Breaking into the mind of a hacker
“One of the best things that companies can do right now is to adopt a little bit of a hacker mind-set,” ethical hacker Jennifer Arcuri advises.
But what exactly is a hacker mind-set?
“It’s the ability to think and act like your adversary and to react to them,” she explains.
Jennifer leads Hacker House, a team of computer hackers who strive for innovation in information security. They help organisations understand the cyber risks facing them today through training on computer hacking, electronic surveillance, countermeasures, espionage, exploits and malicious code.
The idea of ethical hacking – that is, breaking things apart and seeing where they are vulnerable to an attack – is an absolute necessity that comes with putting your life online and being more connected, Jennifer states.
“Cybercrime is at an all-time high because tech is moving so fast and we (as an industry and society) are trying to catch up with where is best to stay safe. 90% of attacks are done by bots scanning the internet. It’s dots on machines and it’s not personal,” she adds.
Jennifer says that we need to separate “cybercrime” from an actual “curiosity of how things work”. “Hacking goes back to the basics of breaking apart a computer, seeing how it operates and then making it more secure once you know your potential vulnerabilities,” she explains.
Reframing the term “hacker”
“Hacking can be used to progress an industry,” she states. By way of example, she refers to smart devices such as insulin pumps and pacemakers and the accompanying fanfare which initially claimed they were safe. “It took a bunch of hackers and academics to pull them apart and say, ‘actually, no, they are not completely secure,’” she points out.
When we reframe how we think about hacking, we see that it’s not just about card fraud and identity theft because not all hackers are the same.
“These skills are 1000% more valuable to organisations today than they ever were because everything is digital and requires the protection of digital assets. So you need people to think like your adversary and you have to have a team that is prepared for what happens if you do go under attack,” Jennifer adds.
If your business has everything in the cloud, for example, she advises asking the right questions, such as: “Where are your backups?”, “Have you tested those backups?” and “Are those backups encrypted?”
“I think more than ever it’s increasingly important for companies to scale and train up their teams internally. You only want to hire a red team when you absolutely need it,” Jennifer states.
But aren’t white hats just black hats in disguise?
She doesn’t agree. “A lot of these kids are just bored. Of course they’ve all dabbled in the dark stuff,” she says, but more often than not they’ve been reined in by their conscience and see the wiser choice before them.
Jennifer feels that the media’s often sinister and nefarious portrayal of hackers is unfair. She alludes to the stigma attached to ex-black hats and cites Kevin Mitnick as someone who’s been tarnished by the “once a criminal, always a criminal” label, despite having served his punishment. “You’ve got to give the guy at least a chance,” she adds.
The government and industry, much to Jennifer’s delight, have been more welcoming of ethical hacking. This is a sign to young hackers that there is a more legitimate way of earning money as a white hat. “Nothing goes without being caught and every great hacker knows that,” she affirms.
Derided, initially, as “a group of black hats” when they started out four years ago, Hacker House is increasingly sought out by corporates who recognise the need to improve their security culture.
“We were just a bunch of guys who decided to look at how the industry is failing. If we were all so secure with these consultants and pen testing then we wouldn’t be having all these continued attacks,” she says.
Look who’s laughing now.
Jennifer Arcuri is an advisor to hackers and founders in Silicon Valley, as well as founders for schools across the UK. Her TED talk can be viewed here.