You are known as an ethical hacker. Could you tell us more about what got you started?
Going back six or seven years, I relied on Twitter to publish some vulnerabilities that I found in either mobile applications or websites. My analysis work also encompassed governmental websites or applications in specific countries, such as India, the U.S., France, Russia, or even China.
Curiosity is the main reason why I got started in cybersecurity. I wanted to know more about what was inside my own smartphone, and how it all works: this was the core motivation that drove me at the time to become a hacker. Indeed, a hacker is a person who wants to understand how digital tools, software, and overall systems are working, the idea being to test their limits and find a way to misuse the system so as to find the vulnerabilities.
How would you define ethical hacking, and what role do you believe it plays in the broader landscape of cybersecurity?
Ethical hacking is the practice of performing security assessments, relying on the same techniques that hackers use. The goal being to use and apply cyberhackers’ tactics and strategies to identify potential weaknesses and reinforce a company’s protection from both data and security breaches. In other words, ethical hackers aim to misuse systems and find vulnerabilities in order to alert and help threat-exposed companies. It is all about using skills to serve a good cause.
You founded the Predicta Lab platform back in 2020 to help people evaluate their digital footprint and identify their digital vulnerabilities. How does it work and what does it enable in terms of data management?
Predicta Lab was established back in 2020, and is actually an OSINT (Open Source Intelligence) platform. The idea is to protect our clients from digital threats. And we basically try to create some quality content in French, but also in English, regarding OSINT in general.
Predicta Lab consists of three main activities. The first one being to provide training, in the form of 3-day in-person sessions to either beginners or seasoned professionals. I for instance train students, journalists, or experienced OSINT analysts.
Second, we carry out online investigations and reports to underline the importance of digital footprint safety. Note that we all have a digital footprint, which can provide a lot of information about you. And this can be particularly hazardous for public people, such as politicians, CEOs, board members, etc. Regardless, it proves essential to reduce your digital footprint by deleting useless personal information from the Internet. So our goal here is to evaluate our clients’ digital footprint and eventually advise them on how to reduce it.
As explained earlier, we created an OSINT platform, which actually refers to a digital investigation platform which helps us and our clients search for anything. You can for instance enter an email address, a pseudonym, a company name, a phone number, or a full name in the search bar and, from that, the platform searches for information on the open web, the deep web, the dark web, and also messaging applications – among other sources. It helps investigators in their work as the platform helps them save time and obtain a good overview of the situation.
When it comes to data management, Predicta Lab of course complies with GDPR. As there is no dedicated legal framework for OSINT activities as of today, they need for now to fit into the existing European regulations in force – which in this case is GDPR.
How do you stay up-to-date with the latest cybersecurity threats and vulnerabilities, and what role does research and experimentation play in your work?
It can be challenging to stay up-to-date in the cybersecurity sector. I put in place a global application to help me in my daily monitoring. And during all these years, I have been updating a list of OSINT influencers and other experts. In parallel, I rely on Twitter to read the latest information on cybersecurity, trends, new tools, etc.
Besides, experimentation is indeed really important. For example, when a new vulnerability pops up, I test proofs of concept. And I am also trying to find proofs of concept myself. And as I do multiple conferences, it helps me boost my monitoring so as to stay up-to-date for each of them. I generally complete my presentations with demos. It is highly appreciated as it helps illustrate a given situation, and people want to see how it all works. This is why I do these experiments for my conferences.
Can you explain the process of conducting a vulnerability assessment on an organization’s data protection systems, and which factors do you consider when evaluating security controls?
When you start evaluating the security of a system, you have to focus on the basic notions. The first thing is the attack surface. You have to list all of the assets of the company. The latter has to know which information is available on the internet, what is exposed, and which systems are exposed, in case a hacker wants to target it.
Once there is a good view of the attack surface and the assets, you will have some systems which are more vulnerable than others. For instance, the main website is surely good-looking, with lots of features, and more secure compared to others, but you can have a website which is not very obvious because it is a subdomain’s subdomain, and this could be the entry point for hackers into the company’s data.
So the first phase is to list all the assets. And the other actions will depend on the type of the system found.
What advice would you give to organizations that are looking to improve their data protection and cybersecurity practices, and what steps should they take to minimize the risk of data breaches and cyber attacks?
The first thing I have to say is: you will be hacked. It is indisputable. This is not a matter of if, but rather of when it will happen. And when you switch to this mindset, you have to ask yourself: “what do I have to do? How will I react?”.
There is a metaphor I use to illustrate this. In the military, soldiers train a lot and repeat the same exercises again and again. Why are they doing that? Because they want to have the right reaction once on the frontline.
And this is the same thing in cybersecurity. You should not wait to experience the attack to start thinking about what to do. It is important to prepare ahead of time the specific process to follow in case of a cyber attack. You need to know what to do in order to ensure business continuity, to restore everything, and isolate the attacker.
So the main piece of advice I would give on this is to train. Train again and again. Companies need to educate their employees to take care of security and acquire the right understanding. And also, you have to regularly test your infrastructures by both internal and external individuals in order to stay at a good level of security.