‘Everything is Hackable’: How Ethical Hackers Inspect the Security


In the era of increased sensitive data breaches and cyber-attacks, a skillful penetration testing specialist is worth his weight in gold. Not so easy to find one, though. They seldom make a public appearance (Mind their occupational hazard!), study 24/7, and can't live without crashing. An ‘ethical hacker’ switched off from his key hobby for a while. Emerline didn't miss the chance and talked to him to shed light on why IoT is ‘Hello ‘90s!’ and some business giants don’t care about the security at all.

Mind the difference between penetration testers and hackers

It is based on the mindset — pentesters are not necessarily hackers and vice versa. While the former perform pentesting for eight hours, then go, and play tennis or football, the latter arrive home feeling the temptation of hacking something. Simply speaking, there are two kinds of people, they can even work in one office, but if a guy is a pentester only, his job is not his life. Born hackers seize every single moment to do what they love most of all.

Beware of nonpros now that penetration testers are in higher demand than ever before

Current business needs contribute to a rapidly growing penetration testing market. It increases in direct proportion to the spread of bad ‘professionals’.

Attending hacker training is a positive tendency when you thirst for knowledge. Generally, people go there as they thirst for money. Honestly, even several universities are not enough as you learn nothing about security there. Look, just to exploit cross-site scripting (a type of injection), you need to know at least about the specifics of the internet connection, HTTP, HTML, and JavaScript.

Above all, hackers are born, not made. Provided I go for a football school for years, I’ll never play like Cristiano Ronaldo. Real hackers have a binary DNA in their core, otherwise you’ll hardly succeed.  

Don't be led by ready-made tools — if something goes wrong, create your own

Nothing can illustrate this postulate better than a real-world example. The record shows it’s not enough to know how to run pentesting tools. When you simply follow certain steps and the tool suddenly stops working, it’s pretty easy to give up and rank the vulnerability as low-risk instead of creating your own tool to exploit it. So, the moral is: have a clue what you are doing. If you can’t create a tool on your own, you don’t understand how the vulnerability works.

It’s up to business to decide whether a pentester goes inside the system or acts ‘on the surface’

If a company refers to pentesters to check the security of their systems, normally it gives the target and chooses one of the two services we can provide.

Vulnerability assessment is limited to finding one and doesn’t presuppose going inside the network. Let’s say, I’m given a website — I use an SQL injection, find the vulnerability, and stop here. In the case of a real pen test, I’ll exploit an SQL injection vulnerability, go inside the database, crack the password, or correct it and use it for connecting from another account, etc. The basic idea is to turn into a network administrator for a while to see which risks a company is facing.

Nothing is a hundred percent secure. Still, you can’t ignore sensitive data protection

All companies want their private data to be protected, regardless of whether it is an IT startup or a well-established healthcare organization. Everything is hackable; it’s a question of time and budget. Anyway, pen tests are useful when it comes to networks, sensitive data, or private customer information. Businesses will get the detailed picture of how to fix the vulnerabilities thus avoiding possible data leakage. 

A hacking conference is a ‘litmus test’ for its participants

The penetration testers’ community is hardly defined as tightly connected. Normally, they meet at conferences such as DEF CON in Las Vegas, Hackers 2 Hackers in Brazil, or CODE BLUE in Japan.

While organizing my own security conference in Brazil, I focused on keeping the level of talks really high. The mindset of the event sounded like, “if you don’t like all this technical stuff, you are in the wrong way and should choose another niche.”

VR connecting people. Soon, hackers will benefit from it

VR has already proved its worth in a variety of industries, from gaming to medicine and architecture. My ambition is to implement the capacities of virtual reality into future security conferences in order to make the event more accessible to people. For small meetups, VR works perfectly well, and I hope to add a participation effect during the next conference for all the engaged hackers across the world.

Windows forces us to learn, and IoT makes pentesters’ lives easier

As security evolves, it is becoming much more complicated to hack operating systems, such as Windows or Linux. As for the network-related stuff, the binaries are getting harder, too. Personally, I like such challenges — tricky security techniques motivate penetration testers to broaden their intellectual horizons.

IoT is a separate matter. I feel like I’m in the ‘90s — everything is new, open, and connected to the Internet without the slightest care about security. When we face the IoT devices, our job is as easy as pie.

GDPR has reminded companies about the value of penetration tests

With the spread of the General Data Protection Regulation, penetration testing services become crucial. They can discover vulnerabilities and prevent breaches. In this regard, one more area of responsibility for us is to create a secure environment. We check whether all necessary security controls are implemented correctly and identify potential risks to companies’ data.

Compliance goes to the top of the agenda 

As far as I can judge, the biggest business clients like banking don’t care about security at all. Big companies think that security is rather an expense than an investment. One and the same vulnerability could be open for years — penetration testing turns into a must if the organization aims to be in compliance and avoid penalties.

But, being in compliance does not necessarily mean the company is safe. Other measures must be in place to reduce the attack surface.
