Sunday, August 14, 2022

An ethical hacker by trade


The name carries many connotations, and few of them are good. For many people a hacker is simply the cybercriminal who breaks into someone else’s system for malicious purposes, be it sabotage, industrial espionage, extortion or data theft. A dark figure against which a completely opposite one appears: the ethical hacker (or cyber expert) who, while mimicking the behaviour of the former, does so with the aim of uncovering vulnerabilities in a technological infrastructure and thereby helping to improve corporate cybersecurity. Demand for these professionals continues to grow: according to LinkedIn, cybersecurity specialist was the fifth most sought-after job in 2020, up 60% year over year. “It is one of the top three STEM jobs, especially once you have two or three years of experience. It is also estimated that 84% of Spanish companies will increase their investment in cybersecurity over the next three years,” explains Víctor Portal, professor at the IMF x Deloitte School of Cybersecurity.

Computer crime is unfortunately in fashion, and the data confirms it: in 2021, according to a report by the cloud security company Data101, Spain alone saw 40,000 cyber attacks per day (125% more than in 2020), and PwC estimates that this type of crime will increase by another 10% over the course of 2022. But which types of attack are the most common? “Perhaps the greatest threat today is ransomware, a form of blackmail that uses a computer virus to encrypt the victim’s files, making them inaccessible, and then demands a ransom to regain access,” Portal explains. Real-life cases can be very different, however; for example, when one company acquires another and needs to integrate both computer systems, potentially widening the opportunities for a cyber attack.

“In a situation like this, the ethical hacker stress-tests the defences and identifies security gaps,” says Laurie Mercer, senior manager at the cybersecurity company HackerOne. “For example, when we acquired PullRequest, we immediately submitted its assets to the hacker community, and within 48 hours we had received nearly two dozen reports that enabled our customers to fix the bugs.”

Who can be an ethical “hacker”?

The truth is that there is no single profile. Traditionally, experts in this field have had to adapt as quickly as the ever-evolving threats require, which means there is a large element of self-education. Many ethical hackers have a degree in computer science (37%) and 20% have university-level knowledge, according to the 2021 Hacker Report. “The hacker community has very diverse skills. One of our top cyber experts is a Dutch GP; another works at a bank branch in Nairobi, Egypt; and of course there are very good professionals in Latin America and in Spain, like Santiago López, the 19-year-old Argentine who became the first multimillionaire cyber expert on the HackerOne platform,” says Mercer.

In other words, a computer science degree is not strictly necessary, but a certain technical grounding is of course required to face such a challenge successfully. Retraining in this field is also possible, by completing a specific postgraduate master’s degree in cybersecurity, which provides the techniques and knowledge a hacker needs, or by turning to intensive training (a bootcamp) or to a specialised course such as Expert Analyst in Systems and Network Auditing. If you are interested in mathematics, engineering, science, programming languages “or in discovering the what, who and when of every attack that can occur in an organisation, you can definitely choose this branch of cybersecurity,” argues Portal. There are also free resources such as Hacker101, where interested parties can become ethical hackers thanks to video lessons, guides and access to a chat where they can connect with a whole community of students.

Beyond purely academic knowledge, “a good hacker must have a genuine interest in understanding how the technology really works inside; must be a determined and inventive person; must not give up easily in the face of adversity, and must persevere in their efforts to solve the technical problems they will encounter,” he adds. It is not for nothing that these are professionals who spend many hours in front of a screen before solving the challenges put before them, or even those they have set themselves. “But you also have to be self-taught and a restless person who asks (and keeps asking) a lot of questions, and who tries to make the most of what you know about a given topic,” they add at IMF. Motivations also vary: while three out of four cyber professionals do it for the financial reward, 85% also want to learn and develop, and almost half are motivated by doing good, protecting businesses and citizens alike against cyber threats.

Work as a cyber expert

The ultimate goal is always the same: to identify potential vulnerabilities in a computer system before an attacker can exploit them to cause real harm, and to make the necessary recommendations to fix them. A task, that of the hacker, which needs the right approach on the part of the company because, as Deloitte points out, there is no such thing as 100% security. Indeed, organisations today face a significant gap between what they can defend and what they must defend (the so-called “attack resistance gap”), according to the Attack Resistance Report 2022 by HackerOne. Therefore, “although it is not easy, we must seek a balance between the two extremes. Businesses need to focus on what they need to defend, which are the critical aspects of their business: in some cases it will be their website (e-commerce) and in others the information they handle (as with consultancies or law firms),” emphasises Portal.

The work of the ethical hacker can take many forms. In a penetration test (or pen test), a small number of people examine a company’s computer systems for a period of time, looking for cracks and vulnerabilities; in a bug bounty, by contrast, the test is opened up on a much larger scale through a platform that mediates between thousands of ethical hackers and the organisation that owns the asset (thereby increasing the likelihood of finding vulnerabilities). “Usually you combine both approaches, starting with the penetration test and, after fixing the problems found, moving on to the bug bounty,” Portal explains. In these programmes, moreover, each reported vulnerability is paid for according to its severity. And then there are the so-called honeypots: intentionally vulnerable systems connected to the internet to attract cybercriminals and thus monitor their behaviour.

‘Hacking’ with a legal guise

The adoption of bug bounty programmes has reduced the number of cases in which ethical, well-intentioned hackers reported vulnerabilities and received a legal complaint instead of a reward, because they now have platforms on which to do their work and legal protection. “We were aware of the activities of a hacker in installations of high national strategic value (nuclear power plants, dams, water treatment plants…) who had previously reported vulnerabilities and who has never been found despite the launch of an investigation to identify him,” says Jesús Pascual López, director of the law firm Abogado Amigo. However, he adds, “in Spain we have the task ahead of us of encouraging these professionals to collaborate with law enforcement. The figure of the security researcher or auditor needs to be settled.”

Many of the cyber experts advised by his law firm have been involved in criminal proceedings for breach of secrecy, computer theft or other property damage. However, the firm has also helped many security professionals to draw up service contracts that clearly set out the protocols of action so that they can work legally. “A hacker must have ongoing legal advice and appropriate contracts in place that specify not only the services to be provided, but also the powers granted and the assumption of liability for any damage that may occur.”

Proper authorisation should therefore be the basis of every ethical hacker’s actions. According to López, however, these are boundaries that are harder to define in practice: “For example, if a person is a user of a technological service, is he or she duly authorised to examine and verify the security it claims to have?” asks the lawyer. “On the other hand, there must be ‘specific security measures’ in place for there to be an intrusion. But what happens if these do not correspond to the risk level of a system? Is the mere fact of circumventing a security measure considered access, or is it necessary to interfere with the system in some way?”



Source elpais.com
