Here at The Security Awareness Company, we firmly believe in making a clear distinction between “hackers” and “criminal hackers.” The word “hacker” gets thrown around in the media a lot, and it’s never in a good light. But there is a big difference between someone who identifies as a “hacker” and someone who uses their hacking skills to commit crimes. (It reminds us of the square/rectangle analogy: all squares are rectangles, but not all rectangles are squares. All criminal hackers are hackers, but not all hackers are criminals.)
To help us understand the difference, we have reached out to friends and colleagues in the infosec and hacking communities to write a few guest posts over the next few months. Our first guest Georgia Weidman, a friend in the infosec community who self-identifies as an ethical hacker. She is a full-time security researcher and founder of Bulb Security and Shevirah. For more information, connect with her on Twitter. She has agreed to talk about her experiences in the hacking community, how she got involved, what an ethical hacker is, and what the community has contributed over the years.
When I was about 10, I read a book about Kevin Mitnick, Pengo, and Robert Morris. While their exploits seemed very interesting, each story ended in jail time or, at the very least, derailment of career goals. My unsophisticated Internet searching circa the early 2000’s led me to the same conclusion. Hacking was a neat skill to have, but the price was too high. It was many years later when I discovered ethical hacking through my participation in the collegiate cyber defense competition and began a career as a penetration tester, security researcher and trainer. Though it all turned out the way it should in the end, I am often left thinking how much more I would have accomplished with all those extra years to focus on ethical hacking, and what contributions I could have made towards the state of security while still in my teens. Still today when I tell people what I do for a living, a fair number of people’s eyes glaze up as they realize they are talking to a hardened criminal who just hasn’t gotten caught yet. This depiction of hackers really needs to change.
Rather than seeing ethical hackers as criminals, we should instead recognize their contributions to the state of security.
Ethical hackers are responsible for most of the security measures that keep everyone from the casual user to the enterprise safe using electronic devices particularly when connected to the Internet. Hackers discover security issues through simulated security tests known as penetration testing, playing the part of a malicious attacker to find and fix the vulnerabilities before the bad guys do. Security researchers and ethical hackers, are responsible for the behind the scenes coding on tools such as anti-virus and email spam filters that keep us all safe from malicious programs as well as working on and testing the security of encryption protocols such as SSL on secure websites when you put in your credit card or password and WPA2 on wireless networks. Without ethical hackers, we would all be left helpless at the mercy of malicious attackers. Rather than seeing ethical hackers as criminals, we should instead recognize their contributions to the state of security.
For anyone interested in becoming a certified ethical hacker, our partner EC Council offers an ethical hacking training and certification program.