What color hat is the hacker that just penetrated your organization without your permission wearing? Gray? Black? White?
Hacking is often perceived as a dichotomous matter, with two distinct sides: either you are a malicious hacker who intrudes into systems for personal gain, or you are an ethical hacker who tests security for the greater good. However, what if you are a cybersecurity expert who hacks into a client’s network without their consent? Does that still qualify as ethical hacking, or does it cross a boundary? According to South African law, ethical hacking necessitates authorization from the target. “There is no middle ground; you are either an ethical hacker or not,” asserts Stephen Osler, Co-Founder and Business Development Director at Nclose.
Osler elucidates, “It is not viable to have a white-hat individual infiltrate a company without notifying them of an imminent attack. This blurs the line and ventures into the realm of black and grey-hat activities, where hackers discover and report network vulnerabilities without permission. Typically, this type of hacking endeavor culminates in hackers demanding payment to resolve or disclose the issue.”
White-hat hacking endeavors to identify and address weaknesses and problems within a customer’s system, enabling both the cybersecurity experts and the organization to fortify their security and detect vulnerabilities. Skilled hackers employ techniques such as phishing, social engineering, security scanning, and penetration testing to identify the weakest links in an organization’s security framework. This approach ensures that a company’s systems are robust and secure, and safeguard against costly mistakes perpetrated by black-hat hackers.
“This is an entirely distinct approach that ensures comprehensive security across a customer’s platform and business,” Osler affirms. “When a group of hackers suddenly goes rogue and attempts to breach a company’s system without consent, they are attacking the company and venturing straight into the realm of cybercriminals.”
Osler continues, “There exists an approach wherein a red team of attackers and a blue team of defenders are employed, with the red team attempting to breach the company’s defenses. Some cybersecurity experts argue that informing the blue team about the attack defeats the purpose, as they believe that the true value lies in testing their ability to promptly detect a cyber incident. Testing efficiency is undermined if people are forewarned. However, we believe that the optimal approach is to merge the two teams, creating a method known as purple teaming.”
This collaborative approach combines the expertise of both teams, facilitating mutual learning and the development of robust security skills that benefit both the organization and the cybersecurity service provider. The blue team defends the network and challenges the red team to intensify their efforts to breach it, while the red team explores new methods to overcome the blue team’s defenses. With this cooperative approach, everyone benefits, and unauthorized hacking is avoided.
Osler concludes, “This is a far more effective method of maintaining skills, evaluating defenses, and bolstering a company’s security compared to hacking without permission. Unauthorized hacking not only damages trust, leaving the company feeling violated rather than supported, but it also raises concerns regarding ethics, access to private company information, regulations, and the law, which are too crucial to disregard. It is preferable to adopt a collaborative approach that benefits all parties involved while keeping the hacking hats as white as possible.”
By Stephen Osler, Co-Founder and Business Development Director at Nclose.
