The digital revolution of the past 50 years or so has brought about sweeping changes for billions around the world, many of them positive. To name a few, it’s now easier to communicate with friends, family and colleagues; book holiday vacations; and go shopping.
However, the digital world that we all so happily inhabit is also something of a leaky sieve. Computer networks are not, it turns out, invulnerable. In fact, they are preyed upon relentlessly by hackers, ever-keen to outwit IT security specialists and the global antivirus companies.
Hacking with Malign Intent
Malicious hackers can wreak untold havoc. A recent survey found that a criminal security breach can cost a UK SME anything up to £115,000 per incident. For large UK organisations, this estimate can soar to £1.15m.
Moreover, one recent report puts the cost of cybercrime worldwide at circa $300bn per year. This figure accounts for hundreds if not thousands of companies that were breached, including Nieman Marcus, the high-end U.S. store chain, which was subject to a criminal intrusion in January 2014 by hackers who stole the credit card details of around 1.1 million customers.
By no means is all cybercrime financially motivated, though. Cyber espionage is now commonplace and is superseding more traditional, “analogue” methods for extracting secrets from foreign governments. As a result, and following a recent episode involving a U.S. double agent, Germany announced it is now considering using typewriters for key communications. Such is its concerns about cybercriminals stealing its data.
The above examples notwithstanding, not all hackers pore over their laptops with malicious intent. There’s actually a long and respected tradition of benign information systems intrusion, sometimes known as “white hat” or ethical hacking. This dates back at least to the early 1970s when the U.S. Air Force attempted to breach the Multics operating system to assess the extent of its security.
Over the past two or three decades, ethical hacking has become professionalised in the form of penetration testing, often abbreviated as “pen testing”. It is now possible to study hacking in college or at university, as well as to attain professional qualifications in the field, including the GIAC Web Application Penetration Tester certificate from the respected U.S.-based SANS Institute. Pen testing is a disciplined process involving one or more security experts who execute a scheduled, authorised breach of an organisation’s IT infrastructure. The purpose is to expose and document vulnerabilities with the explicit intent to patch them ASAP.
Today, penetration testing jobs are highly sought after in the information security industry.
A recent Google initiative dubbed Project Zero has taken the idea of ethical/professional hacking one step further. Google has assembled a team made up of personnel with real-world hacking credentials in an effort to make the web a safer place. The team plans to identify major vulnerabilities across the web, inform the relevant companies, and suggest fixes.
If evidence were ever needed of cybercrime entering the realms of corporate respectability, it surely comes in the form of Project Zero team. Who knows what other initiatives will be announced in the coming years?