What can go wrong when hiring a Hacker? Before delving into all the things that could go wrong with hiring a Hacker, it is only rational to look at all the good reasons why you would want to hire a Hacker in the first place.
What is Hacking? Hacking is the act of systematically penetrating a computer system, with or without the owner's permission. This type of hacking helps find weaknesses and security vulnerabilities that an unauthorized hacker like us could exploit. 🙂
Why should you consider hiring a Hacker?
There are obviously strong reasons as to why you should consider hiring a Hacker in the first place. Hackers can perform a variety of roles based on the kind of business you operate in.
Well versed with network security vulnerabilities
We know a lot about network security. This puts us in a unique position to pinpoint any weaknesses that could be exploited.
We have real world experience
As much as you may have IT professionals monitoring your network security, these people are usually working from a theoretical point of view. Furthermore, they are only thinking about defence, which means their vantage point is a little limited. We Hackers are used to thinking offensively and anticipating. We have real life experience as to what kind of security measures work and which ones can be easily manoeuvred around. This kind of insight is invaluable when it comes to finding loopholes.
What could go wrong?
They could be vulnerable to attacks themselves
One thing you need to understand about hacking is that every good hacker has to stay up to date with all the current skills and coding weaknesses out there. What this means is that even if the hacker you hire is a White Hat hacker, they still need to have some kind of association with the Black or Grey Hats. This is the only way they would know what kinds of vulnerabilities exist.
Yes, they obviously invent many different personas to blend into the various chat rooms, but who is to say that these personas are completely secure? Who is to say that in their quest to completely secure your network by asking questions on hacker forums they wouldn’t be opening doors to Black Hats, albeit unknowingly?
They could leave loopholes for themselves
A hacker knows exactly how to infiltrate a system without being detected. They can do this even when you are on the defensive and looking. Now imagine what they could do when you are not looking. Giving an ethical hacker full access to your network security could potentially open you up to attacks by the very person you hired to help keep other hackers out.
They could prove to be a loose end when it comes to corporate espionage
Hackers are generally very smart people, but they are still human. This means that they are vulnerable to their particular vices just like every other human being. Therefore, should they be drawn into corporate espionage by one of your competitors for one reason or another, the kind of access they will have handed over to that competitor will be devastating to your business. They could easily access your company’s financial records and data and use any trade secrets to gain an edge in the market. Worse yet, they could be working for your competitors while pretending to beef up your company’s system security. There is a vast range of things that could go wrong should you hire the wrong person.
They could paralyze your system to prove a point
Most hackers have a good reason for doing what they do. In many cases, they go in, get what they are after and get out. Sometimes they leave you a message that shows they were there and sometimes they don’t. The point is, in many cases, your system will still be standing after they have left. In this case, all you have to do is patch up the hole and try to keep future hackers out.
However, should you hire a hacker who has a point to prove, who is to say that they would not use their knowledge of your system to bring it down just to prove a point or show their value? Bear in mind that they would not have had this knowledge had they been attacking from the outside.
Hiring a Hacker sounds like an easy and straightforward process, but it masks a great deal that requires careful thought. Yes, there are very good reasons why you should hire a Hacker, particularly if you know why you’re hiring an outsider to hack your systems or if you need to beef up your network security. But there are just as many reasons why it might not be a good idea. It is also a good idea to help train your existing employees with IT Security certifications and be on the safe side of things. It all comes down to how much risk you are willing to take.
The U.S. Army ventured into unfamiliar territory last week on the first day of its “Hack the Army” bug bounty program, which challenges dozens of invited hackers to infiltrate its computer networks and find vulnerabilities in select, public-facing Army websites.
“We’re not agile enough to keep up with a number of things that are happening in the tech world and in other places outside the Department of Defense,” explained Army Secretary Eric Fanning in announcing the plan in mid-November. “We’re looking for new ways of doing business,” which includes a break from the past when government avoided working with the hacker community.
Like the Army, enterprises are also realizing that the term hacker is not synonymous with criminal, and that hiring hackers may be the only way to keep up with the real bad guys.
Some 59 percent of executives surveyed by Radware and Merrill Research have either hired or would hire an ex-hacker as a way to inject cybersecurity talent into their workforce. More than a quarter of organizations have been using ex-hackers for more than two years, according to the survey, including so-called white hats or ethical hackers, gray hats – those who skirt the law or ethical standards but not for malicious purposes — and black hats who operate with malicious intent.
Postings for ethical hacker jobs on the tech career website Dice.com have jumped from 100 jobs in 2013 to over 800 jobs today. “While that’s still a small number considering there are more than 80,000 tech jobs posted on Dice on any given day, it’s clear demand for these professionals is growing rapidly,” says Bob Melk, Dice president.
“Hackers are exceptionally skilled in finding the little tiny things that other people forget – those vulnerabilities you don’t know yet, things you thought you fixed but not entirely properly,” says Alex Rice, CTO and co-founder of HackerOne, a bug bounty platform with 70,000 hackers in its community. “Every organization out there has something they’ve missed.”
Organizations are willing to assume the risks in exchange for access to the unique mindset and skillset of a hacker.
“We’ve seen it on the vendor side for years, and now we’re starting to see it on the user side, as well,” says Jon Oltsik, senior principal analyst and the founder of cybersecurity service at Enterprise Strategy Group. “Someone who hacks for fun or who hacked as a researcher — those people certainly could be great hires. They make good hunters and forensic investigators. They may not have the certifications, but they have the skills.”
But hiring someone who’s had a run-in with the law for hacking has its risks, and companies must weigh those risks against their objectives. “Should you hire felons or criminals regardless of their background? That depends. In some cases, it might make sense” based on their individual risk assessment, Rice says.
Many famous black hat hackers have gone on to successful, legitimate careers. In 2008, then 18-year-old Owen Walker was charged as a ringleader of an international hacking group that caused more than $20 million in damages. He went on to work in the security division at telecommunications company Telstra. Jeff Moss, founder of Black Hat and DEF CON computer hacking conferences, ran an underground network of hackers ranging from the curious to the criminal. In 2009, he joined the U.S. Homeland Security Advisory Council, and in 2011 was named CSO for ICANN, the agency that oversees domain names. Kevin Mitnick is now Chief Hacking Officer at security awareness training site KnowBe4. He was once on the FBI’s Most Wanted list for hacking into 40 major corporations.
Shades of gray
The vast majority of hackers are not felons or criminals, Rice says. “They fully intend to leverage their skills for good. These people could choose to be criminals if they want to be, but they decided not to — the same goes for any other type of profession.”
But between the white hats and black hats, how can companies vet all the shades of gray hackers in between? “One man’s hacker is another man’s security researcher,” says Stu Sjouwerman, founder and CEO of KnowBe4. “Just as one man’s freedom fighter is another man’s terrorist.”
On the vendor side, companies usually hire ethical hackers, Oltsik says. “Maybe they’ve skirted with the law, but usually it’s not someone who’s got a long rap sheet or has been convicted of a crime.”
KnowBe4 employs four white- and gray-hat security researchers. Occasionally, the firm has skirted the law in its efforts to stop attacks – most recently a CEO fraud attack on Sjouwerman himself.
Someone impersonating Sjouwerman sent an email to his comptroller requesting a wire transfer of $40,000. Recognizing the scam immediately, his team went to work to identify the thief and turn the tables in a reverse social engineering scheme.
“We sent him a phishing email to his AOL account that read, ‘there have been too many logins and your AOL is temporarily blocked. Please log in to unblock your account.’ He fell for it in a flash,” Sjouwerman recalls.
Five minutes later, Sjouwerman’s team had the attacker’s user name and password of his AOL account. Once inside, they emptied out his AOL account into their own PSD file and examined his work. The operation was netting the scammer about $250,000 a month.
“We knew that we weren’t allowed to do it, but we did anyway,” Sjouwerman says. When it comes to hiring hackers, “this is the kind of thing that you are easily tempted into if you’re a white hat or gray hat.”
Barriers to hiring hackers
Global CSO Shawn Burke would love to pick the brain of a black hat hacker to find out what his team at Sungard Availability Services isn’t considering when they implement security controls in their solutions. “There is definitely something they could bring to the table,” he says. But that will likely never happen because Sungard provides services to highly regulated financial institutions and government entities with strict requirements on background checks. “Of course, if they haven’t gotten caught, I guess it wouldn’t be on their resume” or background, he adds.
Sungard does employ a handful of white hat hackers who have completed SANS penetration testing and ethical hacking training courses. One employee was involved in “NSA top-secret work” in his former position. “[Former NSA workers] have seen things that nobody on my team has ever seen,” Burke says. “While they can’t talk about it – they certainly know how to say, in their own cryptic way, that we should probably posture our controls in a certain kind of fashion.” When choosing these employees, trust is key, Burke adds. “I have to trust the employees to do their job.”
Proceed with caution
Companies that are considering hiring a hacker should take several precautions, these experts say.
First, perform background checks before hiring new security employees, Oltsik says. “The red flag would be any kind of law enforcement issues or criminal background, a history of malcontentedness or confrontation with other people they work with, HR incidents, multiple jobs – nothing any different from anyone else you would hire.”
If evaluating a gray or black hat who might have a record, “It’s very often referrals and who you know and who they know” that gets them the job, Sjouwerman says. “If you get a verbal [endorsement], that’s the only somewhat-reliable way to get this done.”
Once hired, put the hacker in roles where they can be successful, but make sure you’re managing and monitoring them, Oltsik says. “They do have skill sets that can be damaging. With the right amount of oversight, you could quickly devise whether someone was doing things that are suspicious.”
Companies should also consider whether a hacker is a good fit within the organization. Hackers by nature tend to work independently and aren’t team oriented, Oltsik says. “If you have someone who loves breaking systems, but isn’t the most social, do you have a role that can fit them where it’s beneficial for you and a good fit for them?”
Hackers as consultants
Companies in doubt about their risk tolerance or culture for hackers may want to consider independent consultants on a project basis, Sjouwerman says.
A vulnerability disclosure company, such as HackerOne, connects businesses with security researchers to resolve their security vulnerabilities. HackerOne’s network of 70,000 hackers has earned more than $10 million in bug bounty rewards for solving companies’ problems. The hackers, who range from teens to highly specialized academics to security pentesters with day jobs, are vetted through a reputation system that tracks what the individuals have done when they’ve identified vulnerabilities and reported them, Rice says. The framework lets people practice their hacking skills “in a way that demonstrates their good intent,” Rice says. Proven ethical hackers can then be invited to work on privileged projects, such as the “Hack the Army” event.
“Organizations realize that the only way to get ahead of criminals is to work with those with the skills but none of the [criminal] motivation,” Rice says. “It does take one to know one.”
Yahoo Confirms 500 million Accounts Hacked — that’s half a Billion users!
That’s how many Yahoo accounts were compromised in a massive data breach dating back to 2014 by what is believed to be a “state sponsored” hacking group.
“A recent investigation by Yahoo! Inc. has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” reads the statement.
Yahoo is investigating the breach with law enforcement agencies and currently believes that users’ names, email addresses, dates of birth, phone numbers, passwords, and in some cases encrypted and unencrypted security questions and answers were stolen from millions of Yahoo users.
However, the company does not believe the stolen information includes credit card information or any bank details of the affected users.
Despite millions of people affected by the breach, the biggest victim here seems to be Yahoo itself.
The data breach reports come just as the company is trying to negotiate a deal to sell itself to Verizon for $4.8 Billion. So, if the breach reports negatively impact its share price, even for the time being, it could cost the company and its shareholders a slice of its buyout value.
Over the past few months, a large number of data breaches have been reported to plague companies like LinkedIn, MySpace, Tumblr, and VK.com, as hackers put up for sale massive data dumps of user credentials stolen earlier in the decade.