Overcoming legal and organizational challenges in ethical hacking

In this Help Net Security interview, Balázs Pózner, CEO at Hackrate, discusses the essential technical skills for ethical hackers and how they vary across different security domains. He explains how AI and machine learning enhance ethical hacking by streamlining vulnerability detection and boosting defenses.

Pózner also discusses legal challenges and highlights the role of community testing and user education in improving cybersecurity tools.

What are the most critical technical skills an ethical hacker should possess, and how do these vary depending on the security domain?

Curiosity and perseverance are the most important qualities for an ethical hacker. The tech world evolves rapidly, and continuous learning and improvement are vital. While it’s impossible to master every technology, having developer skills can be a significant advantage. Understanding how applications are built and being able to develop them provides deeper insights into potential vulnerabilities.

A professional ethical hacker must have a broad understanding of various IT systems, networking, and protocols – essentially, a deep “under the hood” knowledge. This foundational expertise allows them to navigate different environments effectively. Additionally, target-specific knowledge is crucial, as the security measures and vulnerabilities can vary significantly based on the technology stack in use.

Specialization can be beneficial, but it also poses a risk. Pentesters need to balance their expertise to avoid becoming too narrowly focused. However, on bug bounty platforms, success can be achieved even without deep technical knowledge. Diverse perspectives often lead to discovering unique vulnerabilities, and many bug bounty hunters focus on specific vulnerabilities, such as IDOR (Insecure Direct Object References).

In my experience, ethical hackers who continuously update their skills and knowledge tend to be more successful. For example, understanding the latest trends in IoT devices can open up new opportunities for identifying vulnerabilities that others might overlook. This adaptability is crucial in our field.

What are some common challenges ethical hackers face, especially when working within organizational constraints or legal boundaries? How do they navigate the complexities of varying laws and regulations?

Ethical hackers must have a thorough understanding of local regulations, as legal boundaries can vary widely. Bug bounty platforms offer a safer environment for ethical hackers by providing clear guidelines and legal protections. However, navigating complex legal landscapes remains a challenge, especially for pentesters.

Ethical hackers often receive requests from customers or sales teams to perform unauthorized hacks, sometimes under the misconception that it is part of the pre-sales process. It’s crucial to reject such requests to maintain ethical standards and legal compliance. Clear communication and strict adherence to ethical guidelines are essential to navigate these challenges effectively.

How can AI and machine learning be integrated into ethical hacking products, and what unique advantages do they provide?

AI and machine learning can significantly enhance ethical hacking efforts. On the offensive side, automated processes supported by AI can efficiently identify vulnerabilities and suggest areas for further manual security testing. This streamlines the initial phases of penetration testing and helps uncover potential issues more effectively. Additionally, AI can assist in generating detailed penetration testing reports, saving time and ensuring accuracy.

On the defensive side, AI and machine learning are invaluable for detecting anomalies and correlating data to identify potential threats. These technologies enable a proactive approach to cybersecurity, enhancing both offensive and defensive strategies. By using AI and machine learning, ethical hackers can improve their effectiveness.

We are working to integrate AI into our HackGATE tool to automate the initial vulnerability scanning process. This not only speeds up the testing phase but also allows our ethical hackers to focus on more complex security issues. For example, AI can help prioritize vulnerabilities based on their potential impact, enabling our team to address the most critical threats first.

What role do you see community testing (e.g., crowdsourced or open-source contributions) playing in developing and QA ethical hacking products?

Open-source contributions play a crucial role in developing ethical hacking products. An interesting perspective was shared by Jason Haddix in his DEF CON speech, where he mentioned that major security vendors, such as web application firewall vendors, collect payloads used by top ethical hackers. While this practice can be seen as a form of intellectual property theft, it also contributes to developing more effective security products.

Crowdsourced security testing brings diverse perspectives and approaches to the testing process, increasing the likelihood of identifying software bugs. This collaborative approach, when combined with traditional testing methods, ensures a more secure product and leads to higher-quality outcomes.

Ethical hacking products require expertise. What role does user education play in your product strategy, and how do you support users in mastering your tools?

User education is a key component of our product strategy. We prioritize creating a user-friendly interface that helps users of all technical expertise levels. Additionally, we provide comprehensive documentation for those who prefer self-guided learning.

We also offer personalized onboarding sessions and one-on-one meetings to provide tailored support. This close interaction is highly valued in the cybersecurity market, where personalized assistance can significantly enhance the customer experience and build trust in our product. Furthermore, we implement industry-standard best practices and maintain multiple support channels to ensure users have the appropriate resources.

When I talk with our customers, I emphasize the importance of ongoing support. For example, during a onboarding sessions with a new client, we walked them through the entire process. This personalized approach not only helped them get up to speed quickly but also built a foundation of trust and long-term partnership.