Breaking into your own house is unnerving.
Why wasn’t that window locked? Why didn’t the alarm trip? Why didn’t the neighbors blink? It’s too easy.
For the same reasons, cybersecurity experts say, breaking into your own place is important in the cyber world. And that’s what white hat hackers are for.
White hat hacking (or ethical hacking) is breaking into computers and devices to test an organization’s defenses.
It’s one of “the most exciting IT jobs any person can be involved in,” chief security officer Roger Grimes wrote for CSO Online. “You are literally getting paid to keep up with the latest technology and get to break into computers without the threat of being arrested.”
And it’s the cyber version of “know your enemy,” Bob Withers told attendees at the ISSA Colorado Springs 6th Annual Cyber Focus Day.
An ethical hacking expert who has “battled the dark side of the hacker force since the internet’s days of screens-that-are-green,” Withers has worked in cybersecurity for the U.S. State Department, major New York banks, tech firms, commercial enterprises, defense agencies and in academia.
“The bad guys are there to break in,” Withers said. “If we think like the bad guys, we will find the vulnerabilities and hopefully close them before the bad guys can actually take advantage of them.”
HACKING FOR DEFENSE
“Hacking for defense gets to be really important to know where your vulnerabilities are,” he added. “That’s where you allocate your budget and your manpower and your resources and your technologies — or you decide that you’re not going to carry out a business.
“Why do people on the dark side hack? For fun; for profit; being nasty,” Withers said. “And then there are the pros — the nation states.”
Every one of them is a threat, and having a certified ethical hacker examine your systems from an attacker’s vantage point is critical.
“We worry, as engineers, about how to get things to work,” Withers said. “We want to prevent them from breaking — we want to prevent them from doing bad things so we patch, we harden, we remove unnecessary services. [But] the cybersecurity professional should be looking for the ways that broken things can be exploited.”
He used credit reporting giant Equifax as a cautionary example of what happens when vulnerabilities aren’t found and fixed.
“Equifax had a failure in their configuration control and management processes,” Withers said. “They knew that they needed to patch Apache Struts [an open-source web application framework] as part of their infrastructure — and they blew it. And 400 million people’s information got stolen.”
The best way for an organization to build good defenses is to try every avenue for breaking into its own network, and every trick for hijacking its own systems.
Some companies hire ethical hackers to identify these vulnerabilities; at other times, white hat hackers find holes without being asked.
Late last month, Tencent Keen Security Lab released a 37-page report showing that its researchers were able to trick Tesla Autopilot into steering into oncoming traffic.
“Researchers have devised a simple attack that might cause a Tesla to automatically steer into oncoming traffic under certain conditions,” Ars Technica reported April 1. “The proof-of-concept exploit works not by hacking into the car’s onboard computing system, but by using small, inconspicuous stickers that trick the Enhanced Autopilot of a Model S 75 into detecting and then following a change in the current lane.”
Changes to physical environments are currently considered outside the scope of attacks against self-driving systems, but Tencent Keen researchers don’t think they should be. The point of their research was to persuade companies designing autopilot systems that they should pay attention to such exploits.
“We have to know what the attackers are looking for, what they’re thinking about, to be able to find the vulnerabilities to patch,” Withers said.
Withers said he took the first of his many ethical hacker certifications in 2005 and now, as an instructor at Global Knowledge, he dedicates himself to “teaching and evangelizing cybersecurity to students worldwide.
“I tell people that I teach ‘ethical hacking’ and inevitably, in the general community, there’s giggling and snickering: ‘Hey, hey, hey, how can hacking be legal?’ And the answer is: with permission and within the scope of work. You do your best due diligence to find the holes so they can be fixed. That’s ethical hacking.
“But we have other euphemisms: security testing, red teaming, tiger teaming, penetration testing,” he said. “It’s all about thinking like the enemy and seeing what the enemy can find.”
Among other things, ethical hackers learn to do reconnaissance on the target environment; take over as an administrator; plant backdoor software; persist in the network (think of it as lurking); avoid, detect and circumvent firewalls and other protections; and hide their tracks.
“The end of the hacking cycle is covering your tracks — for two reasons. You make it hard to discover that you’re there,” Withers said, “and then you make it hard to figure out what happened.
“We talk about this in the ethical hacking class. Getting in is fine. Getting it out is better. And getting out with credit card databases, frequent stayer accounts, anything that could be monetized and used for nation state purposes — that’s really the ultimate goal of the hacking.”
In a criminal hacker’s mind, Withers said, “the only crime is getting caught. Hackers don’t want to get caught — so we need to understand how they’re evading our defenses.”
UCCS Cybersecurity Programs Interim Director Rick White; Shawn Murray, president and chief academic officer for Murray Security Services; Jordan Scott, cybersecurity analyst at Boecore; and Lisa Gilbert of Applied Research Systems were among 19 speakers and trainers at the ISSA Colorado Springs Focus Day.