There’s a widely held belief that the presence of hackers in and around your systems is always a terrible thing. Widely held, but wrong. The presence of cybercriminals is bad, and while cybercrime does often involve hacking, that’s far from the whole story. Not all hackers are cybercriminals, and hacking itself can save your business money. Lots of money. What’s more, some of the most successful and legitimate hackers are self-taught.
So, how can you teach yourself to hack and become part of a $27 billion risk-reduction business?
Hacking is not a crime, but it can be a gratifying job
I’m a great fan of the Hacking is NOT a Crime movement, an awareness campaign on this subject. Conflating all hackers with crime is a confusion that your business doesn’t need and could damage your organization’s bottom line. Without hackers, the world would be a very much less secure place.
Take the hackers who participate in the crowdsourced bug bounty and vulnerability disclosure platform Bugcrowd, for example. These hackers track down security holes in products and services and are rewarded with financial bounties for doing so, with the payout depending on the criticality of the vulnerability revealed.
According to the new Bugcrowd annual report, Inside The Mind Of A Hacker, these hackers are mostly self-taught and have saved organizations a staggering $27 billion between May 2020 and August 2021.
That $27 billion is one of the headline takeaways of the Bugcrowd report, putting a financial figure on the cybercrime that has been prevented by hackers working on the platform across 16 months. I did, of course, ask Bugcrowd how the $27 billion risk-reduction total was arrived at.
“We calculated the number of valid priority one (P1) findings made on the platform multiplied by the average cost of a breach, according to IBM in 2021,” a Bugcrowd spokesperson says. This comes after analyzing millions of proprietary data points collected about vulnerabilities from a total of 2,961 programs. The annual report also analyzes survey responses and security research on the Bugcrowd platform and provides an intimate look at what makes a hacker.
Inside the mind of a hacker
This 34-page report is both accessible and informative, so I’d recommend it as an essential read to anyone contemplating a career as a hacker. Some of the key takeaways include that a majority of hackers on the Bugcrowd platform (54%) are Generation Z, 34% are Millennials, and just 2% are over the age of 45. In addition, most hackers on the platform live in India, 79% speak at least two languages, and 21% identify as being neurodivergent. Sadly, 96% are male, with only 3% female and those identifying as non-binary, gender fluid or pan-gender making up the remaining 1%. This has undoubtedly got to change, something that Bugcrowd recognizes. “The glaring gender gap is not simply an issue to address down the line,” the report states, “it poses a real, immediate threat to the diversity and multiplicity of perspectives that make crowdsourced cybersecurity such a powerful force today.”
Teach yourself to hack
One of the most positive statistics that caught my eye was that 79% of the hackers taught themselves to hack. Although there are plenty of courses available for those looking to take a traditional route to becoming an information security professional, and plenty of certifications for those who want them, hacking can be a much more self-contained learning experience.
There are many variables when it comes to teaching yourself to hack; however, I asked hackers out there doing it already, along with infosec professionals, for advice on recommended educational resources to get would-be hackers started on their career journey. Do bear in mind this is far from a complete list, but hopefully, it will give you some food for thought if you are contemplating becoming a bug bounty hacker.
- Bugcrowd University offers a good starting point for web hacking, with a solid collection of learning links.
- Try Hack Me gamifies learning to hack through the use of real-world scenarios.
- Hack The Box Academy is browser-based, interactive and for every skill level.
- PortSwigger’s Web Security Academy is free and comes from the creators of the penetration testing tool Burp Suite.
- Pentester Lab has exercises ranging from basic bug-finding to tracking down advanced vulnerabilities.
Also, please don’t underestimate the power of Google and YouTube, both for finding answers to your questions and for getting hands-on hacking help. Security conference talks that have been posted online, infosecurity Twitter and Google searches are your friends here; well-explained proof of concept (PoC) exploits can also help you get your head around the practicalities once you’ve advanced far enough on your learning journey.
One thing to bear in mind: please don’t try to hack live targets other than those provided within an accredited educational resource, or you could soon discover that you’ve already crossed the line between being a hacker and being a criminal.