This is part two of a two-part cybersecurity series.
As mentioned in part one of this two-part series, ethical hacking involves people who are legally hired to hack into data systems in order to expose the system's weak points. These weak areas can then be strengthened. Overall, organizations, with the help of professional ethical hackers, can bolster their system security to prevent their systems from being maliciously hacked.
Dave Howard, otherwise known as "Dave The IT Guy," has been a certified ethical hacker since 2009 and is the weekly host of the iHeartRadio app podcast "Bring Your Own Security." Regarding the definition of ethical hacking, Howard said it's important to keep the word "ethical" in mind.
"Many folks hear the word hack and instantly think bad guys, or criminals, or some government agency. Ethical hacking is when a person who has the same technical knowledge and skills as the bad guys uses those capabilities to help organizations see their shortcomings and how to fix them, again from the hacker's point of view," Howard said.
Howard's journey to becoming an ethical hacker began when he was working in his first IT-related position.
"I started in the IT field almost 20 years ago as a basic break/fix tech. Printers, keyboards, monitors, anything that could break, did. As I would spend nights or weekends reading about topics and trying things out on my own, the security field really became an interest. I studied for various certifications because, back then, that's how you could prove that you knew how to do the things you said you could do," Howard explained.
Howard said he discovered he had an interest in tech security and worked hard to learn as much as he could with the limited time he had.
"For about two years, I taught myself some basic and intermediate level hacking skills and practiced them against computers I owned, or my company's computer systems (with permission, of course)," Howard said. "During this time, I was still working a regular 40-50 work week doing things like building servers, installing wireless systems, installing routers and switches, all trying to be a well-rounded IT person with a very wide breadth of knowledge and hands-on experience. I was also a husband and father, so for someone to just say 'I want to be an ethical hacker' requires you to stay up late while the family is sleeping, getting only 3-5 hours of sleep before work, just to find the time to learn and hone your skills."
Howard got the chance to hone those skills in 2009 when the company he was working for decided to send him, and four other employees, to a two-week "Hacking School" program to help them learn more advanced hacking techniques. Howard explained that after he returned from hacking school, "a new division of our company was formed to sell PenTests (Penetration Testing) to clients and I was one of the five that would go and do the work. Sometimes it took only one of us, sometimes it took all five of us. There were a few times the PenTests were more than three months in length, having us really dig deep and look for all the ways a hacker could steal data or damage systems."
Since then, Howard has continued down the ethical hacking path. Regarding what he thinks the general public should know about ethical hackers, he said "ethical hackers are exactly who you want working in your company or at least advising the IT staff in your company. We WANT to be the good guys and we want to be able to stop the governments, the criminal organizations, the stalkers, and anyone else that uses the internet and illegal methods to stalk someone, steal their identity, or their company's way to make money."
He explained that there are many cyber threats that people should be aware of. After all, identity theft and other cybercrime can affect anyone and shouldn't be underestimated.
"In today's world, email with links and attachments, social media messaging, and postings and even text messages coming to your phone are the most likely culprits to getting your data, money, or identity," Howard said. "The bigger threats like an Equifax hack is simply something you cannot control. If a company has your data and they don't secure it properly, nothing you do will prevent that theft."
Howard provided a painful, personal example:
"My wife's computer was hacked about five years ago. She got an email from her sister (which was fake) and she clicked the picture that was sent. Several days later, a visit to the local branch of our bank informed us how we went from more than $7K cash to about $300 cash in a matter of hours. We found that the hackers had gained physical access to her hard drive and she had created a document that had all of her passwords that she could never remember. They found that document, went to our bank's website and, logging in as her, initiated several overseas wire transfers to bank accounts that were closed as soon as the money arrived and was withdrawn. It was a very painful process to go through the bank's investigation to ensure WE were not trying to commit a fraud to keep our money and get theirs too. Also, back then, the local and regional law enforcement entities were still very new to cybercrime and really didn't have any resources or knowledge on how to help with something like this. A report was filed, questions asked and answered, then thankfully, through the FDIC and other entities, our money was refunded to us. But that was a seven-month process that left a virtual scar."
To avoid becoming a victim of a cybercrime like he and his wife were, Howard advised that you "keep one email account that you NEVER promote/give out to the everyday person, etc. Use it ONLY to sign up for secure things like bank accounts, 401K, insurance, and any other private, financial place that you may need to login to. Don't give it to anyone else, so the likelihood of getting a fake email to that account is far less."
He also suggests that you "get a prepaid debit card from any number of sources and put money on it. When you shop (online or in a store and swipe it through) if it gets compromised (like the Home Depot hack a few years ago), the only money you can possibly lose is what is on the card at that moment. If someone happens to get it while online, again, you can only lose a small amount."
Howard said it is important to "educate yourself on how to read a domain name. There are MANY ways to very easily trick someone into thinking they're going to the correct website. If you understand how domain names (URLs) work, you'll know within 10 seconds if you are going to a scam website or not."
He added, "don't post private info such as address, phone number, kids' names, etc., on a public forum. Even a Facebook page that you think is private to you and your friends has been proven recently to truly NOT be private. If you must send that type of info, there are free methods to encrypt the info via text, or at least post it online in a way the automated data-stealing programs won't get your information."
It all boils down to how cautious people are in their daily habits and interactions, Howard explained.
"I think, in the end, that people cannot have the attitude or way of thinking that included 'Well, I can't stop it, so why try?' Or they might think 'I'll never shop online or do banking, so I'm safe.' Both of these assumptions are wrong. With technology the way it is today, we have to be diligent about how we do things (see the advice given previously). But if you don't shop online and write a check at the store or mail it in to the utility company, the exact same info on that check (your name, address, routing number, and account number) is more than enough info to steal your identity or initiate a wire transfer by someone who knows their way through and around banking rules," Howard said. "Simply putting your head in the sand and thinking 'I don't know anything about computers' isn't good enough anymore. You must get educated on these topics, or have someone around you that you trust to monitor these sorts of things for you."
May 7th, 2021
October 1st, 2020