Computer nerds, who set out to find security vulnerabilities in other companies are guaranteed to be up to no good, right? Not always. That’s because some of these individuals, referred to as ‘ethical hackers’, work with good intentions. The term describes IT specialists who use their know-how to help companies uncover inadequate security measures. In so doing, they operate alongside digital solutions such as customer and identity access management (CIAM) to help organisations protect themselves against intruders. In this article, we explain the difference between reputable and criminal hackers and how this type of collaboration works.
The rapid advance of digitalisation has led to a dramatic increase in the complexity of IT infrastructures in companies and government agencies, which must also store more and more sensitive data in digital form. Consequently, the topic of cybersecurity is playing an increasingly important role.
As part of their fight against cyber-attackers, IT managers can seek help from external hacking specialists who put their programming and IT expertise to ethical use. In doing so, they are helping out their own internal IT teams, which are often already overstretched.
White hat hackers vs black hat hackers
Following the traditional means of distinguishing the good from the bad in Western films, ethical hackers are also known as white hat hackers. They differ from their criminal counterparts, the black hat hackers because companies hire them specifically to break into their IT systems. Since the ‘victims’ consent to these attacks, this hacking type is considered ethically acceptable.
The job of ethical hackers is to find vulnerabilities in digital systems before the black hat hackers do so. Their work focuses on issues such as security vulnerabilities in programming software for web applications or checking hardware for security risks. White hat hackers can also uncover vulnerabilities in the configuration of software products in companies. Although the products from most vendors are as secure as possible, this is only one aspect of security. IT managers frequently struggle to optimise the operational configuration of their systems, as digital solutions – at least for now – are often unable to detect all errors.
Therefore, the fundamental differences between ethical hacking and ‘normal’ hacking relate to the reasons for and context of the hack. White hat hackers aim to provide constructive help in securing digital infrastructures and sensitive data against external attacks.
In contrast, black hat hackers act with ulterior motives, such as personal enrichment or stealing confidential data. They do this by infiltrating or even destroying security systems.
From a purely technical perspective, however, constructive and destructive hackers often employ the same know-how and technologies.
How collaboration with ethical hackers works
Anyone who is considering hiring an ethical hacker can find them on recognised marketplace platforms, also referred to as bug-bounty platforms. Payment is usually based on a commission model, whereby hackers only receive a commission if they find vulnerabilities. The amount paid depends on the severity of the security vulnerabilities discovered.
Even for ethical hackers, infiltration of a third party’s IT systems is fundamentally illegal. As a result, before starting their work, both clients and hackers must protect themselves legally by signing a contract that sets out precisely what the white hat hacker may and may not do.
That said, hiring ethical hackers as a precautionary strategy against malicious attacks is definitely recommended. As external experts, ethical hackers are likely to suffer from fewer biases and blind spots, for instance. They also bring with them the know-how to which small and medium-sized companies, in particular, do not have access.
Nevertheless, clients should be clear about one thing: even an ethical hack that adheres to all legal requirements involves a certain risk of negative consequences such as impaired system performance or even crashes.
What else can companies do to protect themselves?
Apart from hiring ethical hackers, organisations and companies can take steps of their own to arm themselves against destructive attacks. Such measures – also recommended by ethical hackers – include keeping operating systems and software up to date and using two-factor authentication (2FA) or multi-factor authentication (MFA). Logins, in particular, often rely solely on insecure passwords. In the context of a CIAM solution, it makes much more sense to trust in 2FA/MFA and replace passwords entirely with biometric authentication. Moreover, companies should always heed the manufacturer’s instructions regarding the software used and make their employees aware of cyberattacks such as phishing emails.