Listen To The Article

Whenever I mention my field of expertise and line of work, the first questions I usually get are “Can you access my Facebook account?”, “Can you read my Instagram messages?” or something along those lines of indiscreetness, curiosity and most definitely illegal uses of one’s computer prowess. This is the effect that the statement “I’m a computer hacker” generally has on people. It is a combination of mystery, incomprehension and bewilderment, laced with a media-induced perception of illegality and crime.

But what do computer hackers really do for them to have become, in the past decades, some of the most sought after and highest paid experts in the world?

Oh and before we start, the answers to the questions cited in this piece’s opening paragraph are yes. On any and all counts, a resounding yes. But more importantly, it would be illegal to do so and, despite what you may think, I can assure you that most computer hackers have no interest whatsoever in breaking the law, nor do they entertain any notion of curiosity when it comes to other people’s personal data.

Just because a locksmith has the technical know-how to open most locks does not mean that all locksmiths spend their time invading people’s privacy in their homes, and the same goes for computer hackers. You call upon a locksmith when you have a problem with a lock, and you call upon computer hackers when you need your security evaluated. However, let’s start calling them information security experts. In both cases, it’s just a profession.

It is important to make the distinction that not all computer hackers work in the field of information security, but all information security experts must be computer hackers to be able to perform a good job at testing your networks and securing your applications.

You may ask yourself why that is, and here is the answer: in the game of cyber-security, attackers always have the advantage because you cannot defend against an attack if you do not know where it is going to come from. This is why, to be able to anticipate security breaches and test security stances, security experts must have their ear to the ground on anything and everything happening in the computing underworld, know about the latest methods used by offenders and be as passionate about it as those who will use their skills to create mayhem. Those are the hallmarks of computer hackers.

It comes down to this: if you wanted to test the soundness of your home security system, would you ask the company that sold it to you to demonstrate its value, thus throwing objectivity in the results out the window, or would you rather have an expert (reformed) thief try and break in? Obviously the latter, as the thief made a career out of defeating security systems and finding creative ways to break into places undetected. So, if there is anything not up to par in your security apparatus, they will find it, label it and issue sound recommendations about how to fix it. Let me state in the clearest way possible that I’m not saying that all computer hackers are reformed law breakers.

Allow me to digress a little. I am from what is known as the “internet generation,” meaning that I grew up with the development of the digital age. Back in its early days, the internet was like the wild west of old, and no laws were governing it whatsoever. Thus, for all of us who had the hacker gene, doing things that would be considered illegal today was normal or, at least, did not feel reprehensible. We were not driven by any sort of criminal intent, but by curiosity and an appetite for learning and, to be honest, maybe a little sense of power for being able to navigate the web and all its nooks and crannies in ways inaccessible to the common user.

This allowed the first generation of information security experts to acquire a certain grasp and expertise on matters of defeating computing securities and safeguards in the ways that a thief would acquire his breaking-in skills. As the first generation of computer hackers matured, most turned to using these skills in the service of the internet and its users and, obviously, a few of them turned to the dark side.

Today the internet is regulated (overly, some might say, and not enough, others would argue) and laws are being passed that prevent the new generation of information security experts of learning by doing. But since the value and need of having them around has been recognized, there are now university courses being taught, conferences being held as well as virtual labs during which one can learn by doing, without breaking any laws.

So, here we have it. Information security experts test all things related to technology (software, hardware, applications, websites, networks, etc.) and look for weaknesses or vulnerabilities in their security, catalog them and then offer recommendations on how to address them. They can also help by consulting in development phases as to make sure security is kept in the minds of the developers or builders, a vital aspect which is far too often overlooked for lack of resources, budget, expertise or time-to-market constraints.

Why is this expertise different than that of normal IT operators, and how do computer security experts go about testing your environments?

First of all, let me state that I do not wish to diminish the value of, or fundamental need for, all people working in IT, from network administrators, to web developers, coders, application developers, in-house internet security teams, etc. Their work is essential and they keep the wheels of the internet and computing world turning on a daily basis, and they should be praised.

But to each his own and most of them, though experts in their own fields, have enough on their plates to worry about deep security issues. Having an in-house security team (which makes sense once a company is big enough and can afford it) does not negate the need for external experts to come in and objectively test the company’s security stance. Again, the external experts might have a better grasp on new vulnerabilities out in the wild, and will most definitely not have the subjectivity of a team testing security that they were responsible for installing in place. I will now try to explain, in layman terms, how computer security experts go about assessing security, and introduce the ambiguously named action of penetration testing. Though it is really just what it says.

The experts will try, in a real time environment (meaning just as if criminals were trying, and without knowledge of the company’s IT departments of the coming tests), using all available methods in their arsenal, to breach your security and penetrate your network. It is important for the company’s IT department to be unaware of the simulated attack timing because, if someone was planning to break into your house, they would not give you the time and date beforehand, would they ?

The methods used will range from exploiting known and, most importantly, unknown vulnerabilities in the hardware or software used by the target company, writing specific custom pieces of code that will bypass firewalls, using existing software designed to breach security or even entering the premises under false pretenses and planting a virus directly into one of the company’s computers. You would be amazed at how easy it is to enter a facility under false pretenses and manage to gain access to a computer, if only for a short while which is all that is needed for seasoned computer hackers.

The most common method of gaining access, and by far the easiest for the attacker, is tricking a company’s users into giving them whatever they need to breach the network. These methods have many names: social engineering, phishing (yes, with a ‘ph’), scamming, but they basically all revolve around the same concept: taking advantage of a user’s unreadiness or unawareness in basic security prevention principles. I can say with high confidence that a large percentage of all breaches you ever heard of were initiated using one of these methods, and not one of the highly technical procedures we usually see portrayed in movies or series (though I do agree that, cinematically, they make for far more entertaining visuals).

The weakest link in any system is always the human element. You can spend hundreds of millions on information security (some of the larger companies do) and all of it can be rendered moot by one employee sticking the wrong USB stick in the wrong place (no pun intended), clicking on the wrong link or giving out personal credentials to the wrong person.

In my next piece, I will be discussing what makes it so easy for criminals to access and steal your data. If you don’t want to wait until its written, here is the short version: they get all the help they need from us, the users! To be fair though, there is blame to be spread all around, and we will get into that as well.

Instagram: @sehnaoui | Twitter: @sehnaoui