Contributed by Edwin Doyle, Global Security Strategist, Check Point Software.
The word “hacker” has long held the negative connotation of theft, but it is often glamorized by Hollywood as the underdog fighting an evil empire. Whenever you hear about hackers in the news, it is normally in connection with a breach that resulted in the loss of personal data or money. But what about ethical hackers, or white hat hackers, who help companies find vulnerabilities and safeguard against malicious actors? They investigate system components such as websites, firewalls, and network communications, but rarely receive the limelight of the press.
Using the appeal of Hollywood’s glamorous hacker profile, but focused on the ethical, law-abiding role of the white hat hacker, could corporations use ethical hacking awareness, in partnership with cyber conferences, cyber awareness training and blogs such as this one, to increase employee vigilance against social engineering attacks?
The onset of cyber attacks
The need for ethical hacking is obvious in most industries because of the high level of interconnectivity we have today. If not managed properly, the design of the infrastructure itself may provide many points of entry for threat actors. And, unfortunately, data breaches have grown consistently in the past few years. In 2019, there were over 1,500 data breaches in the U.S., compared to about 500 in 2009. One of the biggest data leaks had Yahoo as the target, compromising 3 billion accounts.
Ethical hacker education
Ethical hacker education covers a variety of topics, including, but not limited to:
- Wireless network and mobile platform vulnerabilities
- Malware and denial of service attacks
- Security evasion tactics
The Certified Ethical Hacker (CEH) certification covers these subjects. CEH holders perform a variety of functions within an organization, including:
- Information Security Analyst
- IT Auditor
- Risk Analyst
- System/Network Admin
Ethical hacking simulations
Besides the theory, practical work in the form of hacking simulations is an important part of employee education. These simulations are also an attractive way of spreading the word about white hat hacking. Consequently, you can find hacking booths at many cyber conferences. Some of these simulations cover common or topical subjects, such as voter fraud, while others involve active battles, where one team tries to hack a test system while the other tries to defend it.
One of the main focus areas of ethical hacking is SCADA (supervisory control and data acquisition) systems. These systems serve as the backbone of critical infrastructure (CI), providing automated control and monitoring capabilities. Modern SCADA systems are no longer isolated networks; they are geographically distributed systems with sophisticated interconnections and interactions. The critical infrastructures that depend on SCADA systems, including power suppliers, railways and water suppliers, typically span many miles of infrastructure, indeed entire nations and the world!
Two types of problem arise with geographical distribution. First, the network connecting the components of the system brings its own vulnerabilities. Second, older SCADA systems were built without Internet security in mind and therefore lack authentication mechanisms for the secure transmission of data over IP.
Considering their importance, SCADA systems are the subject of many hacking simulations at cybersecurity conferences. A mock SCADA system is set up using virtualization software. One team tries to compromise the SCADA network, using open-source tools and custom code, while the other defends it.
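As an added illustration, not part of the original article, of what "lacking an authentication mechanism for the transmission of data" means for a defender: a constructed, hypothetical command frame format (2-byte device address, 1-byte function code, 2-byte value) with a legacy-style receiver that accepts any well-formed frame, beside a hardened receiver that only accepts frames carrying a valid HMAC-SHA256 tag under a pre-shared key. The frame layout, field names and key are assumptions made for this example and do not describe any real SCADA protocol.

```python
import hmac
import hashlib
import struct

# Hypothetical frame layout (assumption for the example): address, function code, value.
LEGACY_FRAME = struct.Struct(">HBH")

# Constructed demo key; a real deployment would provision a distinct key per device.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 16  # truncated HMAC-SHA256 tag (128 bits) appended to the payload


def build_legacy_frame(addr, func, value):
    """Legacy sender: the payload is the whole frame, nothing proves who sent it."""
    return LEGACY_FRAME.pack(addr, func, value)


def parse_legacy_frame(frame):
    """Legacy receiver: accepts any well-formed frame, regardless of origin."""
    if len(frame) != LEGACY_FRAME.size:
        return None
    addr, func, value = LEGACY_FRAME.unpack(frame)
    return {"addr": addr, "func": func, "value": value, "authenticated": False}


def build_authenticated_frame(addr, func, value, key=SHARED_KEY):
    """Hardened sender: payload followed by an HMAC tag computed under the shared key."""
    payload = LEGACY_FRAME.pack(addr, func, value)
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return payload + tag


def parse_authenticated_frame(frame, key=SHARED_KEY):
    """Hardened receiver: rejects frames whose tag does not verify (wrong key or tampering)."""
    if len(frame) != LEGACY_FRAME.size + TAG_LEN:
        return None
    payload, tag = frame[:LEGACY_FRAME.size], frame[LEGACY_FRAME.size:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    # Constant-time comparison so the check does not leak how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    addr, func, value = LEGACY_FRAME.unpack(payload)
    return {"addr": addr, "func": func, "value": value, "authenticated": True}


def demo():
    """Compare how the two receivers treat frames from a sender that does not hold the key."""
    # Without the key, anyone can still produce a perfectly well-formed legacy frame...
    forged_legacy = build_legacy_frame(7, 6, 1200)
    # ...but can only produce an authenticated-format frame under a key the receiver does not share.
    forged_auth = build_authenticated_frame(7, 6, 1200, key=b"constructed-wrong-key")
    genuine = build_authenticated_frame(7, 6, 1200)
    return {
        "legacy_accepts_forged": parse_legacy_frame(forged_legacy) is not None,
        "hardened_accepts_forged": parse_authenticated_frame(forged_auth) is not None,
        "hardened_accepts_genuine": parse_authenticated_frame(genuine) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The tag binds the frame to the key holder, which is the property the legacy format lacks; it does not by itself stop a captured genuine frame from being re-sent later, so a deployed design would also include a sequence number or timestamp inside the authenticated payload.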
In the New Year, cyber security conferences will begin again (hopefully in person). Most leading cyber vendors provide ethical hacking education at these conferences. Besides training security experts in penetration testing, these conferences also gamify hacking simulations and could be a great way to introduce cyber awareness to the general workforce of your corporation, and potentially even to recruit talent into the CISO's department from other parts of the organization.
Hacking simulations help employees stay up to date with the latest threats and trends relevant to their industry. These simulations should therefore be part of employee education during onboarding as well as of continued cybersecurity awareness training. You may even find these events are free to your organization, so take advantage of them today and encourage your people to take on the persona of a Hollywood cyber hacker, but with ethical intent!