and we let up our guard." He added that "it is important to not put blind trust into email and be wary of every single message you receive."

Even though being aware of potential phishing situations is important, Desko said that "good password creation and password management is also very important. We often use tactics that will simply guess passwords on our client's websites. I can recall an organization where we used this tactic and were able to compromise close to 10 percent of their user's authentication credentials just because they had simple passwords in place. This led to a full-scale compromise of their network and many applications with sensitive customer data."

In addition to general phishing and password creation/management, Desko said that people should know more about ransomware threats.

He claimed that "ransomware is at epidemic proportions right now. This threat, which is usually delivered via a phish, will encrypt or lock your data until you pay a ransom. So many organizations are highly vulnerable to ransomware and are also unable to react or recover from it. Having some simple strategies in place as well as practicing these types of scenarios is key to recovering."

The sheer amount of cybercrime is enough to make anyone worry and feel extremely vulnerable. However, you can take action to reduce your risk of becoming a victim of identity theft, a mass data breach, or other cybercrime. Desko advised that you "limit the amount of information you share about yourself online or on forms, to the extent possible. The less data you put out there, the less likely it is to be breached. Also, if you use a password for one website, don't use it elsewhere. We call this password reuse. Password reuse is an easy way to lead to more compromises of other data because if one site gets hacked, they can all be hacked."

Keep in mind that there isn't a way to completely avoid cybercrime, even if you are a professional, ethical hacker. Desko explained that he has been a victim of a major data breach and that he continues to learn from it.

"Like most of America, my personal data was exposed as part of the Equifax data breach. I often do breakdowns of Equifax's breach response and lay out a timeline in presentations. It is an interesting case topic to study as there are many learning opportunities that we can glean from that example. From patching vulnerable systems timely, how and when to communicate with customers, there were many interesting facts in that breakdown."

Not only can ethical hackers like Desko learn from major data breaches like the Equifax breach, but the general public can as well. Whether it's a wide-spread breach that affects millions of people or an individual hacking situation, you can learn to take precautions to avoid becoming a cybercrime victim again. Although ethical hacking isn't the ultimate solution to preventing cybercrime, it has reduced organizational and individual cyber risks. If you are interested in ethical hacking, Desko advises to explore the ins and outs of ethical hacking as soon as you can.

Desko advised, " the information security community, in general, is very much unlike other professional communities. There is a big emphasis on sharing data, tools, and resources for the greater good. If someone is an aspiring infosec superstar, all the tools and guidance necessary to do that is freely available for the most part. So, my recommendation is to dig in and get your hands dirty and it will pay off."

Overall, white hat hacking or ethical hacking is what allows you to input your personal information on a company website without much worry. Even if you aren't pursuing an ethical hacking profession, you should focus on keeping your sensitive data secure by following Desko's advice above and doing security research of your own in order to fight against current cybercrimes.