Ethical hacking in Aotearoa: How can it benefit cybersecurity in NZ?
There's a big difference between hacking and ethical hacking.
One is illegal; one's not. One is a common method of breaching cybersecurity defences; one is a tool that is a highly recommended means of bolstering them. And both are ramping up in New Zealand in tandem with an escalation of cyber-attacks.
Both hacking and its ethical variant, in effect, have an identical method: to bypass cybersecurity defences, identify and exploit vulnerabilities, and forcibly break into applications. Their goals, however, are worlds apart — threat actors seek to perform malicious activities, while ethical hackers use their newfound knowledge of security vulnerabilities to strengthen the defence they've penetrated.
Another key difference is the presence of permission. Before releasing an application for general use, a cautious software developer will give penetration testers free rein to perform a simulated cyber-attack and break the app's security barriers — giving developers a better idea of its overall security posture.
But not all software and application developers seek an evaluation from professional penetration testers before launching their software, despite research pointing to penetration testing's role in ‘drastically reducing’ security incidents while also validating the effectiveness of the current security measures employed by organisations.
Should organisations, especially those with substantial cybersecurity requirements, implement ethical hacking as an integral part of their cybersecurity approach? Shofe Miraz, a security consultant from Auckland, says yes — with haste and as early in the process as possible.
“In any situation where software is about to deploy, penetration testing should be early on,” says Miraz. “It should absolutely be included as part of a broader security product release.”
In his experience as a penetration tester, Miraz has learned that the earlier that ethical hacking is introduced in the development of a system or product, the better the security outcome will be.
In general, with big organisations, security can often be an afterthought. In cases like these, there could be a clash of ideologies, because the organisation has a deadline and doesn't want to wait before the product is deployed. But if penetration testing is integrated into the development phase, he says, security won't become a roadblock further down the track.
Miraz now says it's best to regularly perform penetration tests before products are in production. And this is possible because of a strong connection between the security, development and integration teams.
“The development team builds it, the security team tests it, the integration team deploys it,” says Miraz. “We've found that this cycle builds more confidence in the final product.”
This is, by and large, the model employed across the many cybersecurity companies that specialise in penetration testing in New Zealand. Several follow the mantra that penetration testing should always be carried out whenever a new application, ICT system or device is being deployed, or the configuration of an internet-facing service has changed.
So, with these standards common throughout the ethical hacking community in Aotearoa, how do we fare on the world stage?
“It's hard for me to say that we are the best in the world,” Miraz says with a smile, “but I've seen some really good work coming from boutique companies in New Zealand.”
Miraz says there's a particular emphasis on reporting quality in Aotearoa — in the actual data gleaned from breaching the product's defences, as well as how it's presented to the client. If the client doesn't understand the results of the test, there's little chance that any of the discovered issues will be remediated.
It also makes good business sense to invest in quality reporting: “If they understand the issue and remediate it, they will come back for a retest. It's a win-win.”
As for awareness and spotlighting the ethical hacking community in Aotearoa, there's Hack and Learn.
Founded by Dylan Clark, a manager of cyber-threat emulation and defence at IAG, the Auckland-based InfoSec group was born out of Clark's desire to form a community around those who wanted to learn more about ethical hacking. The group's monthly sessions, where participants simulate penetration testing on purpose-built servers, attracted up to 50 patrons before COVID-19 struck.
“I really wanted to have a team of people who could learn together — a hands-on community. That didn't exist, so I set it up,” says Clark.
Hack and Learn sessions focus on web application hacking, where penetrators (also known as the ‘red team’) employ the ‘kill chain methodology’: a laundry list of reconnaissance, weaponisation, delivery, exploitation, installation, and finally, control.
“During the session, we'll give them the time to figure out the application's logic flaws, and then they can weaponise a payload and exploit it. We walk them through it and make sure everyone's up to the same stage.”
Clark co-presents Hack and Learn with Shofe Miraz. The pair created their own purpose-built machines complete with custom web applications — designed to be hacked, but not easily. The applications are strictly in-house and offline: the group does not attempt to breach real-life applications or websites.
Clark and Miraz often reinforce this point at their sessions — the primary goal is learning, not wanton destruction. Of course, building a dedicated community of penetration testers is about more than just teaching people ethical hacking: it's about growing awareness and interest in cybersecurity in general — and ultimately getting more people in the industry.
“That's the main reason I started it: to get people motivated, get them excited, get them learning,” says Clark. “It's a very niche skill set, so it can be difficult to get into cybersecurity in New Zealand.”
And what better way to get people into the industry than exposing them to cybersecurity's most notorious — and, some may say, glamorous — activity?
“Yes, hacking is cool,” says Clark. “But so is the defensive side, too.”