By Carlos Sanchiz (*)
Cybersecurity professionals see some threat actors or third parties as the enemy. However, it is important to challenge this mindset; a company protects itself better against third parties with malicious intentions when it understands how they think and operate. That's why companies around the world use hackers to test their security infrastructure and develop stronger, more robust practices.
Before integrating the 'hacker test' into the security policy, it is important to understand the different types of hackers that exist. Each group has different motivations and it is necessary to know which of its capabilities can be used to benefit the company.
Black Hat Hacker
Black hat hackers are cybercriminals motivated by personal or financial gain. They can be teenage amateurs as well as experienced individuals or teams. However, in recent years, several black hat hackers have redirected their efforts to defend organizations. Kevin Mitnick, known as 'Condor', was only 16 when he accessed a United States Department of Defense computer. After this and countless other attacks, Mitnick was sentenced to five and a half years in prison. But after his release, he created the company Mitnick Security Consulting, which performs intrusion testing for clients.
Working with a black hat hacker is controversial. Some experts, including David Warburton, senior threat evangelist at F5 Networks, believe that hiring former hackers is critical for companies to stay at the forefront of the threat landscape. However, others are concerned about allowing this group to access corporate systems and customer data. The latter should, however, consider other approaches to working with hackers.
White Hat Hacker
Commonly referred to as ethical hackers, white-hat hackers are hired by companies seeking to identify vulnerabilities in security defenses. Despite using the same tactics as black hat hackers, this group has permission from companies to carry out the intrusions. While using their knowledge to find vulnerabilities in defense, they work together with security teams to fix problems before others discover them.
Many of the world's largest companies, including General Motors and Starbucks, use white hat hackers to identify flaws and proactively enhance their security posture. This style of hacking offers an interesting and profitable path for these people, who have high technical skills. Attaching importance to the role of white hat hackers is an incentive for these talented individuals to pursue a positive path rather than becoming malicious hackers.
There are many programs underway to find, encourage and support the next generation of white hat hackers. An example, supported by AWS, is the r00tz Asylum, a conference dedicated to teaching young people to become white hats. Participants learn how hackers work and how cybersecurity professionals can defend themselves. The aim is to encourage individuals with high technical knowledge to use it for the benefit of their professional career. By providing these aspiring cybersecurity professionals with knowledge and capabilities, it is possible to build security into the infrastructure from the beginning. AWS's support for r00tz is an opportunity to give back to future generations by placing young people interested in security in a safe learning environment with access to mentors.
Build solid foundations
For those responsible for customer trust and data protection, an end-to-end security approach is essential. Working with ethical hackers is a powerful way to view a security posture from a cybercriminal's perspective, identifying and addressing vulnerabilities. However, it is also important to remember that security needs to be built into the entire infrastructure of the organization. This is where partnering with a cloud platform can be beneficial, as the most advanced are designed to meet the needs of the most risk-sensitive companies. Cloud platforms also offer automated security services, which can proactively manage security assessments, threat detection and policy management. In doing so, these platforms take on much of the heavy lifting from security professionals, including ethical hackers.
(*) Manager, Solution Architect, Amazon Web Services Iberia