We adressed theese issues in our conversation with Stefano Aimonetti, OmnitechIT Security Analyst.
In today’s society, where companies are increasingly open to the world but, as such, more vulnerable to external threats, knowing IT security and becoming an expert in this subject have become relevant topics, especially because companies are struggling to find qualified personnel in this area.
What do we mean by Penetration Testing?
It is a simulation of a real IT attack, where the vulnerabilities detected are effectively exploited, towards a logical location or all the infrastructures of a company. So you put yourself directly in the shoes of a hypothetical attacker, trying to steal information, to ‘breach’ the site, to compromise services of a company so as to demonstrate how a technological vulnerability can cause financial damage (we have many examples of companies that have been ruined due to information exfiltration).
It is very important to know very well the methods used by the “bad guys”, stay up to date on new attack techniques and study the moves of the “enemy” to replicate them to our advantage and find appropriate countermeasures to increase the security level of the Company.
It is a simulation of a real IT security attack, or an attack as real as possible, towards logical location or all the infrastructures of a company. You put yourself directly in the shoes of a hypothetical attacker, trying to steal information, to breach the site of a company.
There are different kinds of hackers. Here below the split:
Black hat hackers are responsible for creating malware. They’re motivated by personal or financial gain, but can also participate in espionage, protests, or merely enjoy the thrill. Black hat hackers can be anyone from amateurs to highly experienced and knowledgeable individuals looking to spread malware, steal private data, like login credentials, along with financial and personal information. These hackers either steal, manipulate, or destroy system data.
Also known as “ethical hackers,” they’re often employed or contracted by companies and governmental entities, working as security specialists looking for vulnerabilities. While they employ the same methods as black hat hackers, they always have permission from the system’s owner, making their actions completely legal. They implement strategies like penetration tests, monitor in-place security systems, along with vulnerability assessments.
These individuals utilize aspects from black and white hat hackers, but will usually seek out vulnerabilities in a system without an owner’s permission or knowledge. Grey hat hackers aren’t malicious by nature, but do seek to have their efforts rewarded. Since grey hat hackers don’t have permission to access the system by its owner, their actions are ultimately considered illegal, despite any alarming findings they might reveal.
Being a “hacker”, white black or grey, identifies people with similar mindset. They are curious, have a strong problem solving attitude and the inner passion to discover how things work and how to change them (hopefully for the good).
This attitude could be found by example in the professional Video Games Players world, where teenagers are often passionate for strategy games. There you see the same passion, the same instinct and the same research to “capture the flag” (in jargon means “achieve the final mission”) that you recognize among Cyber Security specialists and hackers.
If not coming from gaming, another entry gate for hacking is the simulation. For example, if a student wish to learn and test his abilities in term of hacking, he/she can access specific labs, very often through a VPN (Virtual Private Network), which host vulnerable machines created ad-hoc to replicate attack scenarios (more or less realistic) in order to completely compromise the server. Often these are real challenges where the user must combine technical skills to “think out-of-the-box”, as happens in real activities.
Every conquered machine is a ‘flag’. At the end of the session, the moderator of the game establishes a ranking (the ones who ‘capture the flag’ on the top), and the winners take “points”. Considering that some ‘flags’ need special or even exceptional capabilities, only the expert can catch the flags, and could even be noticed possibly by security companies to offer him/her a job (unless black hackers gang are quick to recruit them beforehand!).
Security is one of the few disciplines where young generations can smoothly shift from gaming to work, leveraging game passion, curiosity, instinct, learning and making experience available for free in the web and, why not, make money. And they have by far more fun, compared with a traditional University approach.
Do you need a University degree to become a Security specialist? We could answer: not strictly required.
For example, both penetration testing and hacking do not require a specific University degree. This is because a lot of the information for these professions is online. The only limit for your skill improvement is your curiosity and your will to go and get this info. What the University could give you instead is method and approach, relationships and networks, knowledge sharing, etc. But your approach makes the difference. And even this could not be enough.
As reiterated, the knowledge basis for being an excellent CyberSecurity specialist are spread over the web and need constant updating.
Security matters change and evolve 5/6 time faster the speed of any other knowledge area. Needless to say, the traditional “8 hours” approach is not feasible. Being always up-to-date is actually a must. You study all life long, and this can also make you feel constantly alive and willing to do more and better.
Moreover, on this specific sector you need a transversal knowledge: you need to have a good base of networking, databases, operating systems, programming, application servers, enterprise products, etc. because you can never know what you will do in the next activity.
There are certifications that are mandatory to participate in Bids or public tenders. Without them, you cannot apply for the official tender. In addition, there are other certifications that are specific to Security but not so mandatory.
For example, there is a certification for Hacking for which the final exam lasts 24h and you must ‘capture’ and ‘unlock’ all the machines during the given period of time. It is a simulation of a true job, including the planning and reporting.
There are also certifications called Badges, that certify you have certain skills and capabilities. The IBM Corporation, for example, provides online certifications and Badges for Security with a variety of 113 different trainings.
If you are working in the Cyber Security industry or are interested in getting into the field, it is important to stay up to date on the latest trends and advancements. Reading blogs and checking in on popular websites is one of the best ways to do this. Here are a handful of our favorite cyber security blogs and websites, CLICK HERE.
There are plenty of Training as Massive online open Course. This is one example, but you can see offers from a long list of prestigious Universities across the world by CLICKING HERE.
There are multiple initiatives sponsored and driven by OmnitechIT. In fact, there is a dedicated department and a person responsible appointed to run Training, Education, external Courses, etc.
I recall I started my experience in OmnitechIT I attended in Rome ad hoc training about penetration test and hacking, driven by 2 skilled colleagues, Pietro Minniti and Alessandro Morsicani.
It is a fundamental activity for any Specialist and technical role within the Company to keep competences aligned with the latest market evolutions. OmnitechIT training and courses are potential options for people in technical roles within the company.
Cyber Security roles will be increasingly demanded by companies to protect themselves from today’s and future cyber threats.
The preparation for the role of Cyber Security Specialist starts from a scientific basis and through a mindset/attitude oriented to continuous learning, flexibility and problem solving skills.
The market offers important amount of online resources through which you can be constantly updated on best practices, and you can set a network with peers and experts in the field at worldwide level.
OmnitechIT is committed to cultivate, develop, identify and recruit talents in Cyber Security, in Italy and across other European countries.
OmnitechIT Team counts an important number of security experts and technicians dedicated to Cyber Security that can be a great resource for those who start working and have to manage effectively complex problems.
OmnitechIT Group fosters, whenever possible, the development of a culture of Cyber Security and data protection at national level. Through internal educational initiatives, with important Italian Universities and High School institutes.