Myth busting: The top ten things you never knew about ethical hacking
26 March 2018
By Laurie Mercer, solutions engineer at HackerOne
Legend has it that the original definition of ‘Hacker’ was “someone who makes furniture with an axe”. Today, if you look up the word ‘hacking’ in the Cambridge English Dictionary, it is described as ‘the activity of illegally using a computer to access information stored on another computer system or to spread a virus’. Neither definition is fit for the 21st century.
Today there is an army of white hat hackers who are acting as guards and protectors, and only a very small minority of them have even thought about making furniture.
‘White Hat’ hackers work with organisations and help them find vulnerabilities in their networks and applications before cybercriminals can exploit them. Day in and day out these hackers are competitively hunting for security vulnerabilities and responsibly reporting them to the affected organisations so they can be rapidly remediated.
Keren Elazari called hackers “the Internet's Immune System”. Often driven by a sense of curiosity, and working within the scope an organisation has authorised, they are doing nothing illegal, and their ethos is that the internet becomes a safer place every time a vulnerability is found and fixed.
The Age of the Hacker
We’ve entered a digital age where every company connected to the internet needs to think about cybersecurity. Anyone who relies on software to run their business needs to ensure their systems are secure. But cyberthreats are asymmetrical - attackers far outnumber small security teams.
As more and more code is deployed, traditional security controls and even automation cannot possibly keep up. Instead, we must turn to a community of hackers who are already keeping a watchful eye on the internet. Tens of thousands of trusted hackers are invited and incentivised to test software every day by organisations such as Lufthansa, Shopify and the European Commission. These engagements are called bug bounty programs.
Bug bounty programs engage a large community of hackers with diverse skillsets and in-depth knowledge, enabling them to test systems for weaknesses that often go unnoticed for months or even years. There is an old saying, known as Linus's Law, that “given enough eyeballs, all bugs are shallow”. Bug bounty applies this adage to security testing: vulnerabilities are looked for by the largest possible number of eyes, and fixed before criminals can exploit them.
According to a recent report from HackerOne, its network of white hat hackers has already found over 72,000 valid vulnerabilities. This highlights the important role white hat hackers play in helping organisations mitigate security threats.
The 2018 Hacker Report surveyed 1,698 ethical hackers to understand their key motivations. The study uncovered some very interesting drivers and below are the top ten ethical hacking facts to come from the report which, I’d wager, will be a surprise to many:
White hats have already made over $26m in the last five years
White hat hackers on HackerOne’s network have earned over $26 million in bug bounty money in the last five years. This demonstrates that white hat hacking can in fact be a legitimate and lucrative career choice.
Money is not the number one motivator
While many people might think the main motivator for ethical hackers is money, this is actually not the case. The financial incentive is undoubtedly important, however, the key motivator for white hat hackers is the opportunity to learn tips and techniques. Other top reasons for hacking include career advancement, the opportunity to protect and defend and to do good in the world.
Hackers love to hack websites
Over 70 percent of hackers say their favourite type of product or platform to hack is websites and web applications, followed by APIs (seven percent), technology that holds their own data (five percent), Android apps (four percent), operating systems (three percent) and IoT (three percent).
One in four hackers donate bounty money to charity
Over 24 percent of hackers from HackerOne’s network have donated bounty money to charitable organisations - talk about hacking for a good cause!
The top five hacker regions are India, the US, Russia, Pakistan and the UK
India (23 percent) and the United States (20 percent) are the top two countries represented in the HackerOne hacker community, followed by Russia (six percent), Pakistan (four percent) and United Kingdom (four percent).
One hacker used his bug bounty money to buy his family a house
Ibram Marzouk, an ethical hacker in HackerOne’s network, used his bug bounty money to buy his family a house when they moved to the US. Other hackers have used bug bounty money to buy cars, pay school tuition, take holidays and even fund a college education.
Top ethical hackers are making 2.7 times the median salary of a software engineer in their home country
The top hackers based in India earn 16x the median salary of a software engineer. And on average, top earning researchers make 2.7 times the median salary of a software engineer in their home country. This means white hat hacking can be a more lucrative career choice than software engineering for some.
Hackers spend an average of 20 hours a week hacking
Over 66 percent of hackers spend 20 hours or less per week hacking, with 44 percent spending 10 hours or less per week. More than 20 percent of hackers spend over 30 hours per week. Only 13 percent of hackers hack full time (40+ hours per week).
50 percent of hackers are aged under 25
Hacking attracts the younger generation. The largest group (45 percent) of hackers is between 18 and 24 years of age. Over 90 percent of HackerOne’s bug bounty network are under the age of 35, with eight percent under the age of 18. While many hackers are young, nearly 29 percent have been hacking for six years or more, and over 10 percent have been hacking since at least 2006.
Hackers by night, students and tech employees by day
Almost half (46.7 percent) of hackers work full time in related areas such as information technology (IT), software or hardware development. Over 44 percent of those working in an IT profession focus specifically on security or security research, and 33 percent on software development. Just over 25 percent of HackerOne’s hackers are students.
Hacking is increasingly viewed as a legitimate activity, both by the hackers whose actions are financially rewarded and by the organisations looking to use their skills to secure their software and networks.
Since the 1980s, hackers have defined themselves as “One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.” Is it time the dictionary was updated to give this vital skill the credibility it deserves and banish the criminality association once and for all? I think so.