Tackling Serious Organised Crime
How can a Hacker be Ethical?
This is a question that I am often asked as the Chief Ethical Hacker for SBRC. That, and “What’s ethical about hacking?” Hopefully I can answer these questions, and the work that we do at SBRC will show how important this field is to the resilience of businesses.
With what seems to be increasing regularity, we are seeing more and more press reports of organisations losing data in hacks. For instance, only last month it was revealed that Equifax, the large American consumer credit reporting agency, had been breached and 143 million users had had their data compromised. The data lost included the all-important Social Security Numbers of millions of Americans, along with much other personally identifiable information. Not only is this a huge embarrassment for the company, causing large reputational damage, but they will also likely now face a number of lawsuits as people look to get some compensation from the company. The real damage, however, is faced by the people who have had their data stolen in this hack. The details of the 143 million will likely be sold on the dark web for years to come, allowing criminals to steal identities and credit cards, with many victims not noticing until it is too late.
What needs to be remembered, though, is that it is not only large organisations that are targets of criminals or “black hat” hackers. We are all targets. Although some “black hats” will look to compromise large companies, either for financial gain or just to prove that they can, most will go after any target. Generally speaking, it is much easier to target a smaller business or organisation than it is to go after one of the “big” guys. The reason is that smaller companies cannot afford to spend as much on their defences, or think they are not a target and so do not spend as much time on cyber security.
Often it is said that attack is the best form of defence, and in terms of cyber security this adage rings true. How can an organisation or individual really know how good their cyber defences are without testing them? This is where a “white hat” or Ethical Hacker comes in to help.
An Ethical Hacker’s role is to test the systems of an organisation to find the weak points and vulnerabilities that may be exploited. They then report these findings to the organisation to allow them to fix the issues and help protect themselves. An Ethical Hacker will have the permission of the organisation prior to commencing any work on their behalf. Included in this permission will be a “scope”. The scope outlines the areas of a system that the Ethical Hacker can test and the type of work that they can carry out. The work carried out by the Ethical Hacker will emulate the way in which a black hat hacker will gather information and attack a victim, and it remains confidential between the two parties.
There are many companies out there that can provide these services.
In addition to the testing that the Ethical Hacking team carries out at SBRC we also do our best to raise awareness of the issues around Cyber Security and try to educate people and organisations in the types of things that they can do to help secure themselves and their data. There is no one product or service that will make you 100% secure online, but there are many simple steps that can be taken to help make you safer.
In my opinion, it is vital that we all take steps to secure ourselves online. Not only to protect ourselves but also to protect our customers, suppliers and reputation. The introduction of GDPR (General Data Protection Regulations) will see a focus put on organisations to protect the data of the public. I believe that organisations have a responsibility to protect the information that we trust them with. So, how can it be Ethical to NOT employ the services of a hacker?
The SBRC works closely with Police Scotland and Scottish Government in trying to make Scotland a more resilient and safer place to live and work online. To find out more about the work of The SBRC visit our website www.sbrcentre.co.uk or email the Cyber team firstname.lastname@example.org.