Not all hackers are bad. No, really, it's true! We aren't the biggest fans of people who steal your information for nefarious purposes, but there are a ton of upstanding people out there using hacking skills for good.
One such person is Agne Marija Bucyte, a Junior Ethical Hacker at Baltic Amadeus who has decided to turn her hacking skills and computer knowledge into her profession. As an ethical hacker, it is Agne's job to protect businesses from the bad guys and to help anyone who wants better protection online.
What is it like to be an ethical hacker in reality? What does their workday look like? And how can you become a white-knight hacker and get into the field? Well, we were lucky enough to sit down with Agne and ask all sorts of questions about ethical hacking.
Below is everything Agne had to say about life as an ethical hacker and how you can better protect yourself from those other hackers who've joined the dark side:
Q&A with Ethical Hacker Agne Marija Bucyte
What is ethical hacking? And how does it differ from general, black hat, or illegal hacking?
The difference between ethical hacking and black hat, or illegal hacking, is that ethical hacking is done with permission and good intent.
For example, suppose I am curious to test a local banking website (to do penetration testing). In that case, I must first email the bank and get permission to look for vulnerabilities or data breaches. Usually, a contract is drafted, and an NDA is signed. If I don't get such permission to do penetration testing, I may get myself into a lot of serious legal trouble.
Hacking without permission, even with good intent, is considered illegal. Therefore, permission is a big must. If I find any vulnerabilities, I have to report them to the bank and not share them with anyone else or make them known on social media. That's what the NDA is for.
So, basically, if I do the same without permission, it would be considered illegal hacking.
Black hat is when you are hacking without permission and with malicious intent. For example, to leak the data vulnerabilities and ask for a ransom, blackmail, or push a political agenda.
How can you get permission to hack a website?
Some companies have hacking competitions where they allow others to hack certain parts of their website. For example, Vilnius Municipality, my hometown, runs a contest called "Hack Me if You Can" to test its digital infrastructure.
If you are working as an ethical hacker at a company (like in my case), then the client directly hires you to do penetration testing. In this case, you also must sign an NDA and arrange all other pertinent details. For example, if you can or cannot test during working hours. Some clients ask for the testing to be explicitly done after work hours or specifically on weekends.
What's your story? How did you get into hacking in the first place? And how did you become an ethical hacker?
My story is a bit "random." I was studying programming engineering and taking English classes at the same time. One day the lecturer gave us homework to read an English book that would be related to our profession.
In my mind, I was definitely not going to read a book about coding languages because another part of the homework was to present a summary of the book to other students. So, I started looking into what I could read that would be interesting to other students as well, and I found a book, "Ghost in the Wires: My Adventures as the World's Most Wanted Hacker" by Kevin Mitnick. He's well-known as one of the most famous hackers in the world. The book was his autobiography, and it was completely fascinating.
While reading it, I got introduced to what ethical hacking is. Actually, the author was first doing illegal hacking and only later "transformed" into an ethical hacker. His story was super interesting and made me want to look more into hacking in general.
When I started working as a French Customer Success Manager at a VPN company, I noticed that they were gathering a group of 10-15 people interested in hacking. I volunteered and was accepted into the group. We were given tasks, and we would meet every two weeks to discuss the job and the issues or difficulties regarding the tasks.
After the course had ended and we completed the project, the company posted a job position for a junior hacker. I applied, but I did not get hired. However, I didn't want to give up as I realized that the cybersecurity industry has a ton to offer, and I wanted to learn more.
I later applied for the Junior Ethical Hacker position at a different company, and I got it. Ironically, I always told my friends that I would never be interested in cybersecurity, but here I am!
When I remember that I also applied for many other jobs at the very beginning before securing my first offer and didn't even land one working as a sales consultant at an electronics shop, I'm reminded of a quote: if one door closes, another opens.
What are the challenges of becoming an ethical hacker?
I'd say that the main challenge is that ethical hacking is not really beginner friendly because it is difficult to figure out where to begin, even though there is plenty of free material online!
My recommendation to others would be to get some kind of ethical hacking certification. For example, I have the CompTIA PenTest+ certification. This certificate covers the basics and is not as expensive as other certificates.
As for the practical part, the best way to start is by checking out the Damn Vulnerable Web Application (DVWA). Within this application, you can set the difficulty level, practice all types of penetrations, and increase the difficulty as you get better.
From what you just told me, it seems that the Ethical Hacker position should be in high demand. What's your experience with that?
Indeed, the Ethical Hacker position is in very high demand. Finding a job is very easy, and if you have the right experience, you will likely receive offers on LinkedIn almost daily.
What's the most impressive hack you ever accomplished, and what was your motivation behind it?
Due to the NDA, I cannot go into detail, but I'll try to explain it vaguely. I recently found a high-level security breach in the database of a client I work with. If a black hat hacker got their hands on this, the damage could have been catastrophic, mainly because the breach was in a customer database containing personal information.
Do you do any hacks in your free time?
Yes, when I find time, I look for companies that allow penetration testing for hackers outside of the company. I then contact them about details (contract and NDA). Once this is arranged, I start looking for security breaches and send the reports back. Usually, the breaches are not at a high level.
I must mention a few important things about these hacks: I always have to report the breaches back to the company and do not share them on social media channels. I cannot perform any denial of service attacks (DoS) that would disrupt their services. I can never exploit the vulnerabilities that I find, especially if they are in the customer databases.
How do you make a living? What is your day-to-day life as a hacker?
As I mentioned, I make a living by working as an ethical hacker for one company. People usually think that all I do the whole day is penetration testing or hacking. However, that's not the case. I also write articles about hacking.
Furthermore, I also prepare penetration testing reports for clients. This actually takes up the biggest part of my day. Within these reports, I need to explain in detail how I performed the attack, how it can be replicated, and what to do to avoid it in the future.
Another big task that I am responsible for is cybersecurity awareness training.
On top of that, I also do penetration testing after work. The current project that I am working on is the "Hack Me if You Can" project for Vilnius Municipality. When I have more free time, I also visit HackerOne, where companies give lists of sites you can legally hack.
To sum it all up, my day as a hacker usually consists of penetration testing, reporting, writing, and cybersecurity course preparation.
Could you tell us about any projects you are currently working on?
I am currently working on cybersecurity training for two separate clients. Such training is usually done once per year, and I have to prepare the material, slides, quizzes, etc., depending on precisely what the client wants.
Another project I am working on is network penetration testing. I am looking for vulnerabilities in the network and looking for any network security breaches. Once again, I cannot disclose many details due to the NDA I signed.
What are the best and worst parts of being an ethical hacker?
The best part about being an ethical hacker is that you are always learning something new. The cybersecurity field is ever-changing, and you can never stop learning.
The worst part, which I also mentioned as one of the best parts, is that there are so many new things to learn, and often you don't know where to start or what to learn.
Again, this is not a beginner-friendly field, and often you can feel lost. You have to put in a lot of effort and have serious motivation to become a good hacker. A lot of the time, people underestimate this profession and think it's easy.
What skills do you need to become an ethical hacker? How can someone acquire these skills, and are there any courses you recommend?
The main skill you need is the hacker mindset. By that, I mean that you have to be very curious, have extreme attention to detail, and like to "dig deep." If you don't possess these skills, you will most likely not find vulnerabilities as you have to be curious about every single function of a website and test it.
Also, you have to have a lot of motivation, determination, and patience, as it takes a lot of time and effort to look for security breaches and vulnerabilities on websites. Finally, you must have the desire to learn about ethical hacking, and keep in mind that you won't always be successful.
The best way to start is by acquiring a certificate. You can choose from many different certifications. My personal favorite choice is CompTIA PenTest+.
What is an ethical hacker really capable of? How does it compare with what people hear in the media or see in movies?
I noticed that hackers are usually portrayed as villains in the media. No one really talks about ethical hacking and its benefits. You hear only the bad stories.
However, hackers are often shown as the good guys in movies. For example, take "Mr. Robot." Hackers are portrayed as heroes, making you want to root for them.
Other movies about hacking are "Who Am I" and "The Girl with the Dragon Tattoo." These are great if you want to look at real hacker life and are curious to learn more about ethical hacking.
Of course, many opinions depend on the type of online search you do about hackers. If you are mostly interested in cybercrime, then this is the type of content you will be seeing most based on what you search for, but there are plenty of good stories online too.
I guess ethical hacking is generally not as attractive as it's usually a good or ordinary story, and that's probably why many people are unaware of ethical hacking.
Do you think that perhaps people are unaware of how dangerous the lack of security on the internet can be? And what are the most common security vulnerabilities you come across?
Yes, definitely. Usually, people are not taking cybersecurity seriously as they think it's not essential or will never happen to them—until it does. Also, many people don't want to put effort and time into cybersecurity, as they think that what they do is already enough, and most of the time, this is not the case.
In my opinion, it's better to learn from the mistakes of others than have your most precious data leaked into online forums due to weak passwords and little awareness about cybersecurity.
The most popular security issues among online users are passwords. People are using very weak passwords or the same passwords everywhere. A lot of the time, they don't even change the default passwords that are given upon registration. Also, 2FA is not commonly used among most internet users.
Another issue is phishing. People are unaware of what phishing is and often click on dubious links in the emails they receive. Since the pandemic started and more people started working from home, phishing attacks have increased significantly. However, people's knowledge about it didn't.
Finally, another common security issue is operating system updates. A lot of people simply ignore the newest updates, so they are much more easily exposed to security breaches. Make sure to update your operating system as soon as there are new updates.
Could you share some examples of the easiest hacks related to online users' lack of cybersecurity knowledge?
Once again, the easiest hack would be boosting password strength. The most common password is people's names or cities. Such generic passwords are easy, soft targets.
Also, after data breaches, people don't change their passwords when passwords are leaked, for example, in the 2012 LinkedIn breach. They remain vulnerable to hacker attacks, mainly if they use the same password everywhere.
What are people doing wrong that leaves them exposed to hacks? What tools or tips would you recommend to help regular people stay safe online?
They use weak passwords or the same passwords everywhere, or they don't update their passwords after data breaches.
My tip to others would be to better educate themselves about cybersecurity and phishing attacks and always use strong passwords.
I recommend checking if your email, password, or phone number has been compromised at HaveIBeenPwned.com and following ESET cybersecurity webinars.
Also, there is plenty of information about cybersecurity on YouTube. Everything is super easily accessible if you want to learn more!
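The breach check and password-reuse advice in the answers above, as an added example that is not part of the interview and not Have I Been Pwned's own code: it simulates the k-anonymity range lookup that service's Pwned Passwords API is known for (the client sends only the first five hex characters of the password's SHA-1 hash, the server answers with every matching hash suffix and its breach count, and the match is made locally so the full hash never leaves the client), runs it against a small constructed breach list, and then audits a set of constructed accounts for breached or reused passwords. All passwords, counts and account names below are made up for the example.

```python
import hashlib

# Constructed breach corpus: a few passwords with made-up occurrence counts,
# standing in for a real leaked-password list such as the 2012 LinkedIn dump.
CONSTRUCTED_BREACHED = {
    "password123": 120000,
    "vilnius2012": 340,
    "agne1990": 12,
}


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password (the hash form the range scheme uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached):
    """Group breached hashes by their 5-character prefix, as a range server would."""
    index = {}
    for password, count in breached.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


# Module-level index so the client-side functions below can be called directly.
INDEX = build_range_index(CONSTRUCTED_BREACHED)


def range_response(prefix, index):
    """Simulated server side: 'SUFFIX:COUNT' lines for every hash under the prefix."""
    return "\n".join(f"{suffix}:{count}" for suffix, count in index.get(prefix, []))


def breach_count(password, index=INDEX):
    """Client side: send only the 5-char prefix, match the 35-char suffix locally.

    Returns how many times the password appeared in the (constructed) breach data,
    or 0 if it was not found.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_response(prefix, index).splitlines():
        if not line:
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_accounts(accounts, index=INDEX):
    """Flag each account whose password is breached or reused from another account.

    accounts: mapping of site name -> password. Returns a list of findings as
    (site, kind, detail) tuples: kind is 'breached' (detail = count) or
    'reused_from' (detail = the site that first used the same password).
    """
    first_use = {}
    findings = []
    for site, password in accounts.items():
        count = breach_count(password, index)
        if count:
            findings.append((site, "breached", count))
        if password in first_use:
            findings.append((site, "reused_from", first_use[password]))
        else:
            first_use[password] = site
    return findings


if __name__ == "__main__":
    # Constructed accounts: one unique passphrase, one breached password used twice.
    sample_accounts = {
        "bank": "correct horse battery staple",
        "shop": "password123",
        "forum": "password123",
    }
    for finding in audit_accounts(sample_accounts):
        print(finding)
```

The point of the prefix/suffix split is that a breach-check service only ever sees five hex characters of the hash, which narrows the search to a few hundred candidates without revealing which password was queried; the reuse check is purely local and needs no service at all.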
Don't Try This At Home!
Diving headfirst into the hacking world without knowing right from wrong could land you in deep trouble. If you want to get involved with ethical hacking, follow Agne's advice and get certified.
There are a lot of malicious hackers out there, but there are just as many good ones working to make the internet a better, safer place. With passionate and capable ethical hackers like Agne leading the charge and secure online services like Internxt becoming mainstream, we should have the internet cleaned up in no time!