The rise of ethical hacking: Protecting businesses in 2024
No matter how strong your organization’s firewalls, encryption, identity and access management, and other security measures are, they will never be impenetrable. This realization has led to the rise of ethical hacking in recent years. Businesses need to know how their protections stand up in the face of a genuine attack, and ethical hackers put those defenses to the test and provide the answers.
Ethical hacking brings creativity and a human perspective to attacking technical systems. Ultimately, it’s the job of ethical hackers to document the weaknesses they find and how they can be exploited, then present a report that outlines the issues and suggested remediations.
The evolution of ethical hacking
The early years of ethical hacking are often described as the Wild West, with hackers, good or bad, often characterized as cybercriminals. That perception has evolved, but even in recent years, there have been numerous news stories of ethical hackers and penetration testers being arrested for their acts.
Only in May 2022 did the Justice Department announce a new policy change: good-faith security research should no longer be charged under the Computer Fraud and Abuse Act.
Over the past decade, ethical hacking has grown into a legitimate and fast-growing profession. One research organization predicts the U.S. penetration testing market will grow from $3.41 billion in 2023 to $10.24 billion in 2028. What was previously stereotyped as outcasts lurking in the underground and disrupting organizations has turned into a valuable skillset with which professionals can earn considerable income.
The effectiveness of ethical hacking
Organizations can test the effectiveness of their applications and security systems with internal resources, but ethical hacking often relies on outside experts to bring a fresh perspective to the attack. This is done in a variety of ways.
- Individual bug bounty programs: Organizations like Apple allow security researchers and ethical hackers to report bugs directly to them. They have categories such as “lock screen bypass,” “elevation of privilege” and “zero-click unauthorized access to sensitive data” with payments from $5,000 to $2 million.
- Ethical hacking communities and services: Organizations like HackerOne offer a “fully managed bug bounty program” with a community of security experts and researchers looking to find vulnerabilities in exchange for a reward.
- Independent experts: If you’re like most organizations, you’re not testing your security often enough. At least, that’s what Infosec Skills author Ted Harrington thinks. Outside experts can assess (and reassess) your security posture on a one-time or recurring basis to help your organization stay secure.
For example, the videoconferencing company Zoom created its first bug bounty program in 2019, and it has been used to fix hundreds of vulnerabilities over the last few years. The company recently said it had paid over $7 million in bounties so far.
The future scope of ethical hacking
There are numerous automated tools to scan networks and identify vulnerabilities, but a lot of the value of ethical hacking still comes from humans — which is why the programs above will likely grow in 2024 and beyond.
In a recent Infosec webcast, Ted Harrington explained how his company, Independent Security Evaluators, frequently chains two lesser findings together into a far more damaging attack. In one example, they found two issues in a client’s project:
- Information leakage: Any user could identify any other user.
- Broken authorization: A password could be reset without supplying the current password; the only input the reset function required was the target’s unique user identifier.
The information leakage wasn’t a big deal, Harrington explained, but when combined with the second issue, it led to a complete system takeover.
“In theory, each user only knows their one user identifier, but when you combine that [broken authentication] issue with the information leakage, where any user can identify any other user, it means any user of the system can take control of the account of any other user of the system, including the admins,” he said. “These are the things that only a human who can connect these dots will be able to do.”
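The chain Harrington describes, as an added example that is not the client’s system or ISE’s own code: a directory call that leaks every user ID, a reset handler that asks only for the target’s ID, and the hardened versions that close both gaps. All identifiers, records and endpoint names here are hypothetical stand-ins constructed for the illustration.

```python
# Added illustration of the two findings described above and their fixes.
# Hypothetical code, not from any real application; names are invented.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample user store. The admin's ID is not a secret in the
# vulnerable design because the directory call hands out every ID.
USERS: Dict[str, dict] = {
    "u-1001": {"name": "alice", "role": "user", "pw_hash": ""},
    "u-0001": {"name": "root-admin", "role": "admin", "pw_hash": ""},
}


def _hash(password: str) -> str:
    # Illustrative only: a real system uses a slow hash (argon2, bcrypt, scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


for _uid, _pw in (("u-1001", "alice-pass"), ("u-0001", "admin-pass")):
    USERS[_uid]["pw_hash"] = _hash(_pw)


def login(user_id: str, password: str) -> bool:
    rec = USERS.get(user_id)
    return rec is not None and hmac.compare_digest(rec["pw_hash"], _hash(password))


# Finding 1, information leakage: any caller can list every user ID.
def directory_vulnerable(_caller_id: str) -> List[str]:
    return list(USERS)


# Finding 2, broken authorization: the reset needs only the target's ID.
def reset_password_vulnerable(target_id: str, new_password: str) -> bool:
    if target_id not in USERS:
        return False
    USERS[target_id]["pw_hash"] = _hash(new_password)
    return True


# The chained attack: enumerate IDs, pick an admin, reset, log in as them.
def chain_takeover(attacker_id: str) -> Optional[str]:
    for uid in directory_vulnerable(attacker_id):
        if uid != attacker_id and USERS[uid]["role"] == "admin":
            reset_password_vulnerable(uid, "owned")
            if login(uid, "owned"):
                return uid
    return None


# --- Hardened versions ---

# token -> user_id. A token is issued only after an out-of-band proof of
# identity (e.g. a link sent to the registered address) and is single-use.
RESET_TOKENS: Dict[str, str] = {}


def directory_hardened(caller_id: str) -> List[str]:
    # A caller may look up only their own record; other IDs are never exposed.
    return [caller_id] if caller_id in USERS else []


def issue_reset_token(user_id: str) -> str:
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = user_id
    return token


def reset_password_hardened(target_id: str, current_password: Optional[str],
                            token: Optional[str], new_password: str) -> bool:
    # Knowing the target's ID is not enough: the caller must prove it is the
    # account owner with the current password or a token bound to that ID.
    if target_id not in USERS:
        return False
    authorized = False
    if current_password is not None and login(target_id, current_password):
        authorized = True
    elif token is not None and RESET_TOKENS.get(token) == target_id:
        del RESET_TOKENS[token]  # single use
        authorized = True
    if not authorized:
        return False
    USERS[target_id]["pw_hash"] = _hash(new_password)
    return True
```

Neither finding is severe on its own: the leaked IDs are not credentials, and the reset endpoint still needs an identifier the attacker is not supposed to know. Together they give any user the admin account, which is the kind of dot-connecting an automated scanner reports as two low-severity items.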
Humans will remain essential to the ethical hacking process in the coming years. However, 2024 will likely be the year of artificial intelligence in cybersecurity — some of it overhyped, some of it extremely impactful — and AI will likely have some effect on ethical hacking.
Ethical hacking trends in 2024
Will AI tools rise to the level of those more advanced attacks that Harrington’s team frequently finds? Maybe not yet, but ethical hackers who leverage these tools will be able to do their work faster — and, one would hope, better. Unfortunately, those same tools will be used by cybercriminals and other unethical hackers.
Ethical hackers, whether experienced or still on their ethical hacking learning path, are already making use of AI to:
- Ask tools like ChatGPT how to penetrate certain kinds of technologies and networks using roundabout queries that disguise what could be construed as malicious intent
- Compose realistic phishing emails with perfect grammar
- Write code they can use to execute various attacks
Similar to how employees need ongoing security awareness training around best practices for tools like ChatGPT, it’s important for ethical hackers to continually update their knowledge and skills.
This is especially true given developments in areas like cloud security and zero trust. As organizations adopt these new technologies and security controls, ethical hackers need to remain a step ahead to be effective in their careers.
The demand for ethical hacking
Cyberattacks continue to increase in volume. Check Point Research recently reported a 38% increase in attacks year-over-year, and as we noted above, billions of additional dollars are projected to flow into the ethical hacking market in the coming years.
This is especially true for industries that are stewards of high-value or very sensitive information, such as:
- Healthcare
- Finance and investment companies
- Manufacturing
- Government agencies
- Public agencies, such as school systems and other institutions
This underscores the need for both ethical hackers and compliance, industry and role-based training for the entire workforce. No industry is immune from cyberattacks, and every organization can benefit from understanding its weaknesses before malicious actors can exploit them.
On the professional development front, Infosec’s Ethical Hacking Dual Certification Boot Camp, which prepares cybersecurity professionals to earn both their Certified Ethical Hacker (CEH) and CompTIA PenTest+ certification, has remained among our most popular training courses since PenTest+ was first launched in 2018.
Case studies: Ethical hacking in action
There are thousands of examples of security researchers and ethical hackers discovering vulnerabilities and reporting them to organizations to help improve security. Many of these reported issues are tracked on websites like the National Vulnerability Database.
The Cybersecurity & Infrastructure Security Agency (CISA) and MITRE highlighted the 25 most dangerous software weaknesses of 2023 (the CWE Top 25). This list provides insight into the types of issues ethical hackers commonly find, such as:
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), which can lead to the disclosure of information stored in user cookies, attacker-controlled script running in the victim's browser and other issues.
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), which can lead to reading sensitive database information — or even changing and deleting the data.
- CWE-352: Cross-Site Request Forgery (CSRF), which can lead to the attacker performing any operation as the victim, which can be particularly dangerous if the victim has elevated privileges.
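Each of the three weaknesses above as a vulnerable handler beside its hardened form, as an added example using only the Python standard library. This is illustrative code, not drawn from any real application or from the CWE entries themselves; the table, rows, session dictionary and handler names are constructed for the example.

```python
# Added illustration of CWE-89, CWE-79 and CWE-352 with fixes.
# Hypothetical handlers; the data and names are constructed.
import hmac
import html
import secrets
import sqlite3

# Constructed sample database with one ordinary user and one admin.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (name TEXT, role TEXT, secret TEXT)")
db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
    ("alice", "user", "alice-secret"),
    ("admin", "admin", "admin-secret"),
])


# CWE-89: concatenating input into the statement lets it rewrite the query.
def lookup_vulnerable(name):
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


# Hardened: a bound parameter is always treated as data, never as SQL.
def lookup_hardened(name):
    return db.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


# CWE-79: untrusted input interpolated into HTML without encoding.
def greet_vulnerable(name):
    return "<p>Hello, " + name + "</p>"


# Hardened: output encoding appropriate for an HTML text node.
def greet_hardened(name):
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# CWE-352: a state-changing request is honoured on the session cookie alone,
# so a form auto-submitted from any other site succeeds as the victim.
def change_email_vulnerable(session, form):
    if not session.get("user"):
        return 401
    session["email"] = form["email"]
    return 200


# Hardened: a per-session anti-CSRF token must be echoed in the form body.
# A cross-site page cannot read it, so it cannot forge a valid request.
def issue_csrf_token(session):
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def change_email_hardened(session, form):
    if not session.get("user"):
        return 401
    expected = session.get("csrf", "")
    supplied = form.get("csrf", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    session["email"] = form["email"]
    return 200
```

The same input that dumps every row through `lookup_vulnerable` returns nothing through the parameterized query, and the same script tag that `greet_vulnerable` emits verbatim comes out of `greet_hardened` as inert text. For CSRF the hardened handler rejects a request carrying only the cookie and accepts it once the token the server issued to that session is included.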
There are a few potential lessons that can be taken from these tens of thousands of vulnerabilities (over 25,000 were reported in 2022).
- Everyone is impacted: No matter how big or small a company is, it will be affected by vulnerabilities.
- Organizations need to be proactive: Whether you’re a tech company like Zoom or an SMB that relies on vendors for much of your infrastructure, it’s essential to have a method in place to proactively monitor and manage new vulnerabilities.
- Start with the basics: Yes, there are novel attack vectors, but the data shows that certain common attack methods work repeatedly. That’s why training in areas like the OWASP Top Ten is essential to prevent mistakes that could leave you vulnerable — regardless of whether you use ethical hackers.
The role of ethical hacking in cybersecurity education
As Harrington says, “To defend against attackers, you need to think like them.” That’s why ethical hacking skills are valuable for all cybersecurity professionals. Whether you work in the SOC, in risk management, in compliance or in one of a dozen other areas, it’s always valuable to understand how attackers think.
It’s valuable for all cybersecurity education curriculums to include some level of ethical hacking training. Not every role needs the same depth of hands-on skill, but an understanding of how attacks actually work is essential to building effective cybersecurity solutions.
For those looking to dive deep into ethical hacking, there are structured certification paths, such as the EC-Council CEH and CompTIA PenTest+ mentioned above. But as the industry has grown, more specialized career pathways have emerged, such as cloud-focused pentesting and application-focused pentesting.
Ethical hacking fills a crucial need
Considering the fluidity of the modern cybersecurity landscape, the need for skilled ethical hackers has never been higher.
By equipping your security staff with these skills, and by working with external partners, you bolster your security and shorten the time that vulnerabilities sit in your systems waiting to be discovered, whether by you or by bad actors.
Additional resources and further reading
- Get an overview on penetration testing careers
- Watch our webinars on how to conduct a penetration test and how to do application security right
- Explore the Infosec Skills course library to learn hacking and pentesting