Hacking – what colour hat are they wearing?


The word ‘hacker’ conjures up an image of either a bored but talented teenager trying to access the Pentagon for fun, or a serious criminal trying to steal your data and/or your bank details. Of course, many hackers do fall into those categories, and it’s estimated that globally, there is a hacker attack every 39 seconds. That’s less time than it takes to upload a selfie to your Instagram account.


An estimated 75% of businesses don’t have a formal cyber-attack response plan, although they may have it on a to-do list, buried under the business plan. The reality is that a cyber-attack can overwhelm a small business and make your business plan redundant, especially if you end up with your systems closed or your finances raided.


The good news is that not all hackers are bad. They fall into three main categories: black hat hackers, grey hat hackers and white hat hackers. The term came originally from cowboy Westerns!


Black hat hackers are the people with criminal intent, and the most skilled of them can bypass software defences and access systems in seconds, release malware to destroy files and steal passwords, or carry out denial of service attacks.


White hat hackers are also called ethical hackers and as you may have guessed, they are on the right side. These people use their skills to assess vulnerabilities and weaknesses in your cyber defences or IT systems – crucially, with permission from the top. Most businesses will ask these hackers to probe their systems and assess their risks, but ethical hackers can do other things too. Given that most cyber criminals exploit the weakest link – the people in your organisation – they will also test how well-trained staff are, and if they are following simple security protocols such as not clicking on phishing emails. Using ethical hackers raises the overall level of security and gives a clear plan of action to improve cyber defences.


While system testing concentrates on attacking software and computer systems directly – scanning ports, examining known defects in the protocols and applications running on the system, and checking patch installations, for example – ethical hacking may include other things. A full-blown ethical hack might include emailing staff to ask for password details, rummaging through executives’ dustbins and even breaking and entering, without the knowledge or consent of the targets. Only the owners, CEOs and Board Members (the stakeholders) who asked for a security review of this magnitude are aware of it.


In between lie the grey hat hackers, who usually hack into systems without criminal intent, but also without permission.



While our members are very unlikely to need a full-blown ethical hack as described above, we do offer elements of ethical hacking using experienced cyber security professionals who are studying for qualifications in hacking and cyber security. We can probe your website for weaknesses, we can try to get access to your systems from the outside, and we can see what damage could be done once inside. These services are offered at significantly lower fees than businesses would normally have to pay, since the ethical hackers are working with SWCRC to gain more experience and build their work portfolio. That said, they’re trained, supervised, and working under recognised experts. If you’d like to read more about our Student Services, please click here.



The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the South West is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the South West provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.


The Cyber Resilience Centre for the South West does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the South West is not responsible for the content of external internet sites that link to this site or which are linked from it.