From covert to overt: The life of an ‘ethical’ hacker
When Matthew Bottaro joined Westpac almost 18 years ago as one of the bank’s first “ethical hackers”, he never predicted he’d be leading a team of around 40 internal and contracted hackers working around the clock to keep cyber criminals at bay.
“Back then, we were doing probably a handful of ethical hacks in a year,” says the penetration testing expert and Westpac senior information security manager.
“Now we’re doing literally hundreds per year, hacking every single day, day in and day out, with new technology and hacking techniques emerging constantly, and a lot of work coming down the pipeline.
“The routine then compared to now – it’s like night and day.”
Westpac is by no means alone in expanding its team of ethical hackers – sometimes known as “white hat hackers” – whose job is to find vulnerabilities and “attack pathways” in the bank’s digital applications and infrastructure before they can be exploited by criminal hackers.
In fact, a quick job search shows it’s a role in hot demand by most large companies around the world, it’s a skill starting to be taught in schools and it’s even possible to be qualified as an “Offensive Security Certified Professional” – trends that are not surprising given malicious cyber incidents are constantly making headlines.
In Australia, a cybercrime report was made every 10 minutes on average to the Australian Cyber Security Centre during the year to June 2020, according to its Annual Cyber Threat Report. At a global level, research firm Juniper estimates more than 33 billion records will be stolen by cybercriminals in 2023, compared with 12bn in 2018.
To date, the security controls of major Australian banks, insurers and superannuation funds have staved off any material cyber breaches, but swelling numbers of high-profile incidents show the threat is not going away.
Just last month, the Reserve Bank of New Zealand revealed a malicious illegal breach of one of its third-party systems, not long before a similar incident occurred at the Australian Securities and Investments Commission. Meanwhile, Rio Tinto and an Australian state government department were among 1800 organisations dealing with malicious code emanating from an attack on a small US-based tech firm, SolarWinds, and last year cyber criminals knocked New Zealand’s stock exchange offline for a few days, logistics company Toll Group was forced to temporarily shut services down after an attack, and media monitoring agency iSentia’s services were also interrupted.
“Our job is to secure the bank and make it harder for a hacker to do what they do,” says Bottaro, hired in 2003 by Westpac’s chief information security officer Richard Johnson when he was head of technical security services.
“It's about identifying where we need to focus our resources to remediate or improve detection or alerting capability if somebody was to have a go at Westpac.”
“Ethical hacking” – a term said to have been coined by IBM Vice President John Patrick in 1995 – is no longer just an operational imperative.
It’s a regulatory requirement.
In November, in a speech marking the release of the Australian Prudential Regulation Authority’s five-year cyber security strategy, APRA executive board member Geoff Summerhayes warned enforcement would be taken against banks, insurers and super funds that fail to meet its prudential standard on cyber security, known as CPS 234, which took effect in 2019. Among its requirements is to test the effectiveness of information security controls through a systematic testing program – essentially the role played by Bottaro’s team of technical experts, who actively seek out potential system weaknesses before they can be exploited.
Mr Summerhayes said APRA was “acutely aware” attempted cyber-attacks were being warded off by financial institutions on a daily basis but cautioned that “it’s only a matter of time”. In fact, a recent report by the Bank for International Settlements found that since the COVID-19 pandemic began, the financial sector globally had been targeted by hackers relatively more often than other sectors, as criminals attempted to capitalise on the mass movement of employees to working from home, where laptops may be easier to compromise.
“With the accelerating transition to a digital economy opening up new connections for criminals and bad actors to exploit, and ever-increasing reliance on the virtual world, we can expect no let-up in this fight," Mr Summerhayes said.
While Bottaro acknowledges Westpac had detected a greater number of “phishing” and malicious emails – where criminals masquerade as trusted entities and dupe victims into providing sensitive data like passwords or banking details – he says his team of ethical hackers have upped regular efforts to test controls and alert employees of the dangers through regular internal “spear phishing” simulations. “We will even use online information, such as social media, to make those emails look more real,” he says.
Education like this plays a huge role in the fight against cyber criminals, says Bottaro, adding that milestones like tomorrow’s Safer Internet Day provide good opportunities to highlight the importance for employees, customers, friends and family of protecting their digital lives from criminals. He confesses a few (virtual) high fives fly around when a team member unearths a vulnerability that took a lot of thinking, effort and understanding of new hacking techniques, before the team moves swiftly to remediate the issue and use it as a teaching opportunity.
“People can be very generous in the amount of information they provide publicly on the internet, which can be used by malicious people,” says Bottaro, who recommends the Safer Internet Day online resources provided by the eSafety Commissioner particularly around protecting personal information and social media profiles.
“You've got to balance having your online profile out there, say for career purposes or staying in touch with friends, but make sure people aren't going to abuse that. Fortunately, many social media platforms allow you to protect your privacy through features like privacy settings and location services.”
When asked whether he thinks there may be a point when there are more ethical hackers than criminals, Bottaro gives a considered reply.
“Criminal organisations might still outweigh us in terms of numbers, but luckily some of the best information security experts have dedicated their careers to keeping information safe.”