Would you pay someone to hack into your own system?

“To beat a hacker, you need to think like a hacker,” says senior IT consultant and certified ethical hacker, Patrick Eulogius Yau.

The term ‘ethical hacking’ was coined in 1995 by former IBM Vice President of Internet Technology, John Patrick, to describe the process in which a system is knowingly tested for any vulnerabilities.

Ethical hacking is now commonplace in the cyber security industry, serving as a way for businesses to identify and fix any weaknesses before a real hack occurs.

“An ethical hacker is a trusted person who attempts to penetrate an organisation’s IT systems and networks using the same knowledge and tools as a malicious hacker, but in a legitimate and ethical manner,” says Yau.

“Ethical hacking is a series of processes to determine the target system’s vulnerabilities and weaknesses.

“The result is used to recommend preventive and corrective countermeasures that mitigate the risk of a cyber attack.”

Why the need?

Yau became an IT Controls Assessment auditor in 1993, where he covered security policy, password policy and access control.

Since then, he has seen cyber crime grow more sophisticated, and the stakes get higher.

“People are now concerned with privacy,” says Yau. “Attacks are getting more severe and the cost of being attacked is getting higher, but there is a lack of skilled cyber security professionals.”

Despite this, ethical hacking has emerged as a way for businesses, and even government, to ensure they are one step ahead of a cyber attack.

“The main benefit of ethical hacking is to help businesses understand where the cyber security weaknesses are in their systems and networks.”

“Ethical hacking can help to protect government systems and networks in order to fight against cyber terrorism and national security breaches.

“Security is a continuous process -- if you are secure this minute that does not mean you are secure the next minute -- therefore, continuous testing with the latest tools and techniques is necessary.”

Although such measures require high levels of upkeep, Yau explains that taking the initiative will benefit the business overall.

“Businesses will be in a strong position to ensure their most sensitive data and reputation are well protected,” he said.

Organisations looking to protect their networks using an ethical hacker can expect to pay upwards of $8,000 for five days' work.

What makes a good hacker?

Yau’s ethical hacking certification was provided by EC-Council and is designed to “immerse you into the hacker mindset.”

“Generally speaking, an ethical hacking course is training people to be a legitimate threat agent.”

He explained that an ethical hacker must be skilled in password cracking, phishing, denial-of-service, spamming, email hacking, router and firewall hacking, handheld device hacking, GPS hacking and WiFi hacking.

But with this vast portfolio of malicious skills to their name, Yau explains, the most critical component of ethical hacking for students to learn is “to have good professional ethics and conduct.”

While completing their ethical hacking certification, students are made to sign an ethical code of conduct, something many businesses also enforce.

However, Yau believes more stringent measures are required to make sure that ethical hackers remain ethical.

“In my opinion, knowledge, tools and skills can be trained but ethics and professional conduct are difficult to train, since they involve attitude and personal character.

“Training institutions should consider performing screening to ensure they have the ‘right and proper’ students.”

Creating Australia’s next cyber experts

Although he has spent almost the entirety of his career working in Asia, Yau was formally trained in Australia, receiving a Bachelor of Science in Computer Science and a Master of Commerce in Information Systems from the University of New South Wales.

It was this theoretical grounding in the IT industry that allowed him to begin to explore the world of cyber security.

“From a technical perspective, you need to know the concepts of operating systems, databases, networks and system development before you can apply security.”

However, what really brought Yau success in the industry was when he began to combine international qualifications and on-the-job training with his academic training.

He recommends any up-and-comers follow his lead.

“Cyber security is an evolving industry and staying abreast of the latest trends, threats, and changes is critical.

“Hence, obtaining both an academic degree and a good mix of overseas certifications in the field of IT or cyber security is ideal for today’s era.”

He also highlighted the development of postgraduate programs in cyber security, which are now being offered in Australia, as beneficial to the industry.

Spotting the weaknesses

As a consultant, Yau works with businesses from different industries on their cyber security development.

What this has taught him is that some industries are better placed than others.

“Healthcare industries are particularly vulnerable in comparison to retail and financial industries.

“These store patient information, medical information, payment information and other intellectual properties.

“Attackers can use identity theft or ransomware to attack healthcare industries, preventing organisations from accessing critical systems or information.

“The result of this could be catastrophic due to loss of sensitive or proprietary information and the disruption to regular operations.”

He also explained that as technology continues to develop, the cyber risks we face will get even scarier.

“IoT devices incorporated into patients’ bodies for medical purposes pose a risk.

“With IoT hacking, attackers could exercise direct control over medical equipment, such as shutting down or locking out the equipment.

“The consequences are fatal -- it can be literally life and death.”

Patrick Yau is an ACS Certified Professional (Cyber Security).

In our CYBER EXPERTS SERIES, Information Age talks to cyber security leaders across Australia and beyond about the biggest threats facing the industry, how they got into cyber security, and what keeps them up at night.