After years, it was time for me to go back to training. I looked for one where the chance would be small that I’d learn very little; something that tends to happen quickly when you’ve been around the block in this field. A course on ethical hacking more than met that requirement.
For more than three decades, I’ve viewed the world from the right side of the line. My work revolves around security policies, risk analyses, and compliance, to name just a few things. I read and hear about what goes on on the wrong side of the line and try to make life as difficult as possible for the folks who hang out there. With this hacking course, I wanted to see the world from their side for once. Because, as Sun Tzu already knew in the fifth century BC: ‘Know your enemy and know yourself, and you will not have to fear the outcome of a hundred battles.’
But what is ethical hacking, exactly? Broadly speaking, there are two kinds of hackers: the good and the bad. The latter usually make the news, for instance through data breaches at the police or at telco Odido, both here in the Netherlands. That’s how hacking is known to the general public: unlawfully breaking into computer systems. The people who do this come in many shapes and sizes. At the bottom of the ladder you find the script kiddies: people who use ready‑made recipes to do things without really understanding how they work. And right at the top you have organized crime and state actors.
But there are also benevolent hackers. Like their malicious counterparts, they look for weaknesses in defenses. The big difference is that they don’t exploit those weaknesses for personal gain; they responsibly report them to the organization where they found the vulnerability. You can hire ethical hackers to test your systems, but some also operate on their own initiative. Quite often, if they play by certain rules, they even receive a reward. That can range from a T‑shirt to (a lot of) money.
Of course, after a five‑day course I am far from a seasoned hacker. Quite the contrary: last week my head was spinning from hacking tools with countless options, the many ports that can be attacked, and lots of other things that any self‑respecting hacker is expected to know by heart. Back in the MS‑DOS era, you also had to do everything from the command line (the C:\ prompt), but by today’s standards that feels rather archaic. And yet that’s still how things work in that world, only now with Linux instead of MS‑DOS.
The most important thing I learned is that hacking involves quite a lot, but that once you’ve mastered the tricks, it can be remarkably easy – at least if your opponent doesn’t defend themselves well. In the simple scenario we practiced, you find the IP address of your target, check which ports are open, investigate whether known vulnerabilities exist for the services running there, and boom, you’re in. Obviously, it’s (hopefully!) not always that easy, but the principle is likely the same: the hacker looks for weak spots in the defense. And you’d much rather have those vulnerabilities discovered by an ethical hacker than by a criminal. That only helps, of course, if you then actually act on the findings. Fortunately, everyone understands that. Right?
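The scenario above, seen from the defender’s chair: the first two steps (finding the address, checking which ports are open) show up in a packet‑filter log as one source touching many destination ports on one host within seconds, and the “act on the findings” part starts with knowing which services you actually meant to expose. The script below is an added illustration, not code from the post or the course: it parses constructed, syslog‑style firewall lines (addresses from the RFC 5737 documentation ranges), flags sources that hit a threshold of distinct ports inside a sliding time window, and lists accepted connections to ports outside an expected allowlist. The log format, the thresholds and the allowlist are all assumptions made for the example.

```python
"""Defender-side view of the recon flow: spot port probing in firewall logs
and list exposed services that are not on the expected list.

Added example, not from the original post. Log format, hosts (RFC 5737
documentation ranges), window, threshold and allowlist are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one host probes ten ports in five seconds, another
# makes ordinary repeat connections to HTTPS plus one SSH connection.
SAMPLE_LOG = """\
2024-05-01T10:00:01 DROP SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=21
2024-05-01T10:00:01 DROP SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=22
2024-05-01T10:00:02 DROP SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=23
2024-05-01T10:00:02 DROP SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=25
2024-05-01T10:00:03 DROP SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=80
2024-05-01T10:00:03 DROP SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=110
2024-05-01T10:00:04 DROP SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=139
2024-05-01T10:00:04 DROP SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=443
2024-05-01T10:00:05 DROP SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=445
2024-05-01T10:00:05 DROP SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=3389
2024-05-01T10:00:06 ACCEPT SRC=192.0.2.20 DST=198.51.100.10 PROTO=TCP DPT=443
2024-05-01T10:00:09 ACCEPT SRC=192.0.2.20 DST=198.51.100.10 PROTO=TCP DPT=443
2024-05-01T10:00:12 ACCEPT SRC=192.0.2.20 DST=198.51.100.10 PROTO=TCP DPT=443
2024-05-01T10:01:30 ACCEPT SRC=192.0.2.20 DST=198.51.100.10 PROTO=TCP DPT=22
"""

# Matches the constructed line format only; real firewalls differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def parse_events(text):
    """Return a list of (timestamp, action, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        events.append(
            (datetime.fromisoformat(m["ts"]), m["action"], m["src"], m["dst"], int(m["dpt"]))
        )
    return events


def detect_scanners(events, window=timedelta(seconds=10), min_ports=8):
    """Map source -> set of probed ports for every (src, dst) pair where the
    source touched at least `min_ports` distinct ports within any `window`.
    Sliding window over the time-sorted hits of each pair."""
    by_pair = defaultdict(list)
    for ts, _action, src, dst, dpt in events:
        by_pair[(src, dst)].append((ts, dpt))

    flagged = {}
    for (src, _dst), hits in by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until it covers at most `window` seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = flagged.get(src, set()) | ports
    return flagged


def unexpected_accepts(events, allowlist):
    """Sorted list of destination ports that accepted traffic but are not in
    the allowlist of services the owner intends to expose."""
    return sorted({dpt for _, action, _, _, dpt in events
                   if action == "ACCEPT" and dpt not in allowlist})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for src, ports in detect_scanners(evts).items():
        print(f"probable port scan from {src}: {len(ports)} distinct ports")
    # Constructed allowlist: only HTTPS is meant to be reachable on this host.
    print("accepted on unexpected ports:", unexpected_accepts(evts, {443}))
```

The window and threshold are deliberately loose for a readable sample; on a real perimeter you would tune them per segment, and the allowlist check is the cheap daily question behind “act on the findings”: is everything reachable from outside actually something you meant to expose?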
I’ve always had admiration for colleagues who do this for a living. Now that I better understand what they do, that respect has received a serious upgrade. It’s important, rewarding puzzle work that requires a great deal of knowledge and skill. They make discoveries that sometimes cause quite a stir. And then you see them walking around beaming. A fine sight.
Finally, I’d like to share something entirely different that I learned and that anyone who uses AI chatbots such as Copilot, ChatGPT, and Claude can enjoy. It’s about ELI5. That stands for ‘explain like I’m five’ and ensures that answers are phrased in simple terms and don’t assume prior knowledge. Not baby talk, but often using nice analogies. Just try something like: ‘ELI5: Explain what an IP address is.’
And in the big bad world…
- You can even hack a coffee machine.
- The Russians might be in your router (tip: reboot it from time to time).
- It’s not only the Dutch police who have been hacked.
- A romance scammer ends up in prison after accidentally trying to lure a colleague.
- Even astronauts suffer from IT problems.
- This trick exposes North Korean fake job applicants.
- Security legend Mikko Hyppönen has taken a different path these days: he fights drones.
- This new AI model is considered too dangerous to be released publicly for now.
- Some presidents still have room to grow when it comes to security awareness.
- Iranian state hackers have their sights set on critical infrastructure in the United States.