DataEthics4All Ethics 1stᵀᴹ Live Talks: Ethical Hacking & What it Means

“That name is very misleading – ‘ethical hacking’, there is nothing ethical about it.”

~ Susanna Raj

“$27 billion in cyber-security costs were saved in investigation, remedy action and recovery incident investigation and recovery during the course of the pandemic.”

~ Shilpi Agarwal

Talk Summary

DataEthics4All brings this series of weekly Ethics 1stᵀᴹ Live Talks for leaders with an Ethics 1stᵀᴹ mindset, leaders who put people above profits. Come and join us for this lively and informative weekly discussion and food for thought on how to create an Ethics 1stᵀᴹ world: people, cultures, and solutions. On 2nd December we discussed what ethical hacking is, whether it is legal, and how tech companies can take advantage of it.


Talk Transcript

0:43 Shilpi: Welcome back to yet another episode of Ethics 1st Live, where we bring food for thought for ethics 1st minded leaders who put people above profits. I’m your host, Shilpi Agarwal, founder and CEO of DataEthics4All Foundation, and I will be joined by some of my leadership council members – Susanna Raj and Samantha Wigglesworth.

6:37 Shilpi:  Let’s continue on with the topic, which is ethical hacking.

6:40 Shilpi:  So, what exactly is ethical hacking? What does it mean to you? I’ll do a follow up question about whether or not ethical hacking is even legal. We’ll start with you, Sam, today.

6:56 Samantha Wigglesworth:  Okay great, thank you.

7:00 Sam:  I think that when I first think of the words ‘ethical hacking’, it’s an individual, someone who has experience of working with computer systems and is quite talented with the programming, they’re quite knowledgeable. They’re the ones that are given the keys to access systems, and companies have permission to go and test out software, the programming languages for software, I think they might be computer systems as well. 

7:31 Sam:  So they’re the ones that go in and try to find vulnerabilities and holes in the system. They’ve got a lot of knowledge and the tools and experience to do that, and they’re given that permission. 

7:46 Shilpi:  Yeah, they’re given the official role to find vulnerabilities in the system.

7:51 Susanna Raj:  Yeah it is exactly that, they hire outsiders, primarily, you have to hire outsiders, it cannot be somebody who works within the company, and they cannot be given a role within the company. So you have to hire somebody from outside who doesn’t know the inner workings of your company or how the programme was coded. Basically, they come from outside and try to hack your system from outside. 

8:25 Susanna:  It is called ethical hacking because other hacking comes from somebody who comes and tries to hack their way in and access information. This is a company that knows that they’re going to be hacked, but they don’t know when or how or where they will be hacked, but they know that they have hired someone to hack the system. 

8:46 Susanna:  That is why the name ‘Ethical Hacking’ actually came into being, it’s something that is done with permission. 

8:56 Shilpi:  Yeah, I like this important distinction that you brought to the table.

9:15 Shilpi: So it’s important to understand that when we are part of the security system, or the security team inside the company, within the company, we know all the passwords, we know everything, we know what we have built. And so, stress testing will always be done around it. For software testing, for example, if we know everything about how we built it – that’s why the QA team is different from the development team, because that’s how they will be able to find those vulnerabilities. In the same way, whenever there is an international conflict, or there are terrorist organisations, they find cyber criminals to breach security systems, and they pay them to compromise national security or to extort huge amounts of money by injecting malware and denying access.

10:11 Shilpi:  That has led to the steady rise of cybercrime that leads to devastating results and scenarios, privacy leaks, as well as international government leaks. So that’s why this domain has become popular, and it is very upcoming now. 

10:33 Shilpi:  Companies themselves hire consultants, hire teams outside their company to bring them on board. 

10:41 Shilpi:  So they say, to catch a criminal, you have to think like a criminal, and when we wear a white hat, we seldom are able to think outside the box, we don’t have the tools to think like a criminal. Not that ethical hackers are criminals, but they are trained to be thinking like hackers who can damage our systems, and they have been trained to be able to think like that and to tell us the gaps in our security system. So it’s very interesting. 

11:16 Shilpi:  So you know how hacking has a very standard stereotype. Basically, it’s a person in a hood, sitting in the basement trying to hack a system. Whenever I think of hacking that picture comes to mind, right? Somebody in a hood sitting there, the dark web, with this black laptop, or what have you, and they are doing this illegal kind of activity. So has Ethical Hacking evolved in a way that has broken this stereotype? What do you think?

11:57 Sam: I think a little, yeah. I think the fact that we as organizations now invest heavily in hiring, like Susanna said, external support and hackers that are professional in their approach, we can see that we’ve moved away from that traditional image, I think, yeah, definitely.

12:16 Sam:  I think there are a number of certified programmes that you can now be a part of and apply to pass and do the tests for, and I think that’s kind of elevated the profession, it’s a global certificate as well. Yeah, whether it’s with another professional role, whether it’s education, teaching, being a professional, medical professional, you have to redo exams in certain areas, or re-submit your tests in certain topics and pay again and renew your path, your certification. 

12:57 Sam:  That’s the kind of thing that you can do now, and I think that’s really helpful. So I think that helps, having that certification. I know that the council, the EC Council, does that as well. So that helps, and it supports bringing it out of the kind of traditional stereotypes that we’ve heard.

13:18 Shilpi:  Yeah, so I want to back you up on that ‘Certified Ethical Hacker’ thing that you mentioned from the EC Council. They have this credential programme, anybody can learn to become a Certified Ethical Hacker, and it is ANSI 17 or 24 compliant, it is also listed as a baseline certification in the US Department of Defence directive and is NSCS certified training. So it’s an upcoming field. 

13:52 Shilpi:  There are professionals who are actually getting into this and choosing ethical hacking as a professional career these days.

14:04 Shilpi: I mean, it’s very interesting from where we started, and how hacking came to be and where it is today. So, how is ethical hacking helping the CISOs today, Susanna? The chief information security officers.

14:24 Susanna:  I think in many ways it could be helping them because in order to find out the vulnerabilities inside your company, and to hear of them before they cause damage, it’s a wonderful thing. I do believe Ethical Hacking should have some standards, and it’s great that they are bringing up those standards, yes. But to go back to the last question about the stereotype, that they will be somebody in a basement, it has moved away from that.

14:59 Susanna:  There is a vulnerability within ethical hacking itself that is not being talked about very widely. It has a lot of disadvantages, the same advantage that it has – the outsider, is the main biggest disadvantage to the company. 

15:17 Susanna: It is a major loophole because an outsider is always an outsider. They don’t have the legal liabilities, the loyalty, or the integrity that the NDA and all those compliance regulations, all those things that you sign up for, you know, the 2200 pages that you sign when somebody hires you, and you never bother to read all of them, you know, protect the company, and the company’s information, not only the company’s information, it’s our private data as well.

15:48 Susanna:  So a bank hires an ethical hacker, the bank is, as we know, more reliable for the security of my data, but an ethical hacker doesn’t have the same liability. Even though we have standards now, it doesn’t solve that problem at all, it’s still a vulnerability. 

16:24 Susanna:  That name is very misleading – ‘ethical hacking’, there is nothing ethical about it.

16:31 Susanna: You hire an outsider, you ask them to log into your system, they find 1000s of loopholes, they’re supposed to keep documentation of how many ports of entry they tried to enter and the hackers have to close all their loopholes so there are no entry ports, but that the system, see no one security system, one, cache them and backed. So all of those things they have to disclose and tell you about them, and maybe a hacker who was ethical by nature would actually tell you that, but there is no legal obligation for them to tell you everything.

17:08 Susanna:  There is no legal obligation for them – they could just grab like 50 names, IDs and social security numbers out of the 50 billion that your company holds. They can do it, they can take it and they can use them, and one of those 50 could be me or you, and this is a major legal liability now.

17:30 Susanna:  There are court cases, and corporations are fighting with ethical hackers, and ethical hackers are being sued at many different levels. So it doesn’t look as rosy as you guys put it to me.

17:46 Shilpi:  That brings up an important point, Susanna, and I want the crux of our talks to be the ethics first mindset. So it doesn’t matter what contract you have signed, ethics first mindset is something that we all need to strive for, and that’s what we are trying to do. We are trying to celebrate the ethics first leaders of today and raise the next generation of ethics first leaders of tomorrow, because at the end of the day, just like you mentioned, you can hire an ethical hacker – their job is to find the vulnerabilities, they have a contract in place, but if they don’t have an ethics first mindset, then they can misuse that information to their advantage. How do we stop that? That can only happen on a personal level, when people genuinely feel like they are responsible to society, and they need to do the right thing. The strong moral foundation needs to be there, and especially in this role more so than other roles, to be able to make sure that it’s done right.

18:56 Susanna: Definitely, I mean, everywhere, you have to have an ethics first mindset. You could sign millions of NDAs, but it still comes down to what you feel in your heart and how you have grown up and with what value systems; that is more true, that is going to be stronger than an NDA, because nobody reads an NDA. So there is no point in writing a strong NDA, it only matters how much we are building that relationship of trust and integrity into our citizens and our youth and leaders. But still, that being said, that does not get them off the hook, they should still come up with regulations for ethical hacking, especially during the pandemic.

19:40 Susanna:  As Sam mentioned, and I think we also had an internal document of research that I saw, there has been an increase in the need for Ethical Hacking during the pandemic because all of us moved to remote work. So during this time, when there is an increase, the market is wide open to a lot of people, and when there is a need and a demand, you don’t go through the same vetting process that you would in a normal circumstance – you just let in more people. So we all have been exposed to a lot of vulnerabilities that we are not even aware of now in the last two years. So it does not dissolve anyone from not having the responsibility to go after regulations.

20:31 Shilpi: Even if you read an NDA, at the end of the day, if you want to do something wrong, there can be legal battles, you can have the fights, but the damage will be done, our customer data can be misused, it can be sold on the dark web, and once these things are done, yes, you can keep beating the snake, but the snake has gone, right? So it’s no longer going to be there. So yes, all these fines and the ethics first mindset, being a good, morally responsible person, at the crux of it is the most important thing.

21:09 Shilpi:  But on the other side, which is a little bit rosier, also background [?] that has built a whole business of crowdsourcing ethical hackers on a platform, they provide training and they come up with reports.

21:26 Shilpi:  They said that they estimated that $27 billion in cybersecurity costs were saved in investigation, remedy action and recovery incident investigation and recovery during the course of the pandemic. 

21:34 Shilpi: And that’s how the CISOs were helped for big organizations, the CISOs and the CXOs, they were helped because of ethical hacking, that’s their report. So if $27 billion can be saved, and losses can be mitigated, then I think there is some truth to that story.

22:07 Shilpi: Yeah, I think it’s a good point, I think we’ve got to think about these organizations and just how much work goes on in the background. Really what you’re doing is you’re trying to protect – imagine you have your own organization, your own software, your own IP, you have to think about that, you have to think about – if that gets lost, what impact will that have on your operations and profitability? So that’s always going to be in the back of their mind, right? Of the CXO and CISO.

22:45 Shilpi: Yeah, it’s my neck on the line, right? Yeah, we have had this discussion before – even the CXOs, nowadays, if there is a breach, all they have to do is inform, so what they’ll do is send out an email saying ‘We have had the security breach’ and they don’t even confirm that your data was stolen. It’s like, yes, there was a breach, and this many records were affected, and we don’t even know if your record was one of them, but it’s our duty to inform you.

23:19 Shilpi: So there’s this blanket, and we should have some regulation on that, so some tighter measures need to be there, in governance it needs to be there in terms of laws. Just this blanket statement, and acknowledging that something has gone wrong, is not enough.

23:43 Shilpi:  Especially with the data of minors – they won’t even know that something has gone wrong until they become adults and they want to get into college, get a credit card, buy a new house, buy a new car, whatever that first buy is, their first car or their first house or whatever that may be – until that point they won’t even know.

24:05 Shilpi:  That identity for 10, 15, 20 years has been misused, and who knows what’s on it now. So those are the kinds of things that we need to think about a lot more when it comes to ethical hacking, or when it comes to cybersecurity. 

24:25 Shilpi:  Susanna touched upon this but there is this bigger topic about how the pandemic has affected this industry, the ethical hacking industry. What do you guys think? Has it exploded? Increased? Are there more ethical hackers in place? If so, why?

24:25 Sam:  I’m actually quite surprised at the numbers because, again, I was doing some reading of a couple reports, and I thought, well let me see just how much things have changed during COVID. And there has been quite a significant increase in the number of vulnerabilities that were found.

25:14 Sam: I would have expected there to be a correlation between always working from home remotely, and the number of vulnerabilities that were spotted by ethical hackers, and there has been. I think they said something like 80% more vulnerabilities are found that they’ve not seen even before the pandemic.

25:30 Sam:  We’re working with our data a lot more at home, and obviously conversing online a lot more, and we’re not in the office, and it’s a completely different aspect isn’t it. It’s obviously a great industry to get into if you want to practice your craft and become a really successful ethical hacker, it’s a good time to practice. 

26:05 Shilpi: Because of all these remote workforces, right? We’ve been confined to working from home, so all this stress testing that did not need to happen also has to happen now – even if you have been given a computer, or a laptop, or a device from work, still your internet connection, your setup of Wi-Fi systems and all of that, how secure your system is internally, and how you’re connected to the office network, all of that plays an important role. From all parts of the world, people were stuck, and those who could be physically in one location are now not. So yes, all of this has impacted the rise and increase in cybersecurity crime. And the increase in crime has led to the increase in the ethical hacking industry, where companies are feeling more and more vulnerable, and they want to make sure that they are protected before a bad element gets into their system.

27:20 Susanna: Yeah, this was somewhere in an article I read, that this was one of the largest stress tests on the internet, and the internet didn’t fail, but it revealed to us a lot of the vulnerabilities within that bandwidth itself, especially for online banking. Medical doctors and medical institutions around the world had to scramble at the last minute to move to remote interactions and interactive ways of seeing patients that were secure enough, because they couldn’t use Zoom so they had to come up with their own apps. Those apps had to be developed overnight. You could be having a conversation with your doctor and they want to see something and you’re showing them – and imagine if that gets attacked or hacked and your video gets out on the web. Yeah, there was so much going on, and that’s why the need for hackers really shot up. But it’s a difficult time period we’re living in and so there are things that happened that we cannot even predict.

28:50 Shilpi: This definitely is an important stream, and some ethical hackers have claimed to do this full time, or to do this part time; some of them say that anymore it pays them more than any other job in the industry, and they can always work at home. Obviously, they have to put their ethics at the heart of it, but it is a viable career path these days.

29:19 Shilpi:  So what are some of the skill sets according to you that are necessary? If I want to become an ethical hacker today, what are the skill sets I should look for to acquire?

29:29 Sam:  I think for a graduate or young trainee to go into the market now they need to have a range of coding skills as fundamental understanding. So, they’ll have to have some JavaScript and Python, some C sharp, maybe, and also SQL because each of those programming skills will then allow you to test those vulnerabilities in their software code. 

29:55 Sam: Yeah, I think fundamental computing skills you need to know, and networking, and you need to know how to build a computer in the hardware and software components, I think all those are really important in my view. So your hardware knowledge, definitely. And obviously networking, internal networking, and obviously wider area networks, things like that. And you’ve got to be persistent and be a problem solver.

30:29 Susanna:  Yes, you definitely need technical skills, but I could give you an example of how you could become an ethical hacker and have zero technical skills – somebody found out that the router password on a satellite was set to the default, and that required no technical skills at all. All the router passwords have a default password, and somebody on a satellite didn’t even bother to change it, so that’s all; somebody found that out and they just informed them.

31:12 Susanna: So you don’t really need a high technical skill, but you need to pay attention to details, and that’s why you need that outsider perspective, because no matter how many times, it might be 10,000 times, that you read an article you wrote, after you publish it you see, right there glaring in front of you, 10 stupid mistakes that you didn’t even see, because we don’t have the ability to see it unless someone reads it for us.

31:48 Shilpi: So this is very interesting, and I read somewhere that not only does the ethical hacking community consist of really young people, from 25 to 35, but it is also very ethnically diverse.

32:06 Shilpi:  One of the powers includes communication, attention to detail and curiosity besides the technical skills, and they have to be digitally native, and that is basically what people between 25-35 are. They are ethnically diverse, they are digitally native and they are establishing their career at this time where the market is mostly insecure, so they have a great chance at succeeding at this.

32:40 Shilpi:  It’s also great for people with neurodiversity who have ADHD, or autism, because they already have attributes like memory skills, and they have heightened perception and attention to detail which means they would be great at this if it was something they wanted to pick up as a career.

33:07 Shilpi:  It’s a fast-paced environment that rewards creativity and difference in thinking and this could be a career path for them.

33:22 Shilpi:  So, has our conversation changed your perspective on ethical hacking and ethical hackers?

33:32 Sam:  I think so, for me definitely it’s been a really good discussion looking at just how much has changed this past couple of years and from a company’s perspective why it is so important. But also from what you and Susanna said, that it’s actually important that we have someone from the outside detecting those vulnerabilities, that’s something I’ve definitely learned from this evening.

33:56 Shilpi:  Yeah, definitely. How about you Susanna, did we help change your first impression?

34:04 Susanna: Yeah definitely, especially the neurodiverse population, they don’t crave external attention that much so they really need a task they can focus on and they give focused attention to detail, because details are something that we may get bored with but they don’t, they find it very interesting and stimulating, and they don’t do very well with external people who are talking and chatting and all of those things.

34:37 Susanna:  So that helps them focus on this type of task and since it pays well, that’s a good idea.

34:42 Shilpi: Awesome, yeah, I learned a lot as well. Coming up with this topic, I did some research and this helped me learn and understand and change my perspective too. Even though I knew ethical hacking existed I didn’t know much about it, or that it has become mainstream. There are certifications now available for it, there are crowdsourcing platforms available for it.

35:09 Shilpi: Of course, we talked about the ethics bounty system last week, which was parallel to this conversation, which means that once you hire ethical hackers, whether inside the company or outside the company, then you give a reward as a bounty to people who are able to find those vulnerabilities for you, so it helps them and it helps you.

35:34 Shilpi: Yeah, so ethical hacking, and ethics bounty systems, these are all great conversations, and with so much technology and its problems, if we are going to think about ways to solve these challenges in really creative ways, I think that we’re going in the right direction.

Speakers: Shilpi Agarwal (Founder, DataEthics4All; AI DIET World speaker), Susanna Raj (AI DIET World 2021 speaker), Sam Wigglesworth (AI DIET World 2021 speaker)

Leadership Team, DataEthics4All

Join us in this weekly discussion of Ethics 1stᵀᴹ Live and let’s build a better AI world together! If you’d like to be a guest on the show, sponsor the show, or for media inquiries, please email us at 

Come, Let’s Build a Better AI World Together!