What is an ethical hacker?


While more companies are investing in strengthening their IT security, most cybersecurity practices are still reaction-based, relying on software tools to identify when an attack has taken place – or has been attempted – and react accordingly.

But as cyberattacks continue to increase in frequency and sophistication, it’s clear that businesses need to take a more proactive approach to countering cybersecurity threats.

Ethical hackers are sought after to help companies identify potential threats and weaknesses in their networks before an attack occurs, working effectively against cybercriminals to beat them at their own game.

Think like the attacker

“No matter how much money you spend on cybersecurity tools alone, you need a human element,” argues Haris Pylarinos, CEO of ethical hacker training platform Hack the Box.

Haris Pylarinos, a former ethical hacker and spyware tester with over 15 years of IT and cybersecurity experience, believes that typical approaches to cybersecurity are limited in that they do not reflect the methods and techniques hackers use in cyberattacks.

According to him, the best defense is attack. “You have to think and act like the attacker in order to find all the ways, no matter how creative, to gain unauthorized access to your systems,” he told ZDNet.

80% of data breaches can be attributed to a skills shortage

According to a recent study, 80% of data breaches can be attributed to a shortage of cybersecurity skills in the workforce.

While cybersecurity training programs can improve organizations’ awareness of and resilience to cyberattacks, they typically don’t provide the kind of hands-on experience that allows security teams to step into the shoes of adversaries or spend time testing corporate networks for vulnerabilities that hackers can exploit, says Haris Pylarinos.

This is where ethical hackers come into play. “They imitate this behavior, they find these flaws that no tool is able to find,” he says.

Ethical hackers in the public

Public sector bodies are also beginning to recognize the value of ethical hacking. In May 2022, the UK government’s Cabinet Office published a job advertisement for a senior ethical hacker to help provide penetration testing and red-teaming capabilities for the government, and take responsibility for “simulating cyber-offensive tools and techniques”.

“I assume that, like most organizations, they recognize the critical need to adopt a hacking mindset in today’s high-threat environment,” said Haris Pylarinos.

“It’s the only way to stay ahead of the criminals and that’s to be welcomed.”

Despite this, the profession remains a niche. For most organizations, the closest thing to an ethical hacker is a penetration tester (pentester), whose job it is to probe specific parts of a company’s computing environment in order to discover and reveal any vulnerabilities.

In reality, ethical hacking has a much broader role. An ethical hacker uses all the tools and techniques at their disposal to set up attacks and test the weaknesses of several parts of the computing environment, like a criminal hacker.

“Generally, in my view, a pentester describes what a person does – a cybersecurity professional who focuses on ways to break into networks,” says Haris Pylarinos.

Recruitment like no other

Ethical hackers don’t have to be cybersecurity professionals either: “If a developer on a team thinks like an ethical hacker, they can often spot security breaches before they happen.”

Of course, recruiting and training people to become ethical hackers remains a significant hurdle, not least because there is a massive shortage of available talent.

Again, Haris Pylarinos points out that ethical hackers don’t have to be cybersecurity specialists, although they should be tech-savvy and share some of the characteristics that make hackers good at what they do.

“Assessing technical skills should be a priority in the hiring process, but the good news is that they’re often easy to assess,” he says. “This allows hiring managers to gauge hacker knowledge of the latest exploits and attack vectors across new technology solutions and platforms used by organizations and businesses today, such as cloud expertise.”

“You can’t just ‘hack’”

An innate curiosity about how things work – which “indicates the candidate will be able to spot vulnerabilities easily and quickly” – as well as soft skills like communication and the ability to work in a team are also essential characteristics, according to the former ethical hacker.

The best ethical hackers are able to communicate clearly and accurately express the seriousness of different situations, he adds. “The guidance they provide, along with their suggestions for actionable ways to mitigate issues, requires immediate trust and buy-in from the entire team to make a difference in a fast-paced, high-pressure work environment.”

Ethical hacker training also comes with special considerations, as it requires a safe technical environment where students can experiment with different techniques and scenarios. “You can’t just ‘hack’,” warns Haris Pylarinos. “It’s illegal, and you can cause damage.”

Source: ZDNet.com




