'Ethical' hackers say: It's just hacker. To be one is no longer a bad thing
Great and good of pentesting chew the fat with El Reg
Ethical hacking is a "redundant term" but to be a "hacker" is no longer a bad thing, according to proponents of the cybersecurity art form known as "penetration testing".
One-time Lulzsec hacker Jake Davis and his deportation-proof hacker mate Lauri Love appeared at a talk organised by pentesting biz Redscan in which the great, the good and The Register chewed the fat about hacking for positive purposes.
"It's got a negative stigma because of very malicious hacking which is always dumped into the same category of cyber attack," said Davis, dismissing the term "ethical hacking" while embracing ye olde-fashioned word: "We should just say hacker. To be a hacker is no longer a bad thing."
Agreeing with Davis, Love opined that "ethical" hacking could be defined as breaking into a computer system but in a setting where "you are in a symbiotic relationship with the thing you are hacking".
"Whether that's an intelligence-led penetration test, as you said, the utility depends on how that relationship works; what parameters set as you gain access; trust that has to be built; what responsibilities to ensure you're not causing damage; finding what access you can create," he added.
As far as the practical utility of pentesting goes, Ian Glover, president of British pentesting 'n' accreditation biz Crest, took a pragmatic line.
Stealing, scamming, bluffing: El Reg rides along with pen-testing 'red team hackers'READ MORE
"We can't find everything," he said, "but to do the best job we can, we need to give advice and guidance to organisations on where vulnerabilities are and how to address them." And how better to achieve that than through testing their defences, right?
First Group's CISO, Giles Ashton-Roberts, was rather more concerned with legal compliance worries around the practice. Detailing the number of regulations his multinational transport firm is bound to comply with (including the EU's Networks and Information Security Directive, GDPR, and on the online payments side PCI-DSS, among others), he said: "Where we engage with penetration testers, we have a series of penetration tests continuing through the year… Next time we go for that round of penetration testing it's ensuring we've closed the gap on the vulnerabilities that were found."
Backing this up, Anthony Lee, a tech and IP lawyer from Rosenblatt, pointedly observed: "Organisations are less concerned about personal data and more concerned about people coming in and making mischief with their systems… The problem you have is you can open the safe but you can't look at the contents."
Davis was rather taken with this idea. A security consultant since the end of his LulzSec days years ago, he commented: "You'll open the safe, look at the contents and then pretend you've never seen the contents, sign a lot of documents – or, in certain cases, sign a lot of documents saying you can't replicate those documents [inside the safe] because they're deadly cyber weapons."
Following on from this, Love, who now works for an Australian infosec firm, summed up the tension between pentesters and industry:
[It's] because you're trying to reconcile two completely different things. You want someone coming in who can be as trustworthy as the legitimate employees allowed to access those systems. You want to know that an organisation like Crest has accredited them to act diligently, responsibly... At the same time you want people close to this to be able to simulate a real-world hacker.
All these views are great provided you have suitably skilled and experienced pentesters to hand, and – as ever – it is the gap between newly qualified folk and experienced personnel which can cause headaches.
Redscan's director of cybersecurity, Mark Nicholls, said: "I'm seeing, or have seen, a quality issue in terms of people coming on board. Working with certifications and fresh out of university, the practical experience is not there. Maybe there's not that level of [in-depth] exposure at university – which would go a long way to making better hackers."
Industry likes pentesting provided its fears are soothed in advance; pentesters (or ethical hackers, call them what you will) are happy to do the work; all they need are enough skilled people. And they're easy to find. Right? ®