That's what an ethical hacker does

IT expert Pallavi Raja works as information security officer at ITERGO

People & stories, 26.07.2019

Pallavi Raja spends all day attacking ERGO, from first thing in the morning until it's time to go home. The IT expert attacks websites and networks, gains illicit access and edits data. But she's not doing this for malicious purposes or for personal gain: she's employed by ERGO and ITERGO specifically to hack into our systems. Pallavi Raja is an ethical hacker, and her job is to protect the company.

Looking at her, you would never guess that she earns a living doing something that under ordinary circumstances is dangerous and criminal: Pallavi Raja is an amiable, slightly shy young woman. Originally from India, she gained a master’s degree in Electronics Engineering from the University of Bremen and joined ERGO as an information protection expert in April 2017. Since April 2018, she has been one of ITERGO’s information security officers.

White Hat that protects against Black Hats

So what does that involve, exactly? "I test the network systems, hunt for vulnerabilities and offer proof-of-concept (PoC) attacks in order to show that the attacks are feasible," explains the 28-year-old. She is part of a team of four and her job is to look for weak spots that potential external hackers could exploit. In this daily high-tech Good vs. Evil thriller it goes without saying that Pallavi Raja is on the good side: "As an ethical hacker, I am a so-called 'White Hat'; my job is to protect a company against the attacks of 'Black Hats'."

What sounds like an amusing computer game is in reality a deadly serious topic for large enterprises like ERGO. The number of hacker attacks is steadily rising, as is the damage these attacks cause. ERGO employs a team of specialists whose job it is to pretend to be enemy invaders and identify weak spots: ethical hackers like Pallavi Raja.

IT specialists like Raja have their own language, which uses terms like "White Hat" and "Black Hat". Or "Zero Day". The latter refers to a software security flaw that is not yet known to the vendor or users and that hackers can exploit, for instance by inserting a virus or a trojan. The flaw is called a zero day because the software user has been aware of it for exactly zero days, in other words not at all. Another term frequently used by ethical hackers is "penetration testing", when they test the security of all system components.

Attack to protect

Pallavi Raja and her co-workers receive their assignments from ITERGO project managers. A typical brief could be to carry out penetration tests for a new website before it goes live. So how long does a test like this take? "Usually roughly a week. I try to gain illicit access to the website, gain administrator rights, manipulate content, check it for bugs and other flaws. If we identify any critical findings, we let the project manager know so that these errors can be rectified immediately. Once testing has been completed, we send a report with the results plus our recommendations."

The project managers are never annoyed at the results, but relieved. "Our colleagues are grateful if we find any serious errors. In fact, one even invited us to coffee, which was very nice." Once the security flaw has been fixed, Pallavi Raja and her co-workers go back and test the website or network system again. "If everything is ok, we write our final report."

A race between good and evil

How do ethical hackers manage to keep up with their adversaries? Quite simply, they keep on learning in order to stay ahead of the latest developments. "We do online training and get certificates. We also attend European hacker conferences." Here, Pallavi Raja and her colleagues meet IT experts from all over the world to get the latest information on information security. "This dialogue is very important for us: which security gaps have other White Hat hackers exposed, which new modes of attack have they discovered?"

Better us than others

Pallavi Raja loves her unusual job, and she finds nothing strange in being encouraged by ERGO to do something that in other hands would be completely illegal: "It's better that we do it than others!" So how does she protect her personal computers against cyber attacks? Raja's recommendation for her ERGO colleagues is to ensure they have tried-and-tested, comprehensive protection: "I always have a good, up-to-date anti-virus programme installed, always download the latest software updates, am cautious in anything I do online and vet websites to check they are trustworthy."

By Uli Dönch