Ethical Hacking's Place in Business


by
JP Dunning

Principal Security Consultant, Foundstone Practice, McAfee, APAC

Businesses, governments, and individuals are all focused on utilising and leveraging technology. With initiatives like Smart Nation and Smart Home, the question becomes how do we protect ourselves and our technologies against vulnerabilities? Ethical Hacker, JP Dunning, explains what ethical hackers do and why businesses need them, and what the talent attraction challenges are for the industry.

The definition of an ethical hacker

An ethical hacker is someone who is curious at heart and questions how the world around them works. They are intellectuals who are very inquisitive about how technology works and have the skills to test it.

They are researchers and professionals who use their know-how to protect organisations and individuals from cyber-attacks. When ethical hackers find vulnerabilities, they typically report their findings back to these organisations and work with them to remedy any security lapses.

Talent challenges

The primary challenge industry-wide is negative employment, meaning that there are more open jobs than people to fill them.

A talent crunch then leads to rising salaries being needed to attract additional cybersecurity resources, which would mean increased operational costs. This may adversely affect start-ups and small and medium-sized enterprises (SMEs) who are running on lean budgets. Start-ups and SMEs are also at greater risk of being affected by talent shortage as they do not have the allure or brand appeal that a large company or multinational company (MNC) might have, nor do they possess clear career progression paths. Also, jobs in technology are perceived to be less attractive than in other sectors, like financial services. This poses a challenge to attract talent, especially for technical positions like penetration testing.

Cybersecurity is also competing with other facets of technology, like data analytics, software programming, and application development, all of which are fishing from the same limited pool of technology talent. There is also an acute skills gap, especially in local senior positions, where technical expertise needs to be complemented with business acumen and strategic thinking.

Higher education in Singapore and around the region is starting to help students learn cybersecurity skills that prepare them for the job market. I spoke with several college students who were presenting their research projects at GovWare this year, and I was very impressed by their understanding of detailed security issues and their innovation around the security research they presented.

For many years, there has also been a stigma around teaching people the skills that hackers use. However, it is very hard to know how to defend unless you understand how hackers are going to attack, and can then test your company for the same vulnerabilities.

Speaking about the challenges I face as an ethical hacker: one of them is that it is not the kind of job you can leave at the office. It is very fast paced and highly technical. People must have the passion to keep up with, and fully understand, the latest vulnerabilities and hacking techniques.

What it takes to be an ethical hacker

It often takes understanding a technology better than the people who designed it. This means years of learning the fundamentals of modern technology. Many people see hackers in movies and TV shows and think it is just a matter of typing a few commands to gain access. The truth is, most ethical hackers have years of experience learning Internet protocols, operating systems, and software engineering. Only after becoming experts in these areas are they able to learn how to assess security and discover new vulnerabilities.

It would also serve them well to start off with a job in IT, such as a system administrator or programmer. Roles like these would help to increase knowledge about how networks and systems work, and finding anomalies becomes second nature.

They would also need to possess a ‘hacker’ mindset. A budding ethical hacker should not just understand and employ standard means of attack like worms, malware and ransomware, but also use social engineering to extract personal data that could be beneficial in their penetration testing efforts.


They would also need to possess communication skills. The ability to effectively communicate findings and translate the technical language into something a business executive can understand is crucial for an ethical hacker. Many of the smartest ethical hackers are not able to communicate the impact of a vulnerability. This makes it difficult to share discoveries with companies on the threat posed by the vulnerability and how to fix the issue. Often, many ethical hackers lack the skill of translating very technical discoveries to a non-technical audience. This leads to misunderstandings and sometimes inaction on the part of companies.

It would also be beneficial for aspiring ethical hackers to visit conferences, technical expos, hacker symposiums and hackathons. This is where they can meet the people who carry out in-depth research on cyberattacks and cybercriminals and those who write hacking tools/software.

Ethical hackers: essential to the Singapore market 

The McAfee Labs September 2017 Threats Report revealed that the public, financial services and technology sectors in Asia Pacific suffered the highest number of cyberattacks. A study by consulting firm Deloitte ranked Singapore fifth among Asia’s Cyber Five (alongside South Korea, Australia, New Zealand and Japan), a group of five nations that are most heavily dependent on internet-based transactions. However, the same study also revealed that Singapore and its Cyber Five counterparts are nine times more vulnerable to cyberattacks than other regional economies.

The Smart Nation Initiative, coupled with Singapore’s position as a financial hub and the spate of cyberattacks in 2017 that affected a government portal and two higher educational institutions, indicate the precarious position that Singapore finds itself in.

As the Smart Nation initiative continues to advance, ethical hackers will be needed to advise on security risks, perform penetration testing, and research vulnerabilities in Smart Nation technology and infrastructure early, so that they can be rectified at the design stage.

Ethical hackers will also be required by the public and financial sectors in Singapore. According to a study by consulting firm PwC, the financial sector and the government are two of the largest markets for cybersecurity. In line with this, CREST, a non-profit organisation that serves the needs of a technical information security marketplace that requires the services of a regulated professional services industry, has established a presence in Singapore to introduce its penetration testing certifications and accreditations to cybersecurity professionals here. This initiative was developed in collaboration with several associations, including the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS).

Given the increasingly sophisticated threats that financial institutions face, penetration testing will help discover and fix system vulnerabilities. This certification will provide financial institutions better assurance on the quality of penetration testers, deepen the pool of qualified penetration testers, and strengthen the overall cybersecurity posture and defence of our financial institutions.

Even the government is taking steps to beef up its pool of ethical hackers. Organisations like DSTA and MINDEF have organised hackathons to test young cybersecurity enthusiasts on their ability to hack, in the hopes that they can be recruited to serve as cyber defenders during their national service.

How ethical hackers can assist Singapore's Smart Nation initiative 

Ethical hackers can play the roles of testing the infrastructure and advising on the best possible ways to deploy a Smart Nation.

Singapore’s Smart Nation initiative is the reason the nation has invested heavily in technology, and it is underpinned by Singapore’s Cybersecurity Strategy. The Cybersecurity Strategy aims to create a resilient and trusted cyber environment that will enable us to fully reap the benefits of technology and secure Singapore’s future. Singapore has achieved much in its Smart Nation journey, but faces the risk of sophisticated threats. The nation is extremely dependent on digital technology to develop a Smart Nation comprising digitally-enabled businesses and lives. Cybersecurity, beyond being a necessity to defend and protect, is also an enabler for our future economy, society, and ultimately our Smart Nation.

One of the pillars of Singapore’s Cybersecurity Strategy is to step up the protection of our essential services. The government will implement a Critical Information Infrastructure (CII) Protection Programme that will emphasise robust and methodical cyber risk management processes, and the importance of a culture of cyber risk awareness across all levels of CII organisations. The nation will also increase the adoption of Security-by-Design practices to address cybersecurity issues upstream. This will enable us to pre-empt cyber vulnerabilities by going upstream, as cybersecurity will no longer be an afterthought, but will be implemented throughout the lifecycle of technology systems.

Ethical hackers are crucial in this regard. They will be required to perform penetration testing to discover vulnerabilities early, and report them so that they can be addressed at the design stage.

It is also important to note that the people and processes are just as important as technology. Training the personnel deploying and operating the Smart Nation infrastructure at all levels is critical to ensure that security is maintained to its utmost potential.

Other Asian markets that will need to rely on ethical hackers 

According to market research firm Markets and Markets, the global penetration testing market is set to be worth USD $1.724 billion by 2021, up from USD $594.7 million in 2016, growing at a Compound Annual Growth Rate (CAGR) of 23.7%. The APAC market is expected to grow at the highest CAGR between 2016 and 2021. The major driving forces for this growth are increasing technological adoption and massive opportunities across industry verticals in APAC, especially in India and China.

Some markets have only recently begun to emphasise the need for skilled ethical hackers. Ethical hackers are also relied upon for the embedded hardware in Internet of Things (IoT) devices, smart cars, and industrial control systems. These technologies are being expanded with a wide variety of new capabilities that need to be reviewed by ethical hackers for the risks they can pose to an individual and to a Smart Nation.

Cyber vulnerabilities in Asia 

There are two vulnerabilities that I want to cover.

One is that we still see many organisations with a lack of focus on securing their assets, which in some cases may be the personal information of their clients. There is a really low entry barrier for unskilled malicious hackers, also known as script kiddies, to perform cyberattacks on people and organisations. While not as sophisticated as more advanced hackers, these script kiddies do cause cyber destruction all over the world. While some areas of Asia are still maturing in their understanding of, and spending on, securing their assets, even these unskilled hackers can cause significant impact.

The second hole or vulnerability is with connected devices in the home. According to market research firm Markets and Markets, the global Smart Home market will be worth US$137.91 billion by 2023, growing at a CAGR of 13.61% between 2017 and 2023. APAC will experience the greatest boom in the smart home market, and is expected to grow exponentially between 2017 and 2023. This can be attributed to the increasing number of new residential projects and numerous initiatives to strengthen the building infrastructure in the region.

The additional presence of a huge end-user base in advanced economies such as Japan and South Korea, coupled with the increasing demand for energy management systems are also expected to fuel the growth of the Smart Home market in this region.

However, with so many connected devices within a smart home, the threat surface area is also exponentially increased, as there are now many endpoints for cybercriminals to exploit.

Established electronics companies are adding new features while many startups are entering the Smart Home industry. While competition might drive innovation, it is important that they engage with skilled ethical hackers to find out how their products can be exploited. Some examples of realistic threats for Smart Homes and Smart Buildings include:

  • Webcams/CCTV cameras: can be hacked to broadcast video feeds online without your knowledge.
  • Smart sensors in appliances: hackers can send spam from your appliance or order costly items without your permission.
  • Smart light bulbs: connected bulbs can become an entry point for hackers to access the rest of your home network.
  • Smart thermostats: infected systems can alter temperature settings and lead to higher energy bills.
  • Smart home controller: can be infected with a malicious backdoor allowing a hacker to access your home network and attack your other devices, like phones, laptops, and smart TVs.
  • Smart locks: smart locks might be vulnerable to remote unlocking without your permission or knowledge.
  • Connected vehicles: a hacker could break into a connected vehicle and meddle with the brakes (brake suddenly or cut the brakes), activate the windscreen wipers suddenly, or increase the volume on the sound system. One could potentially lose limbs or life if such scenarios lead to an accident, as well as impact their surrounding environment (cause a pile-up, damage property, or even injure/kill other people).

The lines in cybersecurity both in the office and at home are blurring in line with the rise of IoT and mobility trends. In order to protect our connected homes, consumers should consider investing in security platforms that offer comprehensive end-to-end security protection. Security at the network level means that all the devices in your home, even the ones without screens, are automatically protected.
