This white-hat hacker is using his elite skills to protect companies from cyberattacks.

If Hollywood is to be believed, hackers are always brilliant but awkward teenagers who spend their days and nights in their mom’s basement stealing military blueprints or taking down multinational companies.
Craig Swan could not be any further from this archetype. With a colourful history in the cybersecurity industry, he’s worked as an ethical hacker and security analyst at some of SA’s biggest financial services companies. Here, he is employed to think like a hacker so that he can protect the business from malicious attacks. We asked him how he goes about getting things done.
How should we think about cybersecurity?
One of my heroes is a guy called Charl van der Walt, a co-founder of cybersecurity firm SensePost. He would say that you don’t need to outrun the lion if you can outrun the guy next to you. Basically, if you make it really tough for someone to attack you, the bad guys will go somewhere else. Ultimately, it’s important to act proactively, rather than reactively.
What does an ethical hacker do, exactly?
Hacking is like trying to change the spark plugs in your car through the exhaust pipe. You kind of know where things should be and how things work, but you only have a small window into what’s happening inside. Ethical hackers break into systems to find any possible vulnerabilities and weaknesses. They will then share this information with the people who created the software or the system so that they can fix it. It may sound corny, but ethical hackers generally want to make the world a better, safer place.
When I was starting out, I kept seeing the same problems over and over again, but no one was fixing them. So instead of just telling people that they were doing something wrong, I decided to work with them to do things better.
What is the most popular hacking myth?
One of the biggest misconceptions about hacking is that you can just sit down and hack anything if you’re good at it. Actually, most of it is about circumstance. You need an opportunity or a mistake that you can exploit. Without a vulnerability to exploit, you can’t actually hack into anything. Of course, with just a small piece of information, skilled hackers can research further and manipulate things.
Your advice for people getting into this field?
You need an offensive mindset and an understanding of what the bad guys can do. There are lots of internships with companies that generally offer their own training and boot camps. A university degree with a computer-science background is useful, but not essential. The main requirement is having an enquiring mind.
How has this industry developed in SA?
South Africa has a pretty good cybersecurity industry. There’s a different mindset in South Africa where the focus is on prevention. In America, for example, anyone can walk into a shop and swipe their credit card without ever putting in a PIN number or signing anything. In countries like this, they rely on serious consequences and law enforcement to deter people, rather than prevention.
Here, you’re spending money on security to prevent a potential crime, so you could be preventing nothing at all. If you have more serious consequences, you can spend less money and people are less likely to commit those crimes in the first place.
Will I get hacked?
Probably not. You need to ask why someone would want to hack you in the first place. If there’s a mass hack on a large social network and they got your password and username, chances are the average Joe wasn’t being targeted at all.
If you use unique passwords for all your different accounts and have multi-factor authentication, the chances of you being hacked are really low. But if you’re a wealthy person or you run a big business, you’ll have more people coming after you. It all comes down to what you have that others might want.