THE HACKING of Canada-based website AshleyMadison.com has left the private and personal information of its 37 million users at the mercy of hackers. But it has also prompted prominent questions in the cybersecurity debate and brought ethical hacking into the spotlight.
Hacking and ‘ethical hacking’ might sound like two terms coming out of the same stable, but there is a major difference between them.
The former is done by cyber criminals, who attempt to capitalise on a computer network’s vulnerabilities and penetrate it using malicious content. The Sony Pictures incident is a recent example of how serious hacking can prove to be. A Fortune magazine story described it as a “cyber-invasion” that “brought Sony Pictures to its knees and terrified corporate America.”
Ethical hacking, on the other hand, is done to find and fix lapses in a system. EC-Council, a professional certification body, describes the ethical hacker as an individual who is employed with the organisation and who can be trusted to undertake an attempt to penetrate networks and computer systems using the same techniques as a hacker.
A group of hackers, who call themselves the Impact Team, were behind the attack on the dating website, AshleyMadison. It was a frightening specimen of how hacking has evolved over the years – cracking e-mail and social media accounts is now the stuff of yore.
“Over the years, the level of awareness about cybersecurity has increased but so has the level of expertise of hackers. We are seeing more and more sophisticated attacks now – hacking of smartphones, ATM machines, cloning of cards and so on. It is becoming a bigger problem,” says computer security expert and ethical hacker Ankit Fadia.
Phishing, wormhole attacks, transferring Trojan programmes through files and using spyware are a few other tricks that hackers have up their sleeves. “Most of the businesses have online applications, which are typically the biggest target and also have the most number of vulnerabilities,” adds Bikash Barai, CEO of iViZ, a cloud-based application penetration testing provider.
While the hacking episodes at AshleyMadison and Sony Pictures made news worldwide, there have been incidents aplenty in India as well. A PTI report mentioned that over 700 Indian government websites had been hacked since 2012. But are Indian companies taking hacking seriously?
“Indian companies are now aware of the threat that hacking poses. They are spending more and hiring professionals to beef up their security,” adds Fadia. Start-ups and bigger companies are not behind either, says Samir Saraiya, CEO of ThatsPersonal.com, a niche e-commerce portal in the personal products space. “Over the years, India Inc has recognised the need for ethical hackers, or ‘white hats’, with the surge in cyber crime. Even the brighter start-up lot is ahead of the game, with many of them hiring certified, full-time white hats,” says Saraiya.
That there is a need for ethical hackers in the country is no secret. A Nasscom report stated that India will need at least 77,000 ethical hackers every year. To that effect, many institutions across the country offer courses on certified ethical hacking.
Ethical hacking is no longer a formal process. Companies invite ‘white hats’ to check their systems and duly reward them, but like the lapses that cyber criminals look to exploit, there are still a few gaps left to be filled. Mayank Goyal is an ethical hacker who has worked with MNCs before. Goyal believes that while ethical hacking is a bright prospect in India, there is still scope for improvement. “Ethical hacking has slowly become an excellent industry. But I think not many Indian companies provide ethical hacking as a solution per se. This is something that needs to be looked at. It will be beneficial not only for the companies but the engineers as well,” says Goyal.
Barai, of iViZ, says many companies are adopting ethical hacking just for the sake of it and the ‘cost factor’ also plays a big role. “The biggest challenge is the quality of testing. Most organisations are sensitive to price and hence, they end up adopting lower quality testing, which sometimes is equivalent to buying a cheap lock,” he adds.
More importantly, some man-management skills could go a long way in solving cybersecurity problems. “The system administrator in a company has to keep an eye on the day-to-day operations and security. Security is a dynamic and constantly changing field, which needs a lot of focus. You can’t have dual-purpose people looking after your security,” says Fadia.