Written by Harriet Masters • Published 02nd November 2017
Hacking is typically treated as synonymous with criminal activity. Ask people the first thing that pops into their head when you say hacking and it’s highly likely they’ll cite Anonymous, WannaCry, or picture teenagers locked up in their rooms furiously trying to breach and disrupt the systems of high-profile organisations and government bodies. There’s no doubt that these individuals, groups and ransomware exist. However, to argue that they’re archetypal of hacking does an injustice to the less famous, ethically conscious siblings of criminal hackers who attempt to prevent and disrupt their work.
When talking about hackers we can broadly categorise them into three different groups: black hats, white hats and grey hats. At a basic level their differences boil down to the intention with which they hack. If you’re a fan of American cowboy films (which feature cowboys in white hats and villains in black hats) I’m sure you can take a pretty good guess at which hackers are the goodies and which are the baddies. But in order to understand who does what in more detail, let’s take this summer’s high-profile WannaCry case (which affected over 200,000 organisations across 150 countries) and its conqueror, Marcus Hutchins, as an example.
The as yet unknown individual or group who exploited a flaw in Microsoft’s software to encrypt thousands of files, and install ransomware that demanded payment in return for releasing them, were black hats – as they maliciously violated their victims’ computer security, with the intent of extracting money that they weren’t entitled to.
Meanwhile, Marcus Hutchins, who managed to end the attack by triggering a “kill switch”, was originally considered a white hat – as his activity prevented further damage being done. He has since become a suspected grey hat – someone who hacks for both malicious and helpful reasons – after he was indicted by the FBI on six charges related to the development and distribution of a particularly nasty piece of malware called Kronos.
In other scenarios, black hats might force their way into secure networks to modify, steal or destroy data, while white hats draw attention to organisations’ potential computer or network weak spots, so they can be resolved before they are exploited by malicious hackers. We are currently witnessing a rise in the number of people specifically employed for this purpose, either as freelancers or as internal company employees. This leads us to our fourth, surprise group: blue hats – people invited to find security vulnerabilities in Windows products for Microsoft.
As a white or blue hat hacker your earning potential is significant; you’ll typically be earning upwards of £100,000 after only a couple of years. However, awareness of info security as a career option is frustratingly low, and we aren’t being equipped with the skills to pursue the white hat hacker path from a young enough age. Both factors have resulted in a skills gap, and possibly in youngsters pursuing the black hat path out of a lack of awareness of alternative options.
In fact, a survey conducted at the 2017 Black Hat conference in Vegas revealed that 45 percent of respondents think primary schools and colleges don’t offer adequate security courses, and 71 percent believe their companies have insufficient staff to protect against cyberthreats. If we want the number of white hat hackers to increase, and the impact of black hat activity to decrease, more effort must be put into raising awareness of ethical hacking as a career option from a young age, starting with lesson number one: white hat – good, black hat – bad, grey hat – undecided.