What does an ethical hacker do? An expert explains
Former security analysist and cyber security speaker, Glenn Wilkinson, sat down for this interview to describe his role as an ethical hacker. He also revealed the biggest cyber threat that businesses face and what they can do about it. Do not miss this insightful talk with one of the most respected voices in cyber security.
What does your role as an ethical hacker entail?
Being an ethical hacker means that my clients, who range from banks to governments to small startups to big companies, want me to help them secure their businesses. From their staff to their servers, everything in between, anything that holds data or transmits data.
The analogy I sometimes use is that it’s like hiring an ethical burglar and asking them to come and check your home security. Generally, the mindset that a burglar has, or the mindset that a hacker has, is a bit more inquisitive than the person who sets up the security. So, the person who instals the home alarm, or possibly sets up security at a company, the way they think is sometimes a bit more defensive, a bit more mundane.
As an ethical hacker, what largely drives you is curiosity. So, there's this thing in front of you, this barrier that's stopping you getting some interesting information, and you ask, how can I kind of go around the edge or dig underneath or climb over the top to try and get to that information?
It's often not as glamorous as you might see in the Hollywood way. Generally, if I'm asked to test to a bank’s security, it generally involves about four days of metaphorically banging your head against the wall, trying to find those weaknesses!
How can businesses identify potential cyber weaknesses in their organisation?
Generally speaking, a layered approach is good for cybersecurity, for home security, for life. If you diversify what you're doing, you stand a better chance if one system fails. Experts might try and tell you things like... segmenting the network, things like zero trust, making sure your software is up to date. There are all kinds of solutions these days, there's lots and lots of little things you can do as an organisation.
I'd say if you're watching, listening or looking for two or three things that you should do, keep your software up to date. If there's a vulnerability and your server software or your client-side software isn’t up to date, hackers can take advantage of it.
Also, make sure to use password managers, because if you're forcing your staff to remember 20 different passwords and change them every month, that doesn't work out well for anyone except the hackers. If you only have to remember one password to unlock the password manager, that's quite a secure approach. Make sure to pick a good password for your one password.
What I like to do is use these things called ‘canary tokens.’ Essentially, you embed information in Word documents, Excel documents or PDFs, and you leave these files lying around like trip wires. Canary tokens are a great way to know if you've been breached. I use those quite a lot.
What do you hope audiences take away from your talks?
What do I hope audience members take away from my talks... part of the reason why I give these public talks is I want to help people understand what I call the realm of the possible.
So, your IT guy will tell you, ‘don't click suspicious links, change your password 12 times a day to some ridiculous thing.’ The average user doesn't understand why they're being told to do these things. So, what I try and do in my talks is show you the realm of the possible, which means, what can hackers do? Why do they think the way they do and what opportunities do they have with the average person, at the average organisation?
So, as an example, I've got a talk where I demonstrate a real-world hack. So, I have a demo laptop, I send an email, and someone interacts with the email, and that gives me control of their laptop. We burrow deeper into the pretend network; I mean, smash and grab and exfiltrate data. I like to show the real software that hackers use, the real way hackers think and the way they approach your organisation, both the company and the individuals.
I get people excited and then they want to be on the same team as the IT department. I really enjoy showing people stuff that I'm passionate about, getting them excited, and then teaching them things and helping them stay safe online, both at work and at home.