Ibad Shah and Etizaz Mohsin, two of Pakistan’s top infosec (information security) experts, have been invited to speak at the world’s largest and most notable hacker convention, DEFCON, in its Red Team Village.
While both of them have represented Pakistan at different global speaking gigs, this will be the first-ever representation at DEFCON.
In Red Team engagements, security professionals enact attack scenarios to discover the vulnerabilities in their infrastructure. It is a full-scope attack simulation to assess the security controls of the organization. This includes testing for not just vulnerabilities within the technology, but of the people within the organization as well.
Both Etizaz and Ibad are certified ethical hackers, infosec researchers, and professional red teamers (ethical hackers who test how well an organization would fare in the face of a real attack). Etizaz is one of the few in the world and the only Pakistani to achieve the most difficult certification (OSEE).
Being security enthusiasts, they have spent many years penetration testing and conducting vulnerability assessments. Ibad Shah alone has facilitated many companies – such as Huawei, ZTE, MuslimPro, and FourSquare – in testing systems’ defenses and fixing critical vulnerabilities.
For a layman, the term ‘hacker’ still has the ring of a malicious act conducted by programming wizards to harm an organization’s information security systems or steal critical data.
And the perception is not totally ill-founded, as in Pakistan and other parts of the world, such data breaches are not totally unheard of. Motivated either by malice or mischief, these hackers gain unauthorized access into computer systems by exploiting weaknesses or using bugs.
The vulnerability is only increasing as more companies move to the cloud and employ emerging technologies like artificial intelligence and machine learning. With the growing volume of information generated, collected, cleaned, analyzed, and monetized, there is also an increased risk of elements that will try to steal this information or hold it hostage.
This has given rise to a community of ‘bug bounty hunters’: hackers who are paid to find vulnerabilities in software and websites. Today, they are routinely hired by organizations to look into the vulnerabilities of their systems and networks and develop solutions to prevent data breaches.
Organizations allow infosec engineers to bypass their system security and identify the loopholes. This, unlike malicious hacking, is a planned, approved, and legal process.
“Ethical hacking is proving to be another multi-million dollar industry around the globe,” shares Ibad Shah.
“With predictions of skill shortage of around four million, the industry has huge gaps to be filled. Professionals currently working in the industry have been pursuing different educational trainings or learning on their own. This means if our universities start introducing cybersecurity in their curriculum, this will not only benefit the local industry here in Pakistan, but we will also be able to contribute on a global level,” he adds.
Ibad also pointed out that doing this can help boost the local economy through international remittances, as bug bounty hunters earn thousands of dollars in other parts of the world.
“We need regulators and law enforcement agencies to sit together, devise data security policy and asset classification on the national level, as well as build Computer Emergency Response Team (CERT),” shares Etizaz Mohsin.
“Corporate and govt. organizations need to adopt responsible disclosure programs allowing researchers like us to help them upscale their cybersecurity posture. At the end of the day, it’s all about working in good faith collaboratively,” he adds.