What are the qualities required to become an Ethical Hacker?
Interview with Fabien Spagnolo, Head of Ethical Hacking and Technical Assessment at Orange Cyberdefense.
In the movie War Games, David Lightman, a self-taught computer genius, occasionally hacks video games. While he thinks he’s at the controls of a new virtual game, he’s actually just broken into a U.S. Army computer. Thus begins the plot of the film and our meeting with Fabien Spagnolo, Head of Ethical Hacking and Technical Assessment at Orange Cyberdefense.
Since first watching the film, which was originally released in 1983, Fabien has been a big fan of the fight against cyber threats. We discussed Ethical Hacking, his unusual job role and the qualities required to become a “White Hat”.
Explain Ethical Hacking to us.
Fabien Spagnolo – Our job is to evaluate our customers’ level of protection against cyber threats. We test their infrastructure to see if it has vulnerabilities that would allow a malicious and motivated hacker to enter their defense system. To do this – with their consent – we attack them like a hacker would.
Our method? Understand those who perform this type of cyber crime and emulate their modes of operation. We replicate the techniques and means they could put in place to reach our client’s security ecosystem. There are many ways to attack a target. Websites, networks, applications, e-mails but also telephones and access badges to certain premises…at Orange Cyberdefense, we verify all potential intrusion points to organisational systems.
Are all the 60 ethical hackers on your team Mrs or Mr Robot?
There are many different hacker portraits generated by TV and movies. Good and bad. More or less close to reality. There are similarities between real-life and fictional scenarios. Like the characters in some of these fictions, we have really brilliant people.
However, fictional characters are often caricatures. Ethical hackers do not live in the dark, we do not wear hoodies, we are social beings and we communicate. I am especially interested in these last two traits – both for potential new recruits as well as for the existing team.
Why this requirement?
Because it is part of our activity to reassure our clients and to provide them with our conclusions in an intelligible manner. It is essential to adapt our language in order to effectively explain to our customer how we proceeded and how to correct the vulnerabilities we found.
That is why, when I receive a resume, in addition to the technical skills I look at whether the candidate has the communication and interpersonal skills required to succeed. Participation in the university’s junior company, in the student council or in team and associative activities can be proof points of these skills.
When you were 9 - 10 years old, you were learning computer programming on your own. You were doing reverse engineering. Do you have to start early, practice at home and be self-taught?
Not everyone has a professional vocation early on in their lives. My story was mainly driven by curiosity. If this curiosity develops early, it’s an advantage. A good ethical hacker is a very curious and resourceful person. She or he digs, tries to get around the security defences and doesn’t stop at the first hurdle. If she or he does not feel the desire to go deeper, to look further, to go behind the scenes, and to persevere, this is probably not the right role. As for already practising ethical hacking, this shows the candidate’s motivation and will likely increase our interest to recruit her or him.
Of course, ethical hacking must be done legally. To practice, there are hacking challenges and legal hacking platforms. Candidates can test their skills, get a score and get listed in rankings. If they mention they participate in these challenges at the interview, we look at their ranking. I would say that you have to be self-taught, have this curiosity, the desire to contribute to cyber security projects, to be proactive. Whilst this does not fully replace a solid technical background, it enriches it.
When a young candidate comes to see us, she or he must already know about networks, systems and even better if she or he already knows how to use some specialist tools in the field (Nessus, Burp, Metasploit).
We do not close doors to atypical profiles if they possess these skills.
The majority of candidates that come to us today have followed a computer engineering course, some with a Master’s degree in cybersecurity.
Threats are becoming more complex, and unexpected. How to stay ahead of what is elusive?
The ecosystem of professionals and the community of ethical hackers is highly skilled.
The best way to stay up to date on threats and the needs of our customers is to participate in conferences like Hack in Paris and Black Hat, for example.
Orange Cyberdefense participates and contributes to both. These conferences are also a great opportunity to meet the profiles we are looking to hire: auditors, penetration testers, project managers.
Internally, we regularly organize a “Tech Lunch” on Fridays. These are important team moments during which we exchange information and learnings from events we have attended, like the Toulouse Hacking Convention or Hack Night. We share customer issues and feedback, and we tell each other what we have read and heard during the week or during the month.
How do you see the evolution of the ethical hacker profession?
Our role is already evolving: it no longer consists solely of an exhaustive survey of technical vulnerabilities. We go beyond this to assess more broadly the effectiveness of detection and response devices (SOC). We will have to establish an even closer proximity with our customers and their business context. Finally, the evolution of the profession will logically follow the evolution of hacking techniques. This includes a priori an increased diversification and sophistication of attack vectors.
About the blogger
Fabien Spagnolo is head of Orange Cyberdefense Ethical Hacking activities and has over 16 years of experience in cyber security.
Following courses at IUT Informatique in Lyon and a Master’s degree from Epitech in Paris, Fabien Spagnolo joined a security solutions integrator. During this first role he began to perform intrusion tests for customers.
In 2009, he joined Lexsi, a cyber security services firm. As a project manager, he led pentest audits and further extended his skills via audit, compliance and SSI governance projects related to ISO 27001. He moved to Lexsi’s Consulting division to lead a team of 10 consultants working to develop customers’ security policies, perform risk analyses and solution benchmarks. He moved on to lead the Orange Cyberdefense Ethical Hacking team in 2016.