A Twitter poll aimed at the cybersecurity community asked “Black-Hat Hackers vs. White-Hat Hackers – who’s more experienced?”
Brian Krebs, a cybersecurity expert and one of the top bloggers on the topic, chimed in with a good point, saying “Many of the ‘white-hats’ I know are former grey or black hats. As such trying to put people in buckets like this is hard.” But still, people had their say.
Results of the 628 votes:
- 65% of respondents voted Black Hats are more experienced.
- 35% of respondents voted White Hats are more experienced.
While the poll is only a small sampling and hardly scientific, its results are consistent with a number of industry experts cited in a recent cybercrime report that said black-hat hackers are motivated by money, espionage, notoriety, and malicious intent… and they are faster, more daring, and more experienced than white hats who are constrained by boundaries and rules.
“Black-Hats have advanced hacking skills compared to that of most white-hats,” said Atif Ghauri, CTO, USA at Herjavec Group and adjunct professor of cybersecurity at Drexel University.
“Black-hats are ahead of white-hats,” said Adam Segal, director, Digital and Cyberspace Policy Program, Council on Foreign Relations, and author of “The Hacked World Order”. “That is symptomatic of the larger problem in cybersecurity that offense still has the edge over defense. The defender has to worry about millions of lines of code, thousands of devices, thousands of networks. The attacker only has to be right once.”
“Speed is where the black-hats have the advantage,” said Dr. Anita D’Amico, CEO at Code Dx, an application security company, a human factors psychologist, a specialist in cybersecurity situational awareness, and a security researcher, who was previously head of Northrop Grumman’s first Information Warfare team.
D’Amico continued: “Right now about 11 percent of compromises are accomplished within seconds and another 82 percent in under an hour. The attackers work nimbly and without rules. The attackers, by nature, abhor rules and will break them. The defenders, by contrast, often are encumbered by rules of engagement and permissions, and so the defensive response is slow, measured in hours or days. Even white-hat hackers who are paid to penetrate an enterprise by its own organization have to work within boundaries and rules that are not there for the black-hats.”
“(Cyber) Criminals have the advantage because the math works in their favor: they can use the same attack infrastructure to send the same phishing email delivering the same malware that exploits the same vulnerability to thousands of targets; they only need to be successful once,” said Rob Knake, senior fellow for Cyber Policy, Council on Foreign Relations, and previously director of cybersecurity for The White House. “Defenders need to protect massive attack surfaces, being right every time.”
Exactly who are the black hats? A recent CSO story provides a high-level breakdown of the various hacker types.
How to beat hackers at their own game? White Hat Security recommends thinking like a hacker and says “To beat them, you need to join them – at least for a while. Learn to think like a (black-hat) hacker. Engage the services of ‘an ethical hacker’ (white-hat) to see if you can break through your own defenses. It may seem counter-intuitive, but the best way to discover your application (and other) vulnerabilities is to hack yourself first.”
Kevin Mitnick, the world’s most famous hacker, does exactly that. His firm claims a 100 percent successful track record of being able to penetrate the security of any system they are paid to hack into using a combination of technical exploits and social engineering.
The takeaway? Go hack yourself.