Ethical Hacking as a Career: RAD? Right? Rich?

Pratima H

USA: Broiled. Slayed. Butchered. Popped with a pin. Lacerated?

It is still vague how exactly he did that but the ‘slash’ has been killed for sure.

The either-or wall between offensive and defensive markets for hacking comes crumbling down in more ways than one when one speaks to experts like Keith Barker.

So does the will-it/won’t-it question around networks becoming more software-wired and hence more vulnerable?

Barker also dispels many myths around the challenges and grey clouds that have started enveloping ethical hacking per se, whether as a profession or as the way the industry is moving.

After all, just a few years back, who could have thought that ethical hacking would be so much more than a happy, noble pastime for a smart geek getting bored with TV, weather or books? Who would have heard of the candy-trucks that governments and corporate alike are towing these days.

There’s the Department of Defense’s ‘Hack the Pentagon’ bounty program paying hackers to discover cyber vulnerabilities at the agency and cracks of cybersecurity issues in health care. There’s the Google Vulnerability Rewards Program (VRP) that spurs independent security researchers to identify and report vulnerabilities in Google-owned domains (it is being surmised that some $550,000 were shelled out to 82 individuals over the year); and there’s Cyberlympics and the Internet Bug Bounty Program by HackerOne happening in the same world.

Yeah, the same one where zero-day vulnerabilities (or their discoveries perhaps) have been rising with a fury never seen before.

As Symantec’s Internet Security Threat Report showed how in 2015, the total time of exposure came to seven days. It was 295 days in 2014 and 19 days in 2013. If we are talking numbers like an average of $2,200 in reward money for each single report (as guessed in case of Google’s VRP), then there is certainly a big shift happening in the hacking basements.

Google might even spruce up the payouts with June, 2016 kicking in, offering 33 per cent extra for high quality vulnerability reports. That might make sense if we look at other parallel numbers. Some 250 reports received by Google last year that could have came in handy for bolstering the product and weeding out the bugs.

At the same time, there are researches like the one by HackerOne together with economics and policy researchers from MIT and Harvard to get a grip on the dynamics and the economic forces behind the Zero-day market.

This one posited interesting inferences. The vulnerability market is not controlled by price alone, for instance. Or that given the premise that all the payoffs were the same, vulnerability hunters might as well put their energies towards newer, less mature targets to find the easy fixes and skip targeting older, more stable platforms or worse – not doing the actual bug-fixing.

Clearly with so many doubts circling the silver-lined grey clouds of hacking, it helps if some of those ‘slashes’ can be slashed.

Keith Barker has been in these very moorlands for nearly three decades now. Besides having authored numerous technical books and articles on the subjects in this domain, CBT Nuggets trainer Barker wields multiple IT certifications including Cisco CCIE Routing and Switching, Cisco CCIE Security, Cisco CCDP, Brocade BCNP, (ISC)2 CISSP, CompTIA Network+ and Security+, VMware VCP5-DCV, Palo Alto CNSE, and Check Point CCSA.

His training videos give a glimpse of what he packs under his smart sleeves and he actively devours and contributes to some exciting terrains like Cisco, security, networking and Bitcoins.

So, let’s hand over the sickle to him and get started.

Hi Keith. Let us get the simple but big question mark out of the way first. Is ethical hacking the same as it was even five or six years back? Haven’t the boundaries on legal and moral side of it started getting more blurred with the rise of hactivism, stand-offs like Apple and FBI, incidents like Ashley Madison, Panama Papers etc?

It is like a hammer, the way it was even some years back. Whether it’s a good tool or a bad one still depends on one uses it. Yes, there are hactivists or suicide hackers and Black Hats around but that’s not all this world is about. In fact, with certifications we hope that more and more people and professionals realize the threats that have risen, specially in context of social engineering and malware.

We hope that when people strengthen themselves with certifications they pick up the shifts in a lab environment, in a safe context and also with the mindset of good intentions.

Security built in, not sprinkled on: Keith Barker

With so many bounties trying to incentivize hackers on the defense side on one hand, and with a so-called price ceiling on the defensive market; would it be right to accept Katie Moussouris’ argument (made in the MIT Hacker One study last year) about hackers being attracted to less-mature targets instead of actual core-fixing? How would money be the differentiator in pulling a hacker to the good side?

For me it’s a case of labels being blurry. I guess it boils down to which cause the tools are being used for. The tools are quintessentially not different. If someone is using it for an attack or something illegal, then it’s a Black Hat case. If someone is using the exact tools with someone’s permission for penetration testing etc, then it’s a white hat in action. That said, I have always encouraged legal ways and better familiarity with tools and counter-measures.

As to what will ultimately drive a person when it comes to the fork in the road, it’s hard to control anyone’s moral compass. All that can be repeated here is this: Hiding all the time vs. using your skills for a good cause and with good money? The choice should be simple.

Talking of White Hat side, has hacking in itself got more difficult with live-data, disruption-possibilities and changing nature of apps?

Security always needs to be built in and not sprinkled on. The software design and testing phase continue to be crucial when it comes to penetration tools and stop-gaps. Before users are allowed to taste anything, it should be scrubbed well. Third-party’s unbiased options can be good choices here.

Code, per se, is changing so much with the rise of citizen developers and trends like Github, low-code platforms etc. How do you see that affecting the space?

Standardisation should be better, specially when it happens to sub-systems. The logic of the code is getting better than what it was five or six years back, despite the new trends. Right tools and right QA always work. It’s like tinker-toys with well-defined parts. They should be a help and not a problem.

How do you see the network side changing? Would SDN, Fog, IoT etc put in more kinks when enterprises want to try something new and make things easier for attackers?

Anything new is not just new for enterprises but for hackers too. Whenever there is automation like the SDN kind, there is definitely a new potential for attackers to have another attack vector or pane. But like the Ethereum case has taught us, every new thing needs a learning curve, correct precautions and ability to see and fix vulnerabilities with time.

So many zero-day vulnerabilities are making noise, and of the HeartBleed or OpenSSL kind at that. How much of a concern is that?

The very concept of ethical hacking is being aware. Being alert takes a new proportion when it comes to zero-day bugs. Not paying attention makes one more vulnerable. Most companies that are using legacy anti-malware solutions should start looking for new choices like signature pattern tools, mathematical models etc that a new breed of companies have started offering. If you can’t change your tune, you can’t spot and handle zero-day attacks.

Why is a certification better than self-schooling for an aspiring ethical hacker? Why is this a good career choice?

Training has been observed to be five times better than a self-learning format or a classroom. It’s also more reasonable from time, engagement-level and affordability perspectives. We take blue-prints and give courses that make it easy on the pocket and clock to pick up knowledge and skills. It’s like a buffet with a flat rate. Plus, a certification is a doorway to get into the bigger world that opens up and one can move to additional trainings if one starts having fun and loves building these skills. There is one more pleasant side-effect. A learner is in a much better position to sniff out weaknesses in the real world as practised in the lab world. That makes the world safer and alert.