Why Trust Ethical Hackers?
Did you know that 9 out of 10 hackers are under 35, while 8 out of 10 are self-taught? Did you know some hackers are not criminals? Did you know that every 5 minutes a hacker reports a vulnerability? Some don't want to steal anything. They are called ethical hackers and represent a global force for good, coming together to help with the growing security needs of our interconnected society. People call them security experts or use titles like "ethical hacker", "white hat", "security researcher", "penetration tester", "bug hunter", and "finder".
When a vulnerability is found, it needs to get into the right hands quickly so it can be safely resolved. Recent studies concluded that hacking for good is growing in popularity, as nearly two-thirds of Americans (64%) today recognize that not all hackers act maliciously.
How are (ethical) white hat hackers different from (bad) black hat hackers? They use their knowledge to increase and improve the security of the organizations that employ them. They identify vulnerabilities and provide defensive advice. The bad ones gain unauthorized access to a resource only for financial gain or personal recognition; the methods they used and the vulnerabilities they exploited remain unreported, so no company will know how to prevent them. In terms of good or bad, white hat hackers are always the digital heroes. But how can we ensure that those who are charged with protecting don't also use their knowledge for malicious purposes? Well, we don't! A certified penetration tester works with the full knowledge of all parties involved and is typically under contract to perform something like an audit. So there are "Rules of Engagement" that everyone involved is aware of. Every white hat penetration test has its scope, process, and reporting procedures clearly defined in the contract, including, but not limited to, all IP addresses, phone numbers, routing ports, exploits, and even the social engineering techniques that will be used during the tests. The use of fear, uncertainty, doubt, and deception is forbidden. In other words, an ethical hacker can't trick a potential client with facts and scare tactics designed to exaggerate the threats. It is a well-known fact in the industry that integrity is the primary virtue among good hackers. It comes from protecting the customer, the companies, and all involved. This is a goal achievable only by avoiding conflicts of interest, false positives (pointing out flaws where there are none), and false negatives (reporting no flaws where there are many).
White hat hackers constructively participate in resolving security flaws, but they do not build the network security of the organizations. Their job is to test defenses, not create them. If they run a test involving human employees, the companies that hire them will not receive the names of the employees who failed the test, because their privacy could be put at risk as a result. Testing requires knowledge and skills that are primarily used for bad purposes. But instead of sowing discord, ethical hackers are entrusted to use theirs for defense. A white hat hacker has intelligence and common sense, strong organizational skills, impeccable judgment, and the ability to remain cool under pressure.
As Heather R. Younger said: "An ethical man is someone who lives and dies for integrity. Doing the right thing, even when it hurts, is the ethical leader's mantra." White hat hackers are ethical leaders in the same way. They don't make false promises. If they make a promise, they do whatever they need to in order to keep it. The main goal is securing the intellectual property of others.
Unfortunately, legal issues in this field are abundant. Most of them originate in perceived unethical behavior. Ethical hackers have even been arrested for doing their jobs. For example, when a former employee discovered that an email service had a significant vulnerability, he acted: he emailed its users telling them to come to his own website, where he gave information about the flaw. He was not only prosecuted but convicted, and served 16 months in jail for penetrating a secure network. After a long process, the U.S. Department of Justice conceded that the conviction was wrongful. To avoid legal issues, industry standards and regulations must be followed explicitly.
In the end, when doing a pen test, for white hat hackers to remain on the good side they have to know exactly what they are testing. Physical security? Logical security? Software security? Software configuration? Hardware configuration? Settings? Because the devil is in the details. One question still pops out: what should a white hat hacker do if he discovers major vulnerabilities that will impact customers, third parties, or the population as a whole? Is his duty only to tell the client and keep quiet? Respond in the comments...
Disclaimer: The original version of this story was published on a platform called Vocal. Check it here: https://vocal.media/01/why-trust-ethical-hackers