Ethical Hacking: A Misunderstood Field
By Andrea Villar | Thu, 06/17/2021 - 15:00
For many years, the word hacker has been associated with a person whose bad intentions threaten others on the web. Gradually, this concept has expanded, and even the Royal Spanish Academy (RAE) recognizes hackers as people with great skills in the handling of computers, said Rafael Bucio, CEO of TPX, a cybersecurity company specialized in researching new vulnerabilities and information technologies, at Mexico Cybersecurity Summit 2021.
The recent and increasingly constant attacks carried out by cybercriminals, and the way the media portrays these individuals, have made society “see hackers as villains,” said Bucio. But since the 1970s, there have been people revolutionizing the definition of hackers, paving the way for today's security professionals. One of them is Kevin Mitnick, an American computer security consultant who in 1995 was arrested for hacking into the security of companies and institutions such as AT&T and the FBI. “When he got out of prison he became a cybersecurity expert,” said Bucio. Likewise, John Draper, known as Captain Crunch, pioneered the first so-called “blue boxes,” which allow calls to be made anywhere in the world by replicating the whistle tone. With this invention, he managed to call the Pope and the White House. The concept of a hacker keeps evolving. “A hacker is not only a person involved in IT or software development, ethical hacking is also a way of life,” said Bucio.
What a Hacker is Not
To better understand the meaning of the word hacker, it is necessary to first understand what a hacker is not. According to Bucio, a hacker does not necessarily destroy or profit from other people's information. Nowadays there are different vectors that help cybercriminals to obtain information. One of them is within companies, he added, as there are insiders who may be employees or ex-employees looking to spy, make a profit or seek revenge for some kind of injustice.
There are also direct and indirect cyberattacks. Direct attacks are targeted attacks carried out by cybercriminals who “know that the company they target has economic resources and they focus on getting access to this company's information.” Indirect attacks, on the other hand, are commonly used for ransomware attacks. “Such attacks come in through vulnerabilities in operating systems or applications that have not been fixed. They are indirect attacks that come in through emails or randomly targeted public networks.” A case in point is the WannaCry ransomware, which targets computers using Microsoft Windows.
Cybercriminals are not only targeting end users, Bucio said, but also the industrial sector. These attacks, in addition to causing large economic losses, can also lead to the loss of life. Examples include cyberattacks that cause blackouts or put oil operations in danger.