ABC News
Business
Tom Williams

As Optus, Medibank and more are hit by cyber attacks, these 'white hat' or 'ethical' hackers are targeting companies 'from the inside'

Jessica Cruz and Ed Hopkins are hackers, but not in the way you might expect.

They are what is known as white hat hackers (or ethical hackers) — a type of hacker that is increasingly being hired by Australian companies as more and more organisations experience data breaches.

Ethical hackers legally target companies in order to find vulnerabilities in their systems. They then tell their clients how to fix these issues before other less ethical hackers exploit them in illegal or immoral ways, including accessing private customer data.

"We break things before someone else does," says Ms Cruz. "With permission of course."

Fellow hacker Mr Hopkins says ethical hacking is "a rush" and "the best job in the world".

"You're doing it without the risk of police rolling up at your door, and also without the moral burden of doing something terrible," he says.

"So it's the best type of hacking."

Georg Thomas is a cyber security consultant and senior manager of the cyber team at consulting firm Deloitte.

Telecommunications giant Optus has hired Deloitte to run an independent external review of its recent data breach.

Dr Thomas says a white hat hacker is "a cyber security professional that has the same skills and uses the same tools and techniques as a malicious hacker, but the intent is good".

"Hackers look like everyday people. You could walk past one in the street, and you wouldn't know," he says.

The different types of hackers

There are three main types of hackers:

Black hat hackers — who usually act in a malicious or illegal way, in order to achieve some personal or financial gain, or just to cause chaos

Grey hat hackers — who also try to illegally find holes in security systems, but might use information they find to alert the offending organisation (and request money in return), publish details of vulnerabilities online, or sell them to a government or to law enforcement

White hat hackers — who use similar tools to find holes in security systems, but are paid to do so by organisations which want to discover possible vulnerabilities. They are also known as ethical hackers

Dr Thomas says most ethical hackers work for consulting firms, who are then "engaged by basically every other organisation" to attack their systems.

Ms Cruz — who studied software engineering but found she preferred "breaking things" — says white hat hackers "come in all shapes and sizes".

"I don't go to work wearing a hoodie every day, and I don't work in the dark," she says.

Ms Cruz and her colleague Mr Hopkins — who has an IT and management consulting background — work in the offensive security team at consulting firm PricewaterhouseCoopers (PwC).

"We're trying to use technology in a way that it wasn't intended," Mr Hopkins says.

"Something that people wouldn't necessarily think about or understand is that hacking can be done legally."

Ethical hacks are on the rise, amid more high-profile data breaches

Dr Thomas says Australian companies are increasingly turning to white hat hackers in order to improve their cyber security systems.

It comes as more and more organisations are being hit by cyber attacks — the largest of which have led to the personal details of millions of customers being exposed.

Here are just some of the organisations and companies which have experienced data breaches recently:

Dr Thomas says organisations which may have normally paid for ethical hackers to test their systems once a year are now doing so more often, given "the evolving threat landscape".

"When you think about organisations getting hacked, often it's not just one attack — it's multiple attacks and one just happened to get lucky," he says. "That's why frequent testing is required."

PwC Australia's Cybersecurity and Digital Trust Leader, Robert Di Pietro, says the firm he works for is also seeing an increase in demand.

"And it's a really specialised skill set," he says. "This has to be done in a safe and controlled manner."

How do you carry out an 'ethical' hack?

Dr Thomas says white hat hackers use similar strategies to black hat hackers, including things such as phishing campaigns — which try to trick people into opening links in emails and sharing their credentials — or even following people into buildings, if necessary.

They also create their own hacking tools, and may even examine social media profiles in order to build up an image of an organisation, its structure and its possible vulnerabilities.

"Those same attack vectors are what ethical hackers are going to try, because that's what the bad guys are doing. So it makes sense to try and do the same things," Dr Thomas says.

Ethical hackers can work with clients from a variety of industries, and can be found trying to hack into everything from internal systems to websites, mobile applications, cloud services, critical infrastructure and even ATMs.

Ms Cruz says she is currently working with a financial institution, "testing a few of their internal and external-facing applications".

"You get to test things that people use every day," she says.

The public 'would be surprised' at what ethical hackers find

White hat hackers who spoke to the ABC said the public would be surprised by the vulnerabilities they find within popular websites and platforms.

"Sometimes all you are given is a website, and nothing else. And they just say, 'Here you go. We want you to test this,'" says Ms Cruz.

"Sometimes you do that and you go, 'Okay cool, I got access to your customers' data.'

"Or it could be, 'Hey, this single website gave me access to your entire corporate environment.'"

PwC's Mr Di Pietro says the company isn't surprised when it finds vulnerabilities in popular websites and platforms, because hackers are "always going to find something".

"There's no such thing as a perfectly secure system," he says. "But I do think the public would probably be surprised at the amount of stuff that we find."

Hacking Google 'from the inside'

Last month, Google launched a YouTube series about its own internal cyber security teams, titled Hacking Google.

One episode covers the company's Red Team, whose job it is to "hack Google from the inside".

The episode details how the Red Team used hacking (and some social engineering) to get their hands on the blueprints for Google's first wearable product, Google Glass, while it was still in development.

The company said the team compromised 17 internal accounts and stole 258 gigabytes of data during their campaign.

What's stopping ethical hackers from going rogue?

Dr Thomas says ethical hackers abide by a standard of ethics and morals, but are also vetted before being hired.

Background checks are carried out and documents such as non-disclosure and confidentiality agreements may be signed.

"In addition to that there are things like the Rules of Engagement," he says.

"It's a document that expressly outlines what the limits are for the hacker. What that helps to do is provide strict boundaries about what the ethical hacker is allowed to do, and what systems they're allowed to target."

Ethical hacker Mr Hopkins says white hat hacking can be "very dangerous if it's done in the wrong way", because additional problems can be created if things aren't done correctly.

"The access that we have and the things that we find could obviously be very beneficial to black hat hackers should they get their hands on it, either through targeting us or through us not operating as safely as we could," he says.

Cyber security faces a skills shortage

Dr Thomas says that like many industries across the economy, cyber security is facing a skills shortage.

The Australian government has previously helped to run hacking competitions, in order to encourage students to take up cyber security as a career.

Mr Di Pietro from PwC says people from a more diverse range of backgrounds are "contributing a diverse range of perspectives" to cyber security than in previous decades, but a skills shortage remains.

"I think if we cast the net broader than what we have done over the years, we'll go a long way to closing that gap," he says.

Ethical hacker Mr Hopkins says that even though hacking "is quite challenging", it is a skill set "that anybody else can pick up".

"As long as you're curious enough and creative enough — and above all persistent enough — anyone can do it."
