Cybersecurity

Attacking her own company – as an ethical hacker

Pallavi Raja attacks. Every day. The IT security expert tests IT systems and applications for vulnerabilities, obtains access and tries to gain control. She’s not doing this for her own ends, though – her job is to protect the company.


A serious topic for virtually every company

“I test the IT systems, look for vulnerabilities, and offer proof-of-concept attacks in order to show that the attacks are feasible. I also make recommendations to the developers, so that they can eliminate the vulnerabilities found”, explains the 29-year-old. She is part of a team that specifically looks for weak spots that external hackers could also exploit. In this daily hi-tech Good vs. Evil thriller, it goes without saying that Pallavi Raja is on the good side: “As an ethical hacker, I’m what’s known as a ‘white hat’, and my job is to protect the company against attacks by ‘black hats’.”

What sounds like an amusing computer game is a deadly serious topic for companies like ERGO. The number of IT attacks is constantly rising, as is the damage they cause. That’s why ERGO employs its own specialists whose job is to pretend to be enemy invaders and identify weak spots: white hats like Pallavi.

IT specialists like her have their own language, with terms like “white hat” and “black hat” or “zero day”. The latter refers to an unknown software security flaw which hackers can exploit to insert a virus or trojan. This flaw is called “zero day” because the software user has been aware of it for exactly zero days – in other words, not at all. Ethical hackers also talk about “penetration testing”, when they test the security of all system components.

Attack to protect

A typical working day for Pallavi Raja: “We’re currently carrying out penetration tests for a new web application before it goes live.” So how long does testing like this take? “For thorough testing, we usually need a week. I try to gain illicit access to the website, gain administrator rights, insert malicious payloads in the user input field, obtain unauthorised access to the database and finally gain full control of the system, check it for bugs and other flaws. The penetration test ends with a report to the client on the weak spots identified during the test – including our recommendations for eliminating or reducing these vulnerabilities.”

The clients are never annoyed at the results, but are relieved. “Our colleagues are grateful if we find any serious errors. In fact, one even invited us for coffee, which was very nice”, recounts the ERGO employee. Once a critical vulnerability has been eliminated, Pallavi Raja and her colleagues test the applications or IT systems again. “If everything is then OK, we send our final report.”

A race between good and evil

How do ethical hackers manage to keep up with their adversaries? Quite simply, they keep on learning. “We do online training, for which we get certificates. We also attend European hacker conferences like hack.lu in Luxembourg.” There, Pallavi Raja and her colleagues meet IT experts from all over the world and bring themselves right up to date on information security. “This exchange is very important for us: What vulnerabilities have other white hat hackers found at companies and what new modes of attack have they discovered?”

“Better us than others”

Pallavi Raja loves her unusual job, and now finds it completely normal to be encouraged by ERGO to do something that would otherwise be illegal: “It’s better that we do it, rather than an external hacker.” And how does she protect herself against all types of cyberattacks on her personal devices? With tried-and-tested, comprehensive protection. Which is also what she recommends to all her ERGO colleagues: “I always have an up-to-date antivirus program installed, always use the latest software updates and am cautious on the internet – and especially so with emails that have links or file attachments.”

Text: Ingo Schenk