The world of ethical hacking is a constantly evolving reality that requires continuous updating, passion and a lot of curiosity. Ethical hacking practices are increasingly in demand and allow us to complete a general picture of a company's degree of exposure to cyber attacks.
Today we talk about this world with Michael Caruso, an Ethical Hacker by profession with more than 10 years of experience in cybersecurity, who holds the roles of Practice Manager and Product Specialist leading the Ethical Hacking team at Advantio, a company founded in 2009 and a leader in Payment Compliance, Ethical Hacking and managed services.
How do you become a penetration tester and Ethical Hacker?
To become a true Hacker you need curiosity and passion; ethical is when you choose to make it a profession and to do good, protect and prevent hacker attacks. You need to study a lot, but you also need to start from the beginning: many kids today start this path by skipping important parts, such as networking, development and the systems part. Everyone can approach the world of hacking in a different way: there are those who are born as developers and then, thanks to curiosity and passion, try to go further and further, to understand more deeply how applications and systems work and what the ways are to "circumvent" protections or features by making applications, scripts or machines perform operations for which they were not designed, and to derive a benefit from them. Others start from the systems world, others from the networking world, or from the world of the SOC (Security Operation Center), the "defense" and monitoring side of computer systems.
However, study is not everything, because a very large amount of practice is needed, much more than study, because a hacker needs to "touch" and try with his own hands how to hack, getting around obstacles to achieve his goal, whether it is peaceful, goliardic or malevolent.
Unfortunately, today, many companies carry out what is called "body rental", and these young people do not have the opportunity, in many companies in the sector, to test different environments, applications and systems, spending all their practice time on the training portals of the individual companies to which they are "resold", which do not give the same experience as a professional hacking activity. At Advantio, in just one year of work, our guys are able to see more than 50 different realities, different customers and technologies, growing more and more by combining work with study and hacking certifications.
What is your role at Advantio?
I am the Practice Manager and Product Specialist of Advantio's Ethical Hacker team.
How is technology affecting penetration testing methods?
Technology becomes increasingly closed and more automated, and with the entry of Artificial Intelligence and "machine learning" many systems become increasingly secure and require less configuration time and/or leave the factory already with pre-configurations designed to be secure, following leading security standards and best practices. The "problem" is that all of this will, at least for many years, be designed and thought out by human minds that can make mistakes. Hence there will always be bugs and/or security problems that will be discovered and exploited on a small and large scale. This is why it is really important to invest in ethical hacking activities and periodically carry out security tests such as penetration tests to prevent both economic and image losses. Today most hackers, the unethical ones, prefer to attack people and not machines, because the more you go ahead and automate security, the less people tend to study, inform and update themselves. So attacks like Social Engineering, Phishing and Red Team are becoming more and more frequent; just look at how big companies like Uber, Riot Games and many others have been attacked by targeting people and not systems. This is because many companies prefer to invest their entire budget in new generation software and hardware, thinking that this can protect them from any hacker attack, but then a single phishing email is enough to bring down large international giants.
How are companies becoming more aware of the importance of penetration testing and how is this impacting the demand for industry professionals?
Over time, many more companies are becoming aware that security is becoming a fundamental requirement and no longer optional as it was a few years ago. Now many companies allocate new budgets dedicated to security, which previously only happened for large companies. Even the evolution of technologies has led to a major adjustment in companies, even those with few employees. Growth is evidently exponential and in recent years the demand for new experts in the cybersecurity sector has exceeded availability. This is a very important moment for young people who can ride the wave and quickly find work in the cybersecurity sector.
How is the demand for cybersecurity professionals growing and how are you preparing for this change? How do you see your role within the penetration testing industry?
The demand for professionals is growing exponentially and is colliding with the inevitable chronic shortage of adequate profiles. My way of adapting to this change passes through a more long-term approach to new potential talent: I prefer to give space to Junior profiles and train them internally, without looking, like many companies, for "mythological" profiles with high skills that are practically unobtainable or outside the market. My role within the world of pentesting is mainly oriented towards the management of an ethical hacking group which, unlike other people management positions, must have adequate technical preparation for managing a top-level technical team, be able to manage people from the world of hacking, and know how to guide them in a training and professional path that is constantly updated.
Are people easily fooled with social engineering techniques? How do they typically react to simulated attacks or social engineering?
People are much more impressionable and vulnerable than machines; they have feelings and moods. Social engineering techniques take advantage of this: they manipulate people and exploit their goodness and ignorance of today's threats to get to their goal. Everyone thinks of phishing as the usual email that tells you that you have won a latest generation smartphone or that a package you are waiting for is blocked at customs. The real attacks are much more advanced, and when they happen unfortunately not everyone knows what actions need to be taken immediately to mitigate the problem. During our phishing campaigns, where we simulate various attacks for our customers, when we ask them at the end of the activity how many employees have clicked on our fake malicious links or opened files with fake viruses, their answer in many cases was: nobody. This is because, either out of fear of being fired or out of ignorance or lack of procedures, many employees do not report these types of attacks to their company, leaving plenty of time for the attackers to complete further attacks.
What is your purpose when training on these topics?
The main purpose is to make people understand, raise awareness and also make people passionate about cybersecurity, especially the younger ones who then want to embark on a path in cybersecurity. I also try to get the message across to both technical and non-technical people that cybersecurity is something that is now part of our lives. The example I give most often is that of my grandmother, who started using the new smartphones at the age of almost eighty. When links arrive that she finds suspicious, she has learned not to open them and to understand whether they are malicious or not, but the most important thing is that when she is not sure she sends them to me to check. Using simple words and practical examples is the most efficient way to convey your knowledge.
What path do you suggest to young people who would like to approach this profession? And which Certifications would you recommend to a penetration tester?
Starting from the beginning, even if this may seem like a longer path to approach the world of ethical hacking. Without foundations in networking, operating systems and programming languages, entering the world of hacking could be an insurmountable wall and lead many people to give up and change their path.
If you don't have a computer science background, starting from certifications such as the CCNA and some online developer courses is already a good start, obviously all accompanied by a lot of practice. Then, to approach the real world of ethical hacking, certifications such as eJPT, eWPT and eCPPT, or the CEH Master (both practical and theoretical), or the CREST lay the foundations for starting to perform the first professional hacking activities. These then help a lot in preparing for more difficult certifications such as the OSCP and the others that are part of the Offensive Security suite.
What excites or fascinates you most about this job?
What has excited me since I was a child has always been technology. I wanted to understand how it worked, and curiosity drove me to search and study the various things I didn't know using the internet. I've always been a person who got bored easily and wanted to learn and do new things.
Entering the world of ethical hacking began when I took a course and opened a Kali Linux machine for the first time, one of the most used operating systems in the world of hacking. That day, I managed to hack my first machine and make it do what I wanted. From that moment I knew it was what I wanted to do for the rest of my life. I never really saw it as a job but as a passion. Nowadays, finding a job that you're happy to do when you get up in the morning is unfortunately really difficult, but for me it has always been a new day full of things to learn, and the curiosity of not knowing what I might discover fascinated me.
To date, having the opportunity to manage a team of ethical hackers is one of the greatest goals I have achieved, and having the opportunity to raise kids who, like myself many years ago, dreamed of making their dream a job is one of the things that excites me the most.
The Future of Cybersecurity: What are the Emerging Trends in Cybersecurity Threats? And how is technology evolving to protect against these threats?
Artificial intelligence is catching on faster and faster, even in the world of cybersecurity. This leads to much more frequent, automated and more advanced attacks. Just think how many hackers already use AI software like ChatGPT to generate scripts in seconds that can do anything given a simple written explanation. Obviously this tool has also been designed not to perform malicious requests and actions; the problem is that hackers have already found a way to bypass these controls and exploit it as they please, with malicious requests disguised as harmless. In the end, isn't AI always developed by humans?
Protect yourself, prevent, monitor and inform yourself: this is what we can do to protect ourselves. Protect ourselves with new and increasingly technological software and hardware. Prevent by carrying out periodic security checks such as penetration testing activities, automatic scans and other ethical hacking activities. Constantly monitor what we want to protect with MDR and SOC services. Inform yourself daily and always be updated on new threats.