Becoming an Ethical Hacker
By Gary Rivlin
About this ebook
It’s impossible to ignore the critical role cybersecurity plays within our society, politics, and the global order. In Becoming an Ethical Hacker, investigative reporter Gary Rivlin offers an easy-to-digest primer on what white hat hacking is, how it began, and where it’s going, while providing vivid case studies illustrating how to become one of these “white hats” who specializes in ensuring the security of an organization’s information systems. He shows how companies pay these specialists to break into their protected systems and networks to test and assess their security. Readers will learn how these white hats use their skills to improve security by exposing vulnerabilities before malicious hackers can detect and exploit them. Weaving practical how-to advice with inspiring case studies, Rivlin provides concrete, practical steps anyone can take to pursue a career in the growing field of cybersecurity.
Gary Rivlin
Gary Rivlin is a Pulitzer Prize–winning investigative reporter who has been writing about technology since the mid-1990s and the rise of the internet. He is the author of nine books, including Saving Main Street and Katrina: After the Flood. His work has appeared in the New York Times, Newsweek, Fortune, GQ, and Wired, among other publications. He is a two-time Gerald Loeb Award winner and former reporter for the New York Times. He lives in New York with his wife, theater director Daisy Walker, and two sons.
Book preview
PROLOGUE
Angela Gunn is fried. This is one of those frantic periods when it feels as if she works in an ER or at a fire station rather than holding a staff position with a computer security firm. It’s just after Labor Day 2018, and she’s chosen as our meeting place a café with a dive-bar vibe in a trendy stretch of Seattle’s downtown. Called Bedlam, Gunn declared the place “thematically appropriate” for any discussion that involves her life and job. A frazzled Gunn plops down in a seat across from mine. “I’m a hot mess today,” she declares.
This is her life every August, Gunn explains. Invariably, it’s the same around Christmas and New Year’s as well. She’s busiest when the rest of the world is on vacation and online fraud peaks. “People attack when they think your guard is down,” Gunn says. At the time of my visit, she was juggling three cases. That made for a hectic August that spilled into September. All three were coming to a close, but she had been roped into a fourth. “I was up till four a.m. last night and it wasn’t even one of my cases,” she says. The late hours were because she needed to speak with the firm’s malware—malicious software—specialist, who lives in Australia. “A brilliant guy. I respect the hell out of him,” Gunn says. “I just wish he didn’t live nineteen time zones away.”
Her job over the next twenty-four to forty-eight hours will be to find the people her firm needs for this latest case. “My guy can’t get here so I need to find boots on the ground,” she says. “So now it’s about making alliances with people known for wearing hats that are some shade of white.”
Gunn orders a tall Rose Mocha latte that the menu describes with flowery prose: “Imagine walking in a garden, cool and in the bright sun, a fountain splashing softly, the faint sweet scent of roses & chocolate full of Eastern promise.” After reading it out loud to me, Gunn starts rattling off jokes about the new Seattle (she first moved to the city in the late 1990s) and for good measure takes a couple of biting digs at Amazon, which she and others I meet with while in town cast as an Evil Empire, practically swallowing whole the city they love. She brightens when her Rose Mocha arrives. “It’s been a rough few weeks,” Gunn tells me, “I could use a cool walk through a garden right about now.”
It’s people like Gunn that organizations large and small call if they’ve had a data breach or suspect they have. People in the industry—cybersecurity, if you’d like, though Gunn’s preference is information security, or “info-sec” for short—call this “incident response.” To my mind, though, they’re the online world’s firefighters: those who rush to put out the flames and then assess the damage. Ten years ago, Gunn was working as a tech journalist. Now she works full-time for a long-standing British security firm called BAE Systems, which hired her a couple of years earlier to help them establish a presence in Seattle. Her title is “incident response consultant,” and it’s her job to assemble the small crew she needs for each case. Typically, that includes an analyst who can pore over computer logs, a malware specialist, and those she dubs “forensic workers, except without the formaldehyde smell and ripped-open chest cavities.” That’s if she can find any live bodies to do the work.
“Right now, I’d sell a right toe for a forensics guy,” Gunn says. “Like a lot of people in info-sec right now, we’re agonizingly understaffed.”
That morning she had been on the University of Washington campus for the quarterly gathering of the Seattle-area computer security group to which she belongs. As usual, that day’s talk, about the special precautions a security team must take to protect power grids, water treatment centers, and other critical infrastructure, was off-the-record. The idea, she explains, is to create a safe space for people so they can speak freely without fear of the consequences. It’s a network of trust. “Except when it comes to stealing everyone’s best people,” she says. “People don’t say hello so much as let one another know what postings they have that remain open. A typical conversation goes, ‘Oh my God, where did you land?’ They’ll say Amazon and you ask, ‘Oooo, are you okay?’”
Gunn has been in the business for eight years—if not quite an old hand, then someone who has learned a lot since taking a job at Microsoft, in 2010, where she helped manage the company’s message to the wider world when a bug hit Windows or another Microsoft product.
“People in security are changing jobs it seems every year, if not every six months,” Gunn says. “At the meeting just now, I was like, ‘Maybe one of you guys is my next analyst.’ Except they’re hoping I’ll join their team.”
A 2015 report by the job analytics firm Burning Glass Technologies found that postings for cybersecurity had grown more than three times faster than other information technology (IT) positions, and roughly twelve times faster than all other jobs. The firm also reported that those working cybersecurity on average earn nearly 10 percent more than others in IT.I
• • •
IT WASN’T THAT LONG ago that computer security was more of a niche job category—a wise career choice, perhaps, but a specialty that relegated an employee to a backwater of the computing world. The release of the 1983 movie WarGames woke up many to the importance of cybersecurity in a digital age, including then president Ronald Reagan, who saw the movie the day after its release. Reagan was among those frightened by its depiction of Matthew Broderick as a teen tech whiz who unwittingly breaks into a military computer and nearly triggers World War III. Fifteen months later, in September 1984, the National Security Agency, or NSA, released a policy directive dryly titled, “National Policy on Telecommunications and Automated Information Systems Security.” The generals and spy chiefs around Reagan concluded that the film wasn’t as far-fetched as they might have hoped. The government’s systems, the policy directive said, were “highly susceptible” to attack by foreign powers, terrorist groups, and criminals. Yet networking was still an esoteric issue then, even among computer scientists, and personal computers were only starting to appear inside corporate America and in people’s homes. Most people working info-sec then toiled in the bowels of the Pentagon or worked for a big defense contractor.
Slowly, the rest of the world woke up to cybersecurity and the importance of protecting computers, networks, applications, and data from unauthorized access. The invention in the late 1980s of the “World Wide Web” helped to popularize the internet throughout the 1990s (the web is a user-friendly interface built on top of the internet). But the move online brought with it worms, viruses, and malware. Commerce came to the internet, along with thieves and scammers. We bought security software packages from companies such as McAfee and Symantec, but then used passwords often no more sophisticated than 12345 or a spouse’s name. People talked about computer security but it still wasn’t something most colleges taught. The spread of wireless networks—Wi-Fi—made it easy for us to connect our laptops, including work laptops, to the open networks in cafés, airports, and libraries, potentially exposing our personal information to those tech savvy enough to hack into a network. Wi-Fi also inspired “wardriving”—people creeping along in a car, searching for un-secure networks to infiltrate, maybe for the fun of it, maybe for more nefarious reasons—which, eventually, schooled us on the importance of a secure network.
The advent of thumb drives—USB memory sticks—proved an easy way to transfer documents from one computer to another but also an efficient way to infect a machine with malware. The nanny cams and other gizmos we linked to our networks posed another threat, punching holes in our firewalls and offering potential back doors into our private lives. “All these consumer-grade devices are made as cheaply as possible,” said Mark Seiden, who has been working in computer security since the 1990s. “They use old, unpatched software and a lot of it isn’t even upgradeable.”
Our smartphones and the tablets we’ve connected to our networks tend to have better security than these cheap, more disposable items, but there’s the so-called Internet of Things, which is this idea that cheap computer chips will be added to everyday items, including the internet-connected devices that transform the places we live into a “smart home”: smart locks on our front doors and smart thermostats and smart lights, all connected to the same Wi-Fi networks we use to do our banking and carry on private conversations. And now, of course, there are the listening devices people have welcomed into their homes in the form of the voice-activated assistants sitting on the kitchen counters of tens of millions of Americans. Is it any wonder that old hands like Seiden speak of an “attacker’s advantage”? “You’re a business that does everything right but an employee installs a device on the network which has a vulnerability and it opens you up,” Seiden said. He should know: for years he has jobbed himself out to big companies looking for help testing their defenses. “With everything we’re connecting to our networks, there’s definitely an attacker advantage today,” Seiden noted. Cybercrime caused an estimated $3 trillion in damages in 2015, according to the research firm Cybersecurity Ventures. It expects that figure to double to $6 trillion by 2021.II
We survived phishing scams and browser popups and the danger when opening attachments from unknown senders and hijacked Facebook accounts. Yet we now have ransomware. Risk being exposed in front of your friends, spouse, or employer unless the victim sends bitcoin to the hackers who intercepted something incriminating or embarrassing. Or the hostage could be the user’s system. The victim must spend a small fortune cleaning up the malware some no-goodniks have slipped onto their server—or pay the ransom and get back to business. Victims of this second type of attack have included Fortune 500 companies, hospitals, and even police departments. Our financial lives exist online, along with our photos, texts, and medical records. Corporations store their most precious secrets in the cloud, along with ours, including our credit card numbers, social security numbers, and passwords. Yet for more than a decade, we’ve been reading about the huge data breaches hitting one big company after another, including Uber, Google, eBay, and Equifax. Reported data breaches in the United States hit a high of more than 1,500 in 2017—a jump of nearly 45 percent over the previous year.III
Among those hit in 2018: Facebook, where flaws in its code gave hackers access to fifty million accounts, including those of Mark Zuckerberg and his nearly-as-famous number two, Sheryl Sandberg.
“Our power grid, our cars, our everyday devices—basically everything is online and able to be attacked,” Georgia Weidman, the author of Penetration Testing: A Hands-On Introduction to Hacking, told the New York Times in 2018. Our water supply is increasingly digitized, and therefore more vulnerable to attack.