Why every cybersecurity person needs to think like a hacker
In the world of football, it is not uncommon to see coaches pore over video recordings of opposing teams’ matches in an effort to understand their plays, game strategies, strengths and weaknesses. The reason is not difficult to discern: to be best prepared, coaches need their players to know the opposition and what they are taking on, so that when the time comes, they are ready to face off. Sport is not the only arena to follow this thinking. The film industry is rife with examples of actors immersing themselves in their roles by living their parts in real time during shooting: Robert De Niro in Taxi Driver and Raging Bull, Natalie Portman in Black Swan and Leonardo DiCaprio in The Revenant. In the world of medicine too, top surgeons routinely hone their skills on cadavers so that they understand how a procedure will unfold before they attempt it on a living patient.
Cybercrime continues to proliferate
In the world of cybersecurity, where hacking has become a full-time, if illegal, profession, similar thinking on the part of cybersecurity experts is increasingly called for. No longer can defenders play Cops and Robbers and take only the part of the cops. With cybercrime proliferating at an exponential rate, and courses on hacking freely available on the internet, cybersecurity experts find themselves on the losing end of an unequal battle. Forbes (1) reports that 2021 saw 50% more cyberattacks per week on corporate networks than 2020, with the Education/Research sector the most targeted by hackers (up 75% over 2020) and Healthcare next (up 71% over 2020). More worrying still is the finding that hackers can penetrate 93% of company networks.
The time to change our thinking is upon us, and business as usual is no longer an option.
The Certified Ethical Hacker
Enter the Certified Ethical Hacker (CEH): a trained expert who knows how to spot flaws and vulnerabilities in systems as a hacker would, and then evaluate the organization’s security posture. The course certifies individuals in the specific network security discipline of ethical hacking from a vendor-neutral perspective, training candidates in a range of techniques: social engineering and phishing, intrusion detection, attacks on cloud computing software, buffer overflows, policy formulation, DDoS attacks, virus creation and more. CEH holders know precisely how to scan, test and hack systems, and how to secure them against the latest Trojans and viruses.
Changing the game
The surprising thing about CEHs is that organizations typically recruit only one or two of them to bolster their Security Operations Centers (SOCs). What is equally surprising is that their compensation is not always commensurate with the value they add to the cybersecurity mix.
And yet organizations are fully seized of their value (2). Apple hired the hackers who created the MacBook’s first virus to make its products more virus-resistant. Hackers are paid to dig into the systems of major companies to find flaws in their security measures; Google, Pinterest and Western Union are among the companies enlisting professional hackers’ help.
Finding qualified white hat hackers who are certified to test an organization’s security systems is, however, not always a breeze. And so companies are also known to hire black hat hackers from the cyber underworld to test their systems, or to deploy white hat hackers who know how black hat hackers operate.
And therein lies the lesson. Most black hat hackers are self-taught, untrained and hold no formal qualification. The question that arises is: are Human Resources departments ready to break out of the conventional recruitment mould, which mandates that only formally qualified personnel be taken on board, retained or associated with the organization?
What organizations can do
It’s a veritable ocean out there, and with incredibly high stakes, hackers are constantly innovating and coming up with new ways to breach systems.
Against this backdrop, organizations would do well to look at some of the following:
- Invest in penetration testing of a suitable type: internal, external, targeted or blind testing
- Invest in vulnerability assessments at regular intervals
- Focus on general security hygiene as well as both offensive and defensive cybersecurity capability
- Certify themselves under ISO 27001 for Information Security Management Systems
- Ensure entry- to advanced-level Cyber Analyst qualifications for all SOC personnel
- Insist on CEH qualifications for a majority of personnel in the cybersecurity team
- Think out of the box by being open to self-taught, experienced hands on the team
- Engage in internal training on hacking methods, with sessions led by CEHs and by black hat hackers
- Establish networks with black hat hackers to understand new trends in hacking and cyber threats, without compromising organizational policy or the law
In training for his role as a pugilist in Raging Bull, De Niro actually fought three professional bouts and won two of them. Going further, the iconoclastic actor drove passengers in a taxi for 12 hours at a stretch during breaks in shooting Taxi Driver.
Cybersecurity experts could certainly take a leaf from this example. They are waging an unequal battle against a hacking world that seems to grow from strength to strength. The only way is to fight fire with fire: take the fight to the hacker, play him on your terms, think like him, develop a hacker’s mindset and augment teams with hacking skills. Become him!
And try to level the odds by never losing sight of the rationale behind ethical hacking – it takes a thief to catch a thief!