Everything you need to know (or almost) about ethical hacking

By La rédaction, 11 December 2025 at 10:08

From Tech to tech

So who are these new pirates? They don't wear eye patches or have hooks for left hands. They are sometimes referred to, less romantically, as pentesters and they are paid to find our vulnerabilities. Let's take a closer look at these modern approaches that are meant to help us, with Florian Ecard, who has been resolutely committed to this behind-the-scenes work from his base in Sophia Antipolis.

How do you become an ethical hacker?


The activity is relatively new and still shrouded in mystery. Not so long ago, no one talked about it at all. Over the past decade or so, it has become more commonplace, and the demand is no longer limited to large companies. Personally, I got into it in my fourth year of university. One of our professors gave us access to a vulnerable server and asked us to hack it. I discovered that there was a specific methodology for doing so and that I could make it my profession. For my end-of-studies internship, I worked at Deloitte in Amsterdam on a pentesting assignment. I was hired straight afterwards and that launched my career.


When I returned to France, I had trouble finding work as a pentester and really felt that France was lagging behind in adopting this approach. In terms of cybersecurity, we were mainly using methods based on defence checklists. So I worked in defensive cybersecurity until 2018, when I decided to start my own business and return to pentesting. Today, 100% of my work is in offensive cybersecurity, 80% of which is ethical hacking. We also carry out phishing campaigns and train developers and network engineers in hacking practices so that they understand in concrete terms what they need to protect themselves from.


Trust is a real issue in our business. Hackers have technical capabilities that are generally frightening. We can test systems in black box mode, i.e. completely independently, without receiving special access from the company's Chief Information Officer (CIO), and we can also test with authorised access in order to identify as many vulnerabilities as possible. When we are given specific access, it establishes a very strong relationship of trust.


We always step in after the risk analysis has been carried out upstream by the CIO or the chief information security officer (CISO). This analysis covers the basics of cybersecurity: backup, firewall, EDR, proxies, etc. We come in once this analysis has been done and the CIO believes that the company's networks are secure. We test everything methodically and systematically. Is authentication secure? What are the vulnerabilities of the services? How is the SSL certificate configured? I have never submitted a blank report. Each flaw is explained in detail in a report that we submit to companies, including a description of the anomaly and its impact, recommendations, and evidence so that the company's internal services can reproduce the bug. We stop at making recommendations; we don't make the adjustments. If we work with a company for two weeks, there can be up to six months of work behind it if all our recommendations are implemented. The follow-up work by the company's developers is fundamental because, in order to better protect themselves, it is imperative that they understand that a particular way of coding can lead to a particular vulnerability. It is only by making internal adjustments that information systems can be strengthened.
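The methodical checks mentioned above (is authentication secure, how is the SSL certificate configured) are exactly the kind of thing a company's own engineers can verify for themselves before a pentester does. The following is an added Python example, not code from the article or from the interviewee's company: it takes a certificate in the dictionary form that Python's `ssl` module returns from `getpeercert()`, checks that it covers the expected hostname, that it is not expired or about to expire, and that no obsolete protocol version was negotiated, and lists what it finds in the severity/description shape a report would use. The sample certificate, hostnames and dates are constructed; the optional live-fetch helper is meant to be pointed at your own host.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Not a real certificate: names and dates are made up for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "app.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "version": 3,
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Mar  1 00:00:00 2025 GMT",
    "subjectAltName": (
        ("DNS", "app.example.test"),
        ("DNS", "*.internal.example.test"),
    ),
}

EXPIRY_WARNING_DAYS = 30
# Protocol names as returned by SSLSocket.version(); none of these should be negotiated.
OBSOLETE_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def cert_time(value):
    """Convert a certificate timestamp string ('Mar  1 00:00:00 2025 GMT') to epoch seconds."""
    return ssl.cert_time_to_seconds(value)


def hostname_matches(cert, hostname):
    """True if a DNS subjectAltName entry covers hostname.

    Wildcard rule kept deliberately strict: '*' is accepted only as the leftmost
    label, matches exactly one label, and needs at least two labels after it.
    """
    labels = hostname.lower().split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().split(".")
        if len(pattern) != len(labels):
            continue
        head_ok = pattern[0] == labels[0] or (pattern[0] == "*" and len(pattern) >= 3)
        if head_ok and pattern[1:] == labels[1:]:
            return True
    return False


def assess_certificate(cert, hostname, now=None, protocol=None):
    """Return a list of (severity, description) findings; an empty list means nothing to report."""
    findings = []
    now = time.time() if now is None else now
    not_before = cert_time(cert["notBefore"])
    not_after = cert_time(cert["notAfter"])

    if now > not_after:
        findings.append(("high", "certificate expired on %s" % cert["notAfter"]))
    elif not_after - now < EXPIRY_WARNING_DAYS * 86400:
        findings.append(("low", "certificate expires within %d days" % EXPIRY_WARNING_DAYS))
    if now < not_before:
        findings.append(("high", "certificate not yet valid until %s" % cert["notBefore"]))
    if not hostname_matches(cert, hostname):
        findings.append(("high", "no subjectAltName DNS entry matches %s" % hostname))
    if protocol in OBSOLETE_PROTOCOLS:
        findings.append(("high", "obsolete protocol negotiated: %s" % protocol))
    return findings


def fetch_certificate(hostname, port=443, timeout=5.0):
    """Connect to your own host with the default verifying context and return (cert, protocol)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(), tls.version()


if __name__ == "__main__":
    # Offline run over the constructed sample, evaluated as of a fixed date.
    as_of = cert_time("Feb 15 00:00:00 2025 GMT")
    for severity, text in assess_certificate(SAMPLE_CERT, "app.example.test", now=as_of, protocol="TLSv1.3"):
        print("[%s] %s" % (severity, text))
    # For a live check of a host you operate:
    # cert, proto = fetch_certificate("app.example.test")
    # print(assess_certificate(cert, "app.example.test", protocol=proto))
```

Run offline, the sample produces a single low-severity finding (the certificate is two weeks from expiry); the three high-severity cases (expired, wrong host, old protocol) only appear when the inputs trigger them, which is what the report separates for the developers who follow up.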


What types of companies use your services?


Any company that has an information system – in other words, a computer network – is susceptible to hacking, simply because it is connected to the internet, and anything connected to the internet must be secured. For digital service companies that develop applications, vulnerability begins with the first employee. For others, I would say that it starts with around 30 employees. The risk must of course be assessed according to the nature of the business. With 50 or more employees, it is rare not to be affected. At my level, I work mainly with SMEs. Although there is more competition today than there was fifteen years ago, the market remains huge and there is room for everyone. I’ve also noted that the profession is becoming increasingly attractive. I receive requests for work-study programmes every month.


What are the challenges?


It is important to note that, according to regulations, companies that are hacked are required to report it. In France, essential entities, important entities and OIVs (Organismes d'Importance Vitale, or entities of vital importance) are subject to mandatory penetration testing and the organisations that hack them must have PASSI certification (Prestataires d'audit de la sécurité des systèmes d'information, or information system security audit providers), which is issued by the Agence nationale de la sécurité des systèmes d'information (ANSSI, or National Information Systems Security Agency). These entities, which are subject to such constraints, cover strategic sectors (finance, energy, transport, communication, etc.) and are at high risk of exposure to cyber-malicious acts. However, it should be noted that this PASSI certification remains difficult for small pentest companies to obtain. It is expensive and the administrative process is quite burdensome for small organisations. ANSSI has just created another certification, known as ‘substantial’, which appears to be more accessible.


At European level, several regulations have come into force. Since January, DORA (Digital Operational Resilience Act) has imposed digital security obligations on all financial operators in Member States and their service providers. This applies to credit institutions, investment firms, payment and electronic money institutions (including crypto-assets), insurance and reinsurance organisations, cloud and outsourced backup service providers, hosts of sensitive data, publishers of critical software, particularly those related to cybersecurity and payments, and providers of electronic signature and digital identity services.


It complements the NIS 2 Directive – Network and Information Security – which recommended that essential entities, important entities and OIVs use security solutions certified by ANSSI to ensure data security (several technologies are possible, including end-to-end encryption).


What needs to be understood more generally is that, given the increase in cyberattacks and the global context, control requirements are everywhere, from the most critical sectors, including their subcontractors, to very small businesses. Offensive cybersecurity is more relevant than ever. The challenge now is to find those who remain ethical...

Published in magazine No. 50 (September, October, November)
