A man at his computer in a dark attic room. Possibly wearing a hoodie. This is the image that comes to mind when many people hear the word “hacker.” This is not surprising; cyber-attacks are often carried out with malicious intent, for example, to steal data. But there is another side to the story. In this column, expert Patrick Jordens zooms in on ethical hacking, in which a hacker with good intentions looks for vulnerabilities in software and programs. Jordens is the director of Trusted Third Party (TT3P): a Dutch company specializing in cybersecurity. TT3P helps companies better defend themselves against, among other things, hackers taking company systems hostage or unlawfully obtaining data.
Patrick Jordens
Patrick Jordens (1969) is an entrepreneur with a heart for digital security. He is director of Trusted Third Party and founder of DMCC Group, which helps organizations comply with all external laws, regulations and internal policies in the field of privacy and consumer law. He is also a guest lecturer in marketing, data privacy and ethics at the Hogeschool van Rotterdam.
What exactly is an ethical hacker?
“You have different types of hackers. We call the malicious hackers black hat hackers. They aim, for example, to steal data or hold systems hostage and they demand ransom. Benevolent or “ethical” hackers are called white hat hackers. These terms come from the Wild West. If you watch old westerns, you will see that the bad guys wear black hats, and the good guys wear white hats.
Ethical hackers are active on the Internet, looking for vulnerabilities within organizations. They perform actions to identify and fix vulnerabilities in systems. These can be anything from network security weaknesses to data breaches.”
How do ethical hackers go about their work?
“There are several ways to do that. First, you have the idealistic hackers. They operate independently. They are often people who strive to make the Internet more secure. For example, they try to get into the Tax Office’s system and, should they succeed, they report what they have found before making the leak public.
Then: the commercial variety. Ethical hackers can also work on behalf of a company or agency. Note: it is important that an ethical hacker is always someone from outside the organization. I often hear from companies that they commission their own IT vendors to perform a scan. In fact, that is the same as a butcher inspecting his own meat. In fact, often the person performing the scan is the same person responsible for the software. You can’t assume that he or she will file a report.”
Is ethical hacking actually legal?
“Basically, hacking is illegal. It is equivalent to breaking and entering. Therefore, a white hat hacker has to ‘reassure’ you in a certain way. He must be sure that he will not be reported. Companies do this through responsible disclosure. Organizations then indicate on their website that they are open to receiving reports about security problems. If such information is not on the website, chances are the hacker will not report the vulnerability. The risk of them getting into trouble is then too great.”
You also employ ethical hackers. What do they notice about companies where they discover vulnerabilities?
“Software updates are being done poorly and organizations are still working with simple passwords like welcome123. These kinds of passwords are not only easy for people to guess. There are also tools that hackers use to crack such passwords quickly.
This is why multifactor authentication is so important, for both companies and individuals. If a hacker tries to get into your system, you get notified about it yourself. Or, what also works well: password phrases. You don’t forget those easily and they are also strong because of their length.”
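A small password-policy check, added here as an illustration and not part of the column, that puts numbers on the two points above: a dictionary word with trailing digits such as welcome123 is rejected on pattern and list grounds, while a multi-word passphrase clears the bar through its length. The weak-password list, the attacker guess rate, the word-list size and the 60-bit floor are all constructed assumptions.

```python
import math
import re
import string

# Constructed stand-in for a breached/common-password list (assumption; a real
# check would use a published breach corpus).
COMMON_WEAK = {"welcome123", "welkom123", "password", "123456", "qwerty"}
GUESSES_PER_SECOND = 1e10   # assumed offline guess rate against a fast hash
WORDLIST_SIZE = 7776        # assumed size of the attacker's word list
MIN_BITS = 60               # assumed policy floor

def charset_size(pw: str) -> int:
    """Alphabet a blind brute-force search must cover for this password."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c == " " or c in string.punctuation, 33)]
    return sum(n for test, n in classes if any(test(c) for c in pw))

def brute_force_bits(pw: str) -> float:
    """log2 of the character-level search space: grows linearly with length."""
    return len(pw) * math.log2(charset_size(pw) or 1)

def passphrase_bits(pw: str) -> float:
    """Tighter bound if the attacker knows it is a space-separated word phrase."""
    words = re.findall(r"[A-Za-z]+", pw)
    return len(words) * math.log2(WORDLIST_SIZE)

def effective_bits(pw: str) -> float:
    """Use the smaller of the two estimates for multi-word input."""
    bits = brute_force_bits(pw)
    if len(pw.split()) >= 2:
        bits = min(bits, passphrase_bits(pw))
    return bits

def assess(pw: str) -> dict:
    """Policy verdict plus the reasons, suitable for reporting back to a user."""
    reasons = []
    if pw.lower() in COMMON_WEAK:
        reasons.append("on common-password list")
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", pw):
        reasons.append("dictionary word plus trailing digits")
    bits = effective_bits(pw)
    if bits < MIN_BITS:
        reasons.append(f"estimated {bits:.1f} bits below policy floor of {MIN_BITS}")
    days = 2 ** bits / GUESSES_PER_SECOND / 86400   # time to exhaust the space
    return {"bits": round(bits, 1), "days_to_exhaust": days,
            "verdict": "weak" if reasons else "acceptable", "reasons": reasons}

if __name__ == "__main__":
    for pw in ("welcome123", "purple tractor sings at dawn"):
        print(pw, assess(pw))
```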