SolisImages - stock.adobe.com
Out of the shadows: The rise of ethical hackers in 2021
Ethical hackers working on the Bugcrowd platform have saved organisations almost $30bn in risk during the Covid-19 pandemic, as the community sheds old stereotypes
The ethical hacking community is throwing off old stereotypes of hoodie-wearing basement dwellers to meet its true potential, and is now emerging as a highly professional, committed, self-aware and diverse trade that offers great opportunities for people keen to establish a cyber career.
This is according to the latest Inside the mind of a hacker report produced by crowdsourced cyber platform Bugcrowd, which reports on how ethical hackers have saved organisations around the world an estimated $27bn in cyber security costs such as incident investigation, remediation, recovery and even ransom during the course of the pandemic.
The firm’s deep dive into the activity and attitudes of the thousands of ethical hackers who work through Bugcrowd is intended to offer CISOs and security teams a valuable insight into how ethical hackers work, and the economics of security research.
“Hacking has long been maligned by stereotypical depictions of criminals in hoods, when in fact ethical hackers are highly trusted and industrious experts who empower organisations to release secure products to market faster,” said Ashish Gupta, CEO and president of Bugcrowd.
“With this report, we are proud to shine a light on the top ethical hackers that CrowdMatch – Bugcrowd’s proprietary recommendation engine – automatically curates for customer programmes based on skills, environment and use cases.”
The latest study covers the period from 1 May 2020 to 31 August 2021 and, among other things, contains some startling new insight into the threat landscape. Since the start of the pandemic, 79% of hackers who took part said vulnerabilities had increased, 80% saying they had found a vulnerability they had not encountered before, and 71% said they were earning much more now that most companies are working remotely.
More widely, the report paints a picture of a community that is very well aware of its value to its organisations, with 91% of respondents saying that traditional “point-in-time” penetration testing cannot adequately secure organisations all the time, and 96% saying they are helping end-user organisations to fill the cyber skills gap.
Pathways to a cyber career
The hacking game is also no longer seen as a side hustle, with 42% of Bugcrowd users saying they hack full-time and 26% part-time. Others are increasingly using hacking as a stepping-stone to a cyber security career.
Among them is 24-year-old, US-based Chris Inzinga, aka cinzinga_, who transitioned into security research after struggling to find the right academic programme for his interests and goals
“A number of years back, I was going through a very uncertain and difficult period in my life,” he said. “Rather than succumb to indecision and inaction, I decided to focus all my attention on learning cyber security as a practical tradecraft.
“As a beginner, I found the Bugcrowd team to be incredibly supportive. They helped me understand why some of my earlier submissions were low-impact, and how I could improve in the future. I found this personalised feedback to be unparalleled among all the other platforms, and it truly helped me in the early days of my cyber security journey.”
Meanwhile, 27-year-old Ankit Singh, aka AnkitCuriosity, who comes from India, is a self-taught hacker who tried to work independently but struggled to get very far, before encountering Bugcrowd.
“I remember in my early days of ethical hacking, when I wasn’t aware of Bugcrowd, I had found some bugs in a few organisations’ production websites,” he said. “I tried really hard to find their contact information and even called them about the issue – but they just hung up the phone before I could even explain. Maybe they didn’t care, or maybe they had no idea what I was talking about.
“If someone told me about platforms like Bugcrowd – and ethical hacking education opportunities – earlier, it would have changed everything.”
Singh added: “I am helping to change the world’s perception of hackers. I want people to look at security research as a creative art form, rather than merely a subject or skill.”
Farah Hawa, who, like Singh, is largely self-taught, and is India-based, has used her learnings to become a hacking influencer with her own growing YouTube channel. “I have niched my channel down in a way that my videos only focus on breaking down complex technical vulnerabilities into more digestible bits,” she said. “I think my audience definitely appreciates that in my content because I try to explain everything in the simplest way possible and, believe it or not, this is a pain point for a huge chunk of the infosec community, especially beginners.
“I would recommend beginners start hunting on smaller programmes because they have less competition and will be more likely to learn, grow their skills, and also build their motivation.”
UK-based Katie Paxton-Fear, aka InsiderPhD, who besides being an ethical hacker is also a cyber lecturer and educator, said the critical skills that hackers need besides technical prowess include communication, attention to detail and curiosity. She said that although anyone can pick up a book or watch a YouTube video, it is more challenging to develop such soft skills.
“Most people can think of 10 uses for a paperclip, but people who are really good at what’s called lateral thinking don’t just stop at thinking of a paperclip as a small, metal thing,” she said. “They think, what if the paperclip was huge? What if the paperclip was made of glass? What if the paperclip was on your computer as an animated character telling you how to solve problems?
“We want people to be able to think outside the box, and that is the real value that things like crowdsourced security offers – a bunch of people that think in very different ways all hacking on one piece of software, because you’ll get so many answers to a question like, ‘How many uses can you think of for a paperclip?’”
Young and diverse
The report also paints a picture of a community that skews young and diverse, with 52% of Bugcrowd’s hackers aged 18 to 24, 35% 25-34, and just 2% over 45. The high number of Generation Z, or Zoomer, hackers born post-1996 reflects some of the generalised trends that are now said to characterise people aged 25 and under – ethnically diverse, digitally native, and establishing their careers at a time of intense job market insecurity.
While ethical hackers currently lack gender diversity, 96% of those on the Bugcrowd platform are male, 3% female, and 1% agender, genderfluid, non-binary, pangender or of another identity, the community exhibits exceptional diversity in other areas, such as Neurodiversity.
Just over one-fifth of Bugcrowd hackers are neurodivergent, living with conditions such as attention deficit hyperactivity disorder (ADHD), autism, Asperger’s, dyscalculia, dysgraphia, dyslexia, dyspraxia, obsessive-compulsive disorder, sensory processing disorder, synaesthesia, and Tourette syndrome.
It is no secret that some attributes widely seen in neurodivergent individuals, such as memory skills, heightened perception and attention to detail, appear to make careers in ethical hacking – a fast-paced environment that rewards creativity and difference in thinking – ideal for them. Bugcrowd said this was probably reflected in increasing numbers of neurodiverse hackers – up 8% since the last report.
Paxton-Fear is herself on the autistic spectrum. She said: “Someone who is autistic can have hyper-focus moments where they are so invested in something, it is all they can focus on. They can focus for hours on one thing. And that is a real advantage because if you have somebody like that looking at your website, you have got the most dedicated security tester, right? You have got somebody who will go above and beyond, because it is something they really enjoy.”