
Thinking like a hacker keeps organisations safe

The mass shift to digital, accelerated by the pandemic, has exposed networks and data to new cyber security risks. Ethical hacking is a vital resource in the first line of defence.

By Reuters Plus


Ethical hacking – legally breaking into computers and networks to test cyber defences – has proven to be a key tool for anticipating cyber vulnerabilities at a time when IT infrastructure and security have been so drastically repurposed.


Cybersecurity was already a pressing priority for organisations, but the recent upsurge in reliance on digitisation, especially through the pandemic period, has further expanded the potential threat surface.


“Cyber risks have been very different during the pandemic. We have seen IT equipment used and stored in uncontained spaces, and many companies have had to make rushed transitions to the cloud to facilitate remote working, with little time to consider the security risks,” says Stuart Criddle, Ethical Hacking Lead for PwC UK and an executive member of ethical hacking industry body CREST.


So, how does it work?

“Ethical hackers are looking at ways to take down a system, rather than build it up,” explains Criddle. “If you write a document, you never see your own errors. You need someone to check your work, and that is what ethical hackers are doing.”


A report by Cybersecurity Ventures and Intrusion estimates that cybercrime damages totalled USD 6 trillion globally in 2021 – double the USD 3 billion recorded five years earlier in 2015. In the month after the first 2020 lockdown, the FBI’s Internet Crime Complaint Center reported a 400 per cent increase in average daily cybersecurity complaints in the US.


Simon Brown, Head of Cybersecurity Strategy and Capability at Westpac, says that as people have spent more time online for work, entertainment and shopping, cyber criminals have moved in quickly to take advantage.


“Cyber criminals are always alive to any potential opportunity, and the pandemic has been a unique opportunity for criminals to try to exploit new vectors of vulnerability,” Brown says.


Beating the criminals to the punch

Ethical hacking and penetration testing – the practice of focusing on a defined area of a system and looking for weaknesses – are helping organisations to uncover vulnerabilities before malicious actors do.


In April last year a bounty program run by Apple – where the organisation offers a fee for any weaknesses hackers can find – reportedly led to the discovery of vulnerabilities in the web browser Safari that could be used to hijack iPhone cameras.


HackerOne, a penetration testing and bug bounty platform run by ethical hackers, reports that the number of vulnerabilities rose by 63 per cent in 2020 compared with the previous 12 months. Threats discovered included a 53 per cent rise in submissions for improper access control and privilege escalation.


Unpatched legacy software has also exposed companies to risk, as have cloud services, with HackerOne recording a 310 per cent increase in reports of misconfiguration vulnerabilities, that is, failures to implement all the security controls for a server or web application. These often occur when security controls are not updated from default settings as new software and web assets are brought online.1


Alice Collins, Bug Bounty Specialist at HackerOne, says it has become essential for organisations to think like hackers to overcome current digital challenges. “Hackers bring a diverse and creative mindset, augmenting the in-house security team and helping to reinforce and complement current security testing methodologies,” she explains.


Different approaches

Running an effective ethical hacking exercise or penetration test, however, is a complex undertaking. Organisations take differing approaches to ethical hacking strategies, depending on their size, budget and objectives.


Brown says that as a large organisation in a regulated sector, Westpac has invested in an internal penetration testing team, giving the bank dedicated in-house resources to run multiple exercises throughout the year.


“We have built up a specialised internal team with a sophisticated skill set. It has given us control over how exercises are designed and allowed us to be nimble. That resource means we can do a lot of penetration testing across a range of scenarios, in a secure environment,” Brown says.


Smaller organisations, without the internal resources to staff a full-time team, turn to third-party consultancies for support. Typically, consultancies offer services from attacking (“red”) teams that are engaged to attack cyber security systems and find ways past defending (“blue”) teams.


“We work with clients across a range of scenarios,” Criddle says. “We offer a continuum of services from review of a client’s cyber security systems, through to the configuration of red testing teams to conduct penetration tests.”


Bounty programs have also proven effective. Platforms, including HackerOne, facilitate private programs, where participation is limited to a select group of hackers, as well as “capture the flag” competitions, where ethical hackers compete against each other in penetration testing exercises.


“A bug bounty provides continuous security testing by the hacker community. Hackers are smart, driven and creative people who often think outside the box and can help elevate any cyber security strategy which is already in place,” Collins says.


Rules of engagement

For any model, background checks on ethical hackers are essential. But as the ethical hacking industry has matured, vetting has become easier, and organisations have more data points to consider when assessing the ethical hackers they may hire or contract with.


Although most hackers are understood to be self-taught, industry bodies such as CREST now provide certification schemes, and educational institutions have also noted the need for codified training in the ethical hacking space. The University of South Wales in the UK, for example, has created Tigerscheme, a commercial certification scheme for penetration testing, backed by university standards.2


All ethical hacking deployments also have to have the necessary legal framework in place to work effectively. “Contractual relationships and legalities are complex,” Criddle says.


Experts note3 that penetration tests do involve going into difficult areas: in order to replicate effectively what malicious hackers will do, personal data may have to be accessed and used to expose potential vulnerabilities. Organisations have to be clear on this, and also have a framework in place for ethical hackers to report into without risking censure.


HackerOne, for instance, has found that 50 per cent of ethical hackers have not reported a bug because of a lack of clear reporting channels, or prior negative experiences.4 This represents a missed opportunity for companies that would otherwise have been made aware of their exposures.


Team dynamics

Legal and security considerations aside, the configuration of penetration testing teams has also evolved with the industry. For example, ethical hacking has moved on from “red” attacking teams and “blue” defending teams to more cohesive “purple” teams.


Setting up teams in this way enables better sharing of information, says Matt Bottaro, Information Security Senior Manager for Penetration Testing and Red Teaming at Westpac.


“It is important to remember that a penetration test isn’t successful when a problem is found, but when it is solved. It doesn’t help if a red team makes a breach, throws across a report and then celebrates,” Bottaro says.


“You deliver much better outcomes in a purple team environment, where the red teams can share how they broke in, and the blue teams can discuss how best to block weak points.”


Criddle adds that penetration testing is as much about uncovering vulnerabilities as speeding up detection, which is best achieved when red and blue teams work together.


“Friendly engagement in a purple team setting makes organisations much more sensitive to what the tell-tale signs of an attempted hack are. If red teams can share behaviours, blue teams can put better detection systems in place,” Criddle says.


Global ticketing agency Ticketmaster, for example, suffered a breach exposing the details of 40,000 customers, but the theft of the data only came to light months later when banks detected unusual behaviour patterns as part of their fraud checks. In another case, bank card details stolen in a hack on airline British Airways were found for sale on the dark web weeks after the initial breach.


“Reducing the time from attack to identifying the problem makes a material difference to the harm cyber criminals can do,” Criddle explains.


1 https://www.hackerone.com/resources/latest-news-insights/the-2021-hacker-report, page 1


2 https://www.tigerscheme.org


3 https://www.redscan.com/media/Redscan_Industry_Report_Ethical_Hacking_in_2020.pdf, page 7


4 https://www.hackerone.com/resources/latest-news-insights/the-2021-hacker-report, page 1

Disclaimer

©2025 Westpac Banking Corporation ABN 33 007 457 141 (including where acting under any of its Westpac, St George, Bank of Melbourne or BankSA brands, collectively, “Westpac”).  References to the “Westpac Group” are to Westpac and its subsidiaries and includes the directors, employees and representatives of Westpac and its subsidiaries.