When we hear the term “hacker” and we immediately think a “bad guy,” right? Well, not necessarily. Allen Harper is actually the “chief hacker” for a security company, Tangible Security! He is also the author of the Gray Hat Hacking The Ethical Hackers Handbook.
Harper told Chris Dorobek on the DorobekINSIDER program that there is a perception of hackers as the bad guys, but in fact there are three distinct types of hackers.
- Good: "There are the good guys, which we call white hat hackers, and they are primarily focused on defensive measures."
- Bad: "There’s the bad guys, which we call black hat hackers and of course, they’re focused on offensive, or attacking measures."
- Grey Hat: "There’s a group kinda in the middle, and that’s what we categorize ourselves as. Grey hat hackers, and that’s the name of the book that I wrote, its actually in a third edition now, heading to fourth, quite a popular book on the subject of ethical hacking. And the idea of a grey hat hacker, is one that uses offensive techniques for defensive purposes, and that’s what we intend to do."
How does grey hat hacking work, and why would one do it?
"It's key to understand that one of the most important things that you can do today to defend your network is get an attacker’s point of view. So, you know, there’s an old adage, “It takes one to catch one.” You can imagine, if you would, if we had a sniper problem, and this sniper was causing casualties on our side, and we decide we wanna go hunt down that sniper. Who would you send? Of course, you would send another sniper, and the same is true in the hacking field. It basically, the point of view that we bring to a client would be an attacker’s point of view. In other words, we understand how the attackers operate, we emulate them to the best degree possible, and we use those techniques to find the issues in a network before the bad guys find ‘em. Its pretty much a foot race right now as to who can get to those problems first, and we aim to be there first, and help our clients fix them before the bad guys can," said Harper.
How do you integrate grey hat hacking into how an organization does business?
"We have what we all “rules of engagement” by which we set the bounds of the engagement. What we try to do is be as realistic as possible with the given time and budget constraints that we’re dealing with. The idea is to work your way from the outside in to a network and use all of the techniques that the bad guys are using. One of the biggest things that are being used right now are social engineering techniques, where the bad guys are quite simply tricking users into doing what they ought not do. We call this “hacking the brain” or “hacking the user.” And that’s the number one way that hackers get into the network right now," said Harper.
How do you find ethical hackers?
- Key Insight: "It's probably one of the hardest things we do, is find good people, and that all starts with the background check. I tell youngsters all the time – we deal with high school students, and they get excited about this hacker concept, and they’re at a very dangerous crossroads. They can either learn these skills at a school lab or in their home lab, safely, or they can learn ‘em on the dark side, and unfortunately, if they do that, we can’t use ‘em. And so, the first rule in our business, is if you have a criminal record, then we can’t use you, unfortunately. You have to understand that we deal with banks and financial institutions and so forth, and we take great care to ensure that we vet all personnel and make sure that they’re of the highest levels of integrity," said Harper.
You’re putting a big trust in these folks, aren’t you?
- Key Insight: "That’s right, that’s right. We spend a lot of time on that. We spend a lot of time in our hiring process. We hire right, and then we spend a lot of time, y’know, but, in way of leadership and monitoring and making sure that our procedures are followed. Now, it’s also important to know that we have a lot of internal procedures that make us efficient, but they’re also put in place as safeguards to make sure that the people that we hire are doing what they’re intended to do," said Harper.
Are there unique challenges for government, compared to the private sector does?
"I would say the techniques are the same as far as defending, its just that the threat is different. And really, what we’re talking about, the most significant threat that we face nowadays is cyber espionage, and you can understand that cyber espionage at a state level, or a nation level, is certainly a different threat than one, y’know, at a corporate level. Although, y’know, again, the same techniques apply and a lot of times, the same defenses would apply, its just that the impact, or the risk is different," said Harper.
There’s a lot of folks going after government sites nowadays, why?
"It's about the theft of intellectual property, and also access to critical systems that could be used in a crisis or in time of war, you know, in terms of the government. So, if you think about it like this, I’ll give you just a quick example of cyber espionage and how it works. The idea is this: Imagine that we have a fictitious bicycle manufacturer in middle America, and they’ve been in business for more than 100 years, it’s a family owned operation, and they’re planning a new bike that’s gonna hit the market in, let’s say, three years. And so they go into R&D, and they have an innovate design. Its basically a game changer for the bike industry. And then, all of a sudden, after their R&D, a competing bike hits the market with the same features, and the same technology, only it’s half the cost, and on the bottom it says “Made in China.” See, that scenario is happening across the country, and its really hard to get older companies, and even government agencies, to wrap their minds around the real and present threat of cyber espionage. Cases like that go under-reported all the time, and in fact, y’know, there’s a real incentive in place not to report these types of cases. Its one of the problems built into the security field that bad news tends to be secret," said Harper.