Hacking for a good cause? Yes, it exists.
You work as an ethical hacker. What exactly do you do?
Glenn: An ethical hacker, or a white hat hacker, is employed by companies to expose weaknesses and security flaws in computer systems and networks. Actually, as an ethical hacker it is your job to get into the mind of a black hat hacker, a hacker with bad intentions. You work just like they do: you look for ways to get into the system. Except that your aim is different: malicious hackers want to cause as much damage as possible, while ethical hackers look for holes and then plug them.
So what happens if we identify a risk in one of the many ING systems during such a penetration test? We send the information to the team that is responsible for that application. That team can then take the appropriate action.
At ING Belgium our team of 15 Security Engineers carry out penetration tests on our systems full time. That really is necessary, because an ordinary hacker sometimes takes years to hack into a system. We do not have that kind of time, so we have to work as efficiently as possible. Sometimes as a team, sometimes alone.
What does an ethical hacker’s office look like?
Glenn: In your mind’s eye you probably see the clichéd image associated with a hacker. A small, dark room where we hide out behind a wall of monitors. Not at all. At ING we sit among the web developers and IT staff with our laptops. If you passed my desk, you would never guess that it is the workstation of a hacker.
Our workday also looks just like any other employee’s: we work flexible hours and are allowed to work from home one day a week. But we like working from the office, because only then can we function properly and efficiently as a team.
Hackers and teamwork, do they go together?
Glenn: We are not lone wolves, we are team players. We all have the same aim: to safeguard the digital world. And we help one another to expand our knowledge. Once a month my team and I stay behind at the office for a little while after work. We order some pizza and a colleague gives a presentation on a topic related to hacking.
There never used to be real ethical hacking communities before, but they have made their appearance in recent years. Take OWASP, for example. Professionals in the sector use that platform to share techniques and information on computer security with one another.
Do all ethical hackers have a criminal record?
Glenn: Hacking has always been illegal. Some ethical hackers could therefore well have a criminal record if they ever hacked a system without permission in the past. But that is not so for many of them. If you work for a company as a security engineer, you agree to abide by a few rules of engagement. They clearly state that the company has instructed you to penetrate a system. You also declare that you have no malicious intentions and that you will share your findings with the customer who hired you. This allows you to hack legally.
Ethical hackers are therefore not criminals. We use our knowledge to make companies and systems more secure. To help people. And even more than that, if ethical hacking did not exist malicious hackers would have a field day. The world would have a very big problem on its hands. That applies to banks too. If you place a heap of gold in a safe, it is heavily guarded. Why would you not do the same with your digital platforms?
What ING project did you as an ethical hacker play a critical role in?
Glenn: (laughs) Sorry, I can’t really tell you much about that. Confidentiality, you know? What I can say is that I have helped a few large businesses in the past. For example, I discovered that a large number of Android operating systems on mobile devices could be hacked. The problem was that sensitive information was leaked that could be read very easily by any application on the device. This meant that one could monitor someone’s screen taps and eventually obtain their passwords in that way.
How does one actually become an ethical hacker?
Glenn: First, you need to learn how to program by following a course to become a software developer, for example. Only once you have mastered that will you understand how computer systems function. That is vitally important if you want to become a good security engineer, because minor nuances and details often make the world of difference with penetration tests. To then learn how to hack takes practice, practice and more practice. Fortunately that can be done legally today. (laughs)
Glenn, originally from the Netherlands, has been living in Belgium with his Kenyan wife and their daughter for a few years now. He breathes computer code. Where did it all start? “With a computer game.” Once he discovered that some of his opponents had hacked the game, he also wanted to be able to do it. He was thirteen at the time. Glenn is the project leader of the OWASP flagship project called Security Knowledge Framework, gives security courses at companies through his company def[dev]eu, and he also potters around with small hardware projects when he has time. Why would he dedicate his whole life to the world of hacking? “Because I would like to make the digital world just a little safer. What started out as a hobby and a passion is now my career.”