Ethical hacking: should you pay a white hat to break in?

Naked Security is reporting this week from Cloud Expo, Europe’s biggest digital transformation show.

In a bijou booth at London’s CloudExpo, BlackBerry, the much-diminished former behemoth of the mobile sector, was quietly plying its trade. BlackBerry describes itself as “a mobile-native security software and services company” and was there to promote its professional cybersecurity services, which it acquired following the February 2016 acquisition of Encription Ltd, a specialist in penetration testing.

So now, should you wish, you can get BlackBerry round to mess with your systems, while paying for the privilege. They’ll get up to no good, then write you a report telling you all the stuff you’re doing wrong. This, then, is the odd world of the ethical (or “white hat”) hacker, a somewhat shady-sounding occupation that uses penetration-testing techniques to assess IT security and identify vulnerabilities.

Sure, it serves a useful purpose, but it’s a bit weird still, isn’t it? It’s basically analogous to paying an “ethical burglar” to break into your house, or a “white hat mugger” to have a go at stealing your phone. You never hear about those, though, which is something of a shame. There must be thousands of charmless chancers out there desperate to get certified by the council and go out thieving for the greater good. Or, better still, much like that old Kate Bush song, set up in the faithfulness-testing racket, put on a white hat and run around propositioning spouses.

It doesn’t happen though, does it? Or maybe it does, somewhere. Perhaps in the higher echelons of society that we don’t ordinarily get to hear about there are ethical burglars paid for by the likes of the Candy brothers to test the security of plutocrats’ pads. But, on the whole, in the round, the concept of attaching “ethical” to a criminal activity seems only to apply to cybersecurity. As I say, it’s odd.

You can even get a degree in it: in 2016, Scotland’s Abertay University established what it described as the world’s first undergraduate degree in Ethical Hacking, a surely useful and practical course of study that aims to provide students with experience “investigating, analysing, testing, hacking and, ultimately, protecting real-life systems through the development of countermeasures.” Its primary aim, the university states, is “for someone to arrive on this programme as a student and leave as an ethical hacker”.

For the less committed there are also a few more modest qualifications, including the Certified Ethical Hacker (CEH) certification from the EC-Council. And much like the banal suggestion that one should “set a thief to catch a thief”, a canard that clearly implies the police’s refusal to recruit exclusively from the criminal community is entirely misguided, the EC-Council states that, “To beat a hacker, you need to think like a hacker.” Well, no, not really.

It pays quite well though. PayScale states that the median salary of an ethical hacker is around $72,000, rising at the top end to well over $100,000. So why not? And calling yourself an ethical hacker means you get to signal not only virtue, but a certain edginess also. It doesn’t get better than that.

Do you agree with Paul’s opinion on this? Let us know in the comments.