Aug 12, 2013

    Wanted: Ethical hackers

    WITH cyberattacks becoming increasingly sophisticated, more ethical hackers are needed in Singapore to combat cybercrooks, including hackers with malicious intent, information-technology (IT) security experts told My Paper.

    This comes after a security breach at New York-based exchange operator Nasdaq OMX Group last month. The hackers had gained access to the passwords of people using its online community forum.

    The incident happened even as a report was released that said half of the securities exchanges globally were targets of cyberattacks last year, Reuters said.

    A spokesman for the Association of Information Security Professionals (AISP) said information systems cannot be "hack-proof" as, given time, they can be compromised by "exploiting vulnerabilities in technology, gaps in procedures" or tricking users into doing something which causes their systems to be vulnerable, such as unknowingly installing malicious software.

    So, "regular assessment of information security and risk exposure should be carried out by qualified third-party or independent assessors, to make sure an organisation is not vulnerable to known attacks", he said.

    One way to fight cybercrooks, like malicious hackers, is with ethical hackers.

    Mr David Siah, country manager of Trend Micro Singapore, said: "There is definitely a need to train more (ethical) hackers, both in terms of quantity and quality."

    He noted that there is a thriving cybercriminal underground that attracts far more people due to the money that can be made.

    Mr Eric Chan, regional technical director for South-east Asia and Hong Kong at Fortinet, said the skills of ethical hackers are helpful.

    These skills include "performing system-penetration tests and vulnerability assessments which are important to identify weaknesses in IT systems", he added.

    "These are weaknesses and vulnerabilities that (malicious) hackers are exploiting," he said.

    One potential stumbling block is a lack of cybersecurity professionals here and globally.

    To address this shortage and more sophisticated cyberattacks, the Government announced a five-year National Cyber Security Masterplan last month to boost the number of cybersecurity experts here and bolster defences against cyber threats.

    Another issue, Mr Siah said, is that ethical hackers need to continually upgrade their skills, as cybercrooks are becoming more targeted and persistent and are always finding ways and techniques to breach networks.

    But how to safeguard against the good hackers turning to the dark side? Mr Chan said that besides the skills that cybersecurity professionals should pick up, it is also important to impart ethics.

    The AISP spokesman said organisations need to practise a policy under which individuals are provided only with system privileges and information necessary for them to fulfil their work.

    He said: "There should be a separation of duties to ensure that no individual holds complete control over the entire organisation's information system. And organisations should have adequate compliance policies in place, with regular audits conducted to uncover non-compliance."