A career in ethical hacking - key lessons from an ethical hacker

Header of Dan Weis Cyber Security Specialist for A career in ethical hacking UNSW Online
Header of Dan Weis Cyber Security Specialist for A career in ethical hacking UNSW Online
Cyber Security

When he was US Secretary of Defense, Donald Rumsfeld made famous the concept of known knowns, known unknowns and unknown unknowns. The first two relate to what we know that we know and what we know that we don’t know.
 
Unknown unknowns refers to situations that are so unexpected that they would never have been considered. When it comes to cyber threats, it’s these situations that require a robust ethical framework.
 
Ethical hacking is a practice that got its name from information technology (IT) experts who used their powers for good to alert organisations to vulnerabilities in their networks, servers and applications.
 
Ethical hacking has experienced many upgrades to become the cyber security profession which employs ethical cyber skills.
 
Dan Weis is Senior Cyber Security Specialist and Lead Penetration Tester at Nexon Asia Pacific, a company that provides business IT solutions from computer to cloud and everything in between.
 
“The security industry is very welcoming, and everyone has the same goal – to protect their organisation, other organisations, as well as individuals from cyber-attacks,” reflects Mr Weis.
 
In addition to sharing a day in the life of a cyber security professional, Mr Weis explains how ethical cyber skills can improve your cyber security job outlook.

 

Information security depends on ethical cyber skills

One of the most basic ethical decisions about cyber security was taken out of the hands of Australian businesses at the beginning of 2018. The Notifiable Data Breaches (NDB) scheme of the Privacy Act became law.
 
Any organisation covered by the Privacy Act 1988 must notify affected individuals and authorities about information security breaches. This could be due to cyber-attacks, a device being lost or stolen, or when information is mistakenly given to the wrong person.
 
While that legislation puts cyber security experts and their employers on a level playing field, it still leaves countless ethical questions unresolved. To behave ethically isn’t necessarily difficult, but it does require critical thinking.
 
In the binary world of technology, if the cyber security industry doesn’t have clearly defined ethical standards, then the good guys (penetration testers and red teams) are almost indistinguishable from black-hat criminals.
 
After all, some of the most valuable tools of cyber security analysts are those that are used by cyber criminals – the only difference is the intent of the user.

 

Cybercrime knows no boundaries

It takes a big cyber-attack to make the news these days – something international and far-reaching like the Solarwinds breach.
 
It’s suspected that Russian hackers inserted malware into the software of IT Management company Solarwinds. That software was trusted and used by US government agencies such as the Pentagon and the Commerce, Justice, Treasury and Homeland Security departments.
 
Solarwinds is also used in the corporate world by IT companies like Intel, Microsoft, Nvidia and about 18,000 other businesses.
 
Since the Solarwinds incursion, there’s been a number of alarming cyber security issues, but few have captured the attention of the mainstream news.
 
In the first two months of 2021, cyber-attacks were reported in Australia at Oxfam, Segafredo Zanetti and Carnegie Clean Energy.
 
Around the same time, the file transfer appliance (FTA) Accellion was hacked.
 
Designed for the secure transfer of sensitive documents, Accellion is used by the Australian Securities and Investment Commission, the Reserve Bank of New Zealand, Transport for New South Wales, and SingTel. Law firms Allens and Jones Day as well as the radiology service PRP Diagnostic Imaging were also affected.
 
While the fallout from all of these cyber security events is still being measured, another Australian business has been realising the cost of its own security breach.
 
ASX listed company Isentia reported an almost $6m loss in its half-year earnings after a cyber-attack in late 2020. It took almost three weeks to restore services at the media monitoring business, resulting in over $3m in discounts and credits for affected customers.
 
Isentia spent an additional $1m to resolve the technical side of the attack and expects more negative impacts on future earnings because many projects were delayed by the incident.
 
It’s no surprise that politicians and cyber security consultants are describing these attacks as relentless and overwhelming. Research firm Canalys says 12 billion records were compromised in 2020, with ransomware attacks alone increasing by 60 per cent.

 

A day in the life of an ethical hacker

a day in the life of an ethical hacker

IT security expert Dan Weis was one of the first 10 people in the world to become a Certified Ethical Hacker. He also holds another 22 industry certifications and as a result, his nickname amongst the cyber security team is ‘the general’.
 
Working full-time in computer security, Dan enjoys the problem-solving and risk management elements of a job where every day is different.
 
“Some days I’m working on wireless pentests, webapps, or network security. The next day I might be performing a physical assessment.”
 
In a physical assessment it’s not uncommon for Dan to dress up as an air conditioning service guy to try to breach an organisation’s physical security systems. In some organisations that means getting past a security checkpoint, in others it’s a reception desk or an open door to an office or workshop.
 
“The next day might be phishing or vishing staff or providing CISO services and consulting with senior leaders of an organisation.”
 
Phishing is a form of social engineering that uses authentic looking emails to convince recipients to click through to a link that downloads malware onto operating systems. Vishing is the verbal equivalent that takes place on the phone.
 
In his book Hack Proof Yourself! Dan tells the story of the time he called reception to say he was preparing for an upcoming presentation at the business and needed the wifi password. The receptionist asked if he wanted the guest network or the corporate network – then proceeded to handover the keys to the virtual kingdom.
 
Providing Chief Information Security Officer (CISO) services is one part of Dan’s job when he doesn’t pretend to be someone else. This more serious side of the role is also balanced out by some serious deskwork.
 
“Reporting also plays a big part in most engagements. A lot of the time it's 40 per cent testing and the rest allocated to reporting. But a lot of organisations separate those functions so the pentesters only test, not do the reporting.”
 
So, it pays to research your employer to find out if their approach to reporting suits your approach to penetration testing. You should also find out how they manage the high stakes thrill ride of Immediate Response (IR).
 
“We often assist with IR engagements as well, where an organisation has been hacked and is in a panic and needs some expertise to assist them.”
 
It’s difficult to pin down a day in the life of a cyber security analyst because the challenges are so unique and the solutions equally varied. The one thing that’s common to all roles is the need for a broad skill set of both technical skills and soft skills.
 
“Variety is the main reason I’ve been performing pentests for around 11 years. You never know what to expect. Every environment is unique and it's very rewarding as well – helping customers to ensure they are secure.”

 

Using ethical cyber skills in cyber security jobs

The traditional image of an ethical hacker is a teenage computer expert in his parents’ spare room, wearing only underpants and testing the defences of businesses they’ve never met. While penetration testing is certainly a key part of cyber security jobs, there are still some old-school ‘ethical hackers’ bringing the industry into disrepute.
 
“We often hear from clients where apparent ‘hackers’ have performed a test of their webapp, found all these vulnerabilities and want money to fix the vulnerabilities,” explains Mr Weis.
 
Another form of ‘ethical hacker’ presents themselves as Robin Hood-like characters that extort money from businesses to give to charity. Darkside is a group of supposedly ‘ethical hackers’ who behave in this way and recently hit Australian coffee company Segafredo Zanetti with a cyber-attack.
 
In 2019, Darkside attempted to donate US$10,000 to two US charities – Children International and The Water Project. Thanks, but no thanks was the response from the charities.
 
According to Mr Weis, “Ethical testers want to help organisations to make sure they don’t become the next headline, while being as transparent as possible regarding the vulnerabilities or security issues identified.”
 
Here’s three key ethical insights to keep in mind as you advance along your career path in cyber security.

Infographic key lessons from an ethical hacker

It’s about trust

When you think about cyber security from the customer’s perspective, the need for ethical practices becomes very clear. While the level of technical understanding will vary, every business knows that cyber security engineers will be able to access their most sensitive information.
 
Inviting cyber security behind a business’ firewalls requires the same level of trust as accountants, lawyers and auditors.
 
A business like Nexon Asia Pacific goes through a process of onboarding clients to establish a relationship of trust before any penetration testing takes place.
 
“We have legal documents in place giving us permission to test the clients’ services. They have our defined methodologies, processes, how we go about our test and what they can expect during testing – as well as deliverables,” explains Mr Weiss.
 
“They know that their data is protected via legal agreements and non-disclosure documents and that their data won’t ever be exposed, and this is the clear delineation between ethical and non-ethical hackers.”

 

Always have permission

One of Mr Weis’ penetration testing activities is phishing or vishing – trying to influence an individual to click on a link, or verbally hand over sensitive information. If the goal is to deceive somebody, how can you obtain prior consent from them?
 
Red teaming is where cyber security professionals are hired by an organisation to play the role of the enemy. While it may be only the Chief Information Security Officer who knows that this sort of penetration testing is underway, they’ve given permission.
 
By behaving ethically and ensuring they always have permission for their activities, cyber security professionals minimise harm to systems, organisations and individuals.

 

Disclose all vulnerabilities

In the TV series Mr Robot, Rami Malek plays a cyber security professional called Elliot who discovers an unusual file on his client’s server. When Elliot responds to a distributed denial-of-service (DDoS) attack, he stops after coming across a file which contains a message for him – “leave me here”.
 
After a brief internal ethical argument on the floor of the server room, Elliot decides to isolate the file, rather than deleting it. The consequences of that action lead to four seasons of bingeworthy viewing.
 
Whether or not the file was instrumental to the DDoS attack, Elliot had an ethical obligation to disclose all vulnerabilities.
 
It’s important to note that pursuing all vulnerabilities may not be ethical, as you won’t necessarily have permission – however, disclosing all vulnerabilities is essential for ethical cyber security.

 

Upgrade to an ethical cyber security career

UNSW’s Master of Cyber Security online has been designed to arm you with an ethical toolkit that ensures you can manage any unknown unknowns. In addition to completing a course called Cyber Security Ethics, you’ll focus on ethics in penetration testing, digital forensics and once more for good measure when you tackle advanced penetration testing.
 
While ethics is infused into this master’s program, it’s about much more than helping you to decide between doing something ethically or unethically. It’s about having the ethical and legal understanding to advise your colleagues, your clients and even your employer.
 
You’ll have a broad library of ethical case studies to argue from, as well as frameworks to work through that enable you to make ethical decisions – whether those unknowns are known or unknown.
 
UNSW’s Master of Cyber Security is a 100% online, accelerated program, meaning you can study anywhere at any time, and graduate in as little as two years without taking time out of the workforce. Completion time dependent on individual study path, RPL, leave and course availability. Please speak to a Student Advisor for more information.

Your next step in your cyber security career is a known known.
 
Learn to recognise and respond to ethical challenges within the field of cyber with UNSW’s 100% online Master of Cyber Security.