Many businesses use ethical hackers to deliberately hack their networks and systems and to find vulnerabilities in their own IT systems. These hackers, also known as white hat hackers, are hired to compromise networks and investigate vulnerabilities, and they can be an effective tool for examining the security of an organization's IT systems. They use the same tools as criminal hackers but remain on the right side of the law, improving the security of companies and organizations before an actual criminal breaks in.
We have spoken with Tom Van de Wiele, an ethical hacker who works on the "red team" at F-Secure. His job is to infiltrate and compromise IT systems and infrastructure in companies and organizations, and to find weak points in their security before an actual hacker does.
“We always find a way in. If we didn't get any employees to click on a phishing email, then we will drive to the office and physically break into the building.”
- Tom Van de Wiele, F-Secure
We always find a way in
It is part of the process that they “get caught red-handed” by the company at some point during the test period. Van de Wiele's team is hired to test the entire company's response when a security incident happens: “We always find a way in. If we didn’t get any of the employees to click on a phishing email, then we will drive to the office and physically break into the building”. He stresses that everything they do is on the right side of the law. Van de Wiele's team sets up targets together with the company and develops a threat model in which the targets are defined in advance.
Van de Wiele and his red team perform penetration tests and break in over the Internet or into the building to steal the company's most valuable and critical secrets, e.g., trading algorithms, access to critical cloud services and SAP databases. They can also, with permission from the company, plant software and a back door, or steal a physically valuable item in the building. They are hired to think and act just like cybercriminals.
A hacker's mindset since childhood
Van de Wiele has been interested in the Internet and computers since he was 11 years old. At that age he collected spare parts from containers and garbage bins and started building computers on his own. He bought his first computer game with his own hard-earned money, but the game denied him access. Finding out how to gain access to the game became his obsession, and it was at that moment that Van de Wiele's hacker mindset sprouted. He became fascinated by, and almost obsessed with, gaining access to and control of the game in question. According to Van de Wiele, it is exactly this obsession with "breaking in" that characterizes a good hacker: "We bend everything, break and subvert everything, and try everything, to see how far we can get". Van de Wiele is a self-taught ethical hacker, and along the way he has had mentors who have inspired him and taught him a lot. Tom Van de Wiele started his career as a Linux system administrator 20 years ago, and he is now a Principal Security Consultant.
Trust is a threat
Van de Wiele explains that Danes are very trusting towards each other, but this can backfire in security matters, because trust is not a security model. In IT security, it is generally important that security procedures are the same for everyone, and that all employees know what to do if they experience a security breach or a suspicious incident. Van de Wiele tells of an awareness task during which he could walk around freely and take pictures of the employees' faces without anyone questioning his presence. "The employees looked at me without saying anything, and they even looked at my access card, where my name was Mickey Mouse. After 5 minutes, there was an employee who finally tapped me on the shoulder. He asked if I would please disable the flash from the camera as it disturbed the employees". Van de Wiele explains that the trusting culture in Denmark is far too widespread, and that it can pose a major security threat to companies. The security culture is therefore crucial, and it is important that employees are attentive and vigilant.
According to Van de Wiele, it doesn’t come naturally for Danes to question or confront others. The general attitude is often that if you do not work in the security department, then it is not your job to keep an eye on security. But Van de Wiele says that: “Technically, everyone works with security. The security procedure should be the same for everyone in the company, and it should be easy for everyone to contribute, both for the ones who have been working in the office for one day or for 20 years”.
Important observation of physical behavior
Van de Wiele's team is also trained in social engineering, where they observe human behavior and body language. In this way, they can quickly spot unwanted guests or dishonest employees. According to Van de Wiele, it is extremely easy for cybercriminals to physically enter the building, despite security doors and access cards. Van de Wiele has also observed that many Danes wear their access cards visibly in public, and that his team can clone the cards very easily and in a relatively short time. An experienced hacker also knows how to trigger the sensor at the door, which is based on either temperature or movement, by using compressed air to bypass a one-way automatic door.
Security in the future
According to Van de Wiele, ethical hackers will also be vital in the future. He believes that it’s one of the most effective ways a company can test the sum of their security procedures and measures, and then determine if their security is sufficient to protect valuable data.
Van de Wiele says that there are no systems that are 100% secure. This means that the security measures that can be taken are primarily aimed at making it more difficult for hackers to penetrate. When it is more difficult, an attack becomes more expensive and more time-consuming. But according to Van de Wiele, it will always be necessary to test and optimize security measures. He concludes: “We have no hope of protecting ourselves if we don’t know what we are protecting, or where it is being exposed and how it can be abused”.