How to Improve Security? Three Ways You Can Learn to Think Like a Hacker
Hacking is bad. This idea is deeply rooted among a lot of people. And many journalists only seem to make this notion stronger.
But it is, in fact, false. Hacking – in and of itself – is not bad. And people using it are not all criminals. In this respect, hacking is similar to lock picking – the ability itself is not harmful and in the hands of a locksmith or a firefighter saving people from fire in a locked apartment, it’s actually very helpful. Only in the wrong hands can this ability do harm.
Hacking is just a tool; a skill that can be used ethically. And there are hundreds of people in the world doing just that, every day. Thanks to hacking, they can reveal security holes and vulnerabilities in various applications, document them thoroughly and then pass them on to the app’s developers. In short, they help to improve the world of cyber security. Almost every university in the world has its own team of such specialists.
And you can use hacking to make your servers more secure as well. By getting into the role of an attacker, you will start to see your infrastructure and data in a different way. Where are the vulnerabilities, and how can you get behind the usual defence lines? Finding holes in your security in this manner allows you to improve your system in a myriad of ways. Maybe you will even find out about processes you did not know could endanger your data.
But how can you learn to think like a hacker? I will show you three ways that you can use to learn the basic abilities of a hacker, practice them safely and use them to your benefit.
1) Wargames. Practice hacking on real servers
Hacking requires a particular set of abilities. You need to know how programs, CPUs, networks, privileges and other important things work, and a knowledge of a few programming languages will come in handy as well. But that is not much of a problem. All the information is easily accessible on the Internet.
The most common types of attacks and exploits can be studied online as well. Most of them are carefully documented. You can use the well-known OWASP (Open Web Application Security Project) database. It is highly regarded by a lot of security experts worldwide, so you should at least quickly browse through it when you can.
But once you have mastered the theory, where can you practice your newfound hacking skills safely and without breaking the law?
In so-called wargames. They consist of sets of hacker challenges that use real servers belonging to the community. The most well-known are Over The Wire, Hack This Site, Smash The Stack and We Chall. The last one serves as a gateway of sorts, so you will find links to many other wargames on We Chall. There are many to choose from.
Wargames let you practice hacking using real tools and processes that real-world hackers could use. Because the servers are intended to be hacked, you can practice your hacker-like thinking in a safe and legal environment.
The task in wargames is usually to get an access password for the next level or some other sensitive (and protected) information that is saved on the server.
The ‘levels’ or challenges are arranged in sets of increasing difficulty. So while the first ones only require you to be able to access a server through SSH and open a text file, the later challenges need you to actively look for possible security holes or even errors in code and to overcome basic security features as well.
Wargames are an excellent gateway to the world of internet security even for those who don’t yet have a lot of experience in the field – it is possible to finish the easier challenges without any knowledge of programming languages.
2) Is freedom what you are looking for? These web apps don’t do handholding
If the level-based structure of wargames puts you off, you will be glad to hear that there are more free-form hacking training tools available. There are several ways to learn hacking without any handholding. This is important, as it teaches you the reality of looking for errors without any outside help.
This approach can be practiced with, for example, Damn Vulnerable Web Application (DVWA). All you need to do is download an archive containing the web app and after a quick setup you can go ahead and look for security holes.
A similar service is even provided by Google. Feel free to try and hack its aptly named application Gruyere – it is indeed full of holes, just like the famous cheese.
Vulnerable applications most commonly used by attackers
Hackers usually take computers over through vulnerabilities in people’s browsers.
3) The best motivation is the desire to win. A lot of money
All the difficult challenges in wargames are child’s play now? Hacking comes naturally to you? Congratulations, you have just reached the finish line – you can now think like a hacker.
Now, what to do with the new-found knowledge?
First, you should try to use it for yourself or your company. You can secure your infrastructure or data much better when you know what attacks hackers could actually use to target them. Try to launch an attack on your own server; you’ll soon find out whether there are any gaps in your security.
The other and often more lucrative way to use your new hacking skills is to join a hacking contest. These competitions are held all over the world and pit hackers against various challenges that are fiendishly difficult.
Two of the regularly held contests are Facebook Hacker Cup and Pwn2Own. Apart from a good feeling, some recognition and bragging rights, you can even get a significant amount of money out of them.
This year’s Pwn2Own paid out 225,000 USD in prize money to South Korean hacker Jung Hoon Lee and 332,000 USD to other successful hackers, because they were able to expose faults that could potentially affect millions of computer users worldwide.
These huge amounts of money come from companies that choose to back contests such as this one. Even though it’s quite expensive, it pays off. If the gaps in security were found and abused by real-world criminal hackers, the companies’ losses in money and customers’ trust would be much worse.
That’s why a lot of companies all over the world, no matter their size, pay out so-called bug bounties. They are simply cash bounties paid out for finding bugs and breaking into secure systems. Even technology giants such as Google or Microsoft now use them. Some security experts make a tidy living from hunting down bugs in companies’ code like this. If you think you have what it takes, you can look for suitable bug bounties in a list on the Bugcrowd site.
And what about your hacking stories?
How would you describe your run-ins with hacking? Do you use it to find security gaps? Have you ever honed your skills through wargames? And would you consider joining a hacking contest? Or do you still believe that hacking is bad? Share your experiences and opinions, leave us a comment.