In this interview with
March 17, 2024 •
How do hackers hack?
What tools and techniques are commonly used against organizations to gain unauthorized access into systems?
Where can we learn about the mindset of hackers and how to best protect our personal and professional data?
How can you disrupt (or stop) your information from being stolen?
WHO IS MISHAAL KHAN?
A few weeks back, I was in Las Vegas for the World Game Protection Conference as an invited keynote speaker covering ransomware stories. The presentation immediately prior to mine on the main stage was given by Mishaal Khan, who gave an entertaining keynote that demonstrated how hackers “do their thing” — often with information that is openly available to everyone online.
Not only did I enjoy and learn from Khan’s presentation, I had several follow-up conversations with him regarding cybersecurity, hacking, industry trends and much more. I was impressed with his passion, expertise and role as a vCISO and cybersecurity practice lead, in addition to his hacking roles. Mishaal is also an advocate for better online privacy, and he offers tips to audiences on how to protect your data.
You can learn more about Khan at his website bio. He’s co-author of The Phantom CISO, and he leans into the “hacker with a hoody” persona — which many in the cybersecurity industry shy away from. He also offers many presentations, podcasts and other online cyber resources at his website.
Dan Lohrmann (DL): Have you always wanted to be a hacker? When did you discover that you “think like a hacker”?
Mishaal Khan (MK): Ever since my middle school days, I’ve been immersed in a world of gadgets and computer parts, all thanks to my dad’s computer repair shop. Surrounded by the hum of computer fans, I couldn’t help but be drawn into the intricate workings of computers. As my understanding of hardware grew, I found myself tinkering endlessly — overclocking CPUs, beefing up cooling systems with extra fans, and expanding memory and storage capacities. But it wasn’t just the hardware that fascinated me — it was the allure of unlocking hidden potential within software that truly ignited my passion.
As I started PC gaming, I stumbled upon cheat codes in classics like DOOM, sparking curiosity. What if I could manipulate the very fabric of the game itself? This led me down a path of exploration, looking into source files and tweaking lines of code to bend games to my will, skipping levels with a few keystrokes.
But my journey didn’t stop there. With the dawn of the Internet, I found myself venturing into the wild frontier of web design. Here, the boundaries were even more fluid, and the possibilities seemed endless. As I honed my skills, I discovered the thrill of breaking websites only to rebuild them stronger and more resilient than before. It was a dance between creativity and chaos, where every bug squashed and every glitch conquered only fueled my hunger for more.
That’s when I realized I was thinking like a hacker — not in the sense of malicious intent, but in the relentless pursuit of understanding how things really worked. The rush of cracking codes and unraveling complexities became addictive, driving me to push the boundaries further with each new challenge. And I haven’t stopped since.
DL: Tell us about your career journey in hacking/professional cyber work.
MK: I started my professional career with networking, learning how information travels across the Internet. Understanding this process, from typing on a keyboard to seeing the results on a screen, became my strongest skill and formed a strong baseline for my expertise.
Even though I knew a lot about ethical hacking, I couldn’t land a job in cybersecurity because I didn’t have any relevant certifications or experience. So I decided to start my own company. I offered basic cybersecurity services to nonprofits and startups for free, like assessing their security posture, making their devices more secure, setting up security tools, testing their systems for vulnerabilities and performing penetration testing.
I hustled hard and attended events, blogging, speaking and building my personal brand. Slowly but surely, I started to get noticed and began to get some decent business. Eventually, bigger companies took notice and hired me to lead their cybersecurity efforts. That’s when I launched a virtual CISO practice, offering security services to other organizations. This marked the peak of my journey from small beginnings to becoming a leader in the industry and eventually publishing a book about it.
DL: What is OSINT?
MK: One of my earliest interests was getting into online investigations, mining the Internet for information. Whether it was uncovering hidden data within image files or piecing together clues from social media profiles, I found satisfaction in using these skills to assist others when they had problems with hackers or stalkers. Over time, this field has evolved into what is now known as Open Source Intelligence gathering, or OSINT.
OSINT revolves around gathering publicly available information and transforming it into actionable intelligence. This intelligence can be utilized for various purposes, such as identifying wrongdoers, verifying facts, locating missing individuals, performing due diligence or uncovering the truth behind complex situations. With amount of data available these days, it’s a powerful tool for both individuals and organizations seeking to navigate the digital landscape effectively.
DL: Why is it so easy to use OSINT to hack an individual or organization?
MK: Most hacks nowadays rely heavily on social engineering tactics, where hackers don’t target systems directly but instead exploit human vulnerabilities. By leveraging publicly available information, hackers manipulate individuals into unwittingly aiding their schemes. This is where OSINT comes into play as the initial step in a hacker’s reconnaissance process.
The more information a hacker gathers about their target, the more potent their attack becomes. Imagine if a hacker knows your specific interests or even your whereabouts based on your social media activity. Armed with this knowledge, they can craft convincing phishing emails or vishing calls, tricking you into clicking on malicious links or divulging sensitive information you wouldn’t normally share. It’s a sobering reminder of how crucial it is to safeguard our online presence and remain vigilant against such tactics.
DL: What two or three things could an average person do to help their lives be more private (and secure)?
MK: If you adopt a hacker’s mindset, your priority should be safeguarding information they could exploit. A key defense tactic is refraining from sharing personal details on social media platforms, such as your location, phone numbers, personal email addresses and family members’ information. This simple step can thwart the majority of social engineering attacks.
Additionally, removing yourself from notorious data brokers and people-search websites can make it more challenging for malicious actors to obtain your home address or personal cellphone number. Taking it a step further, I highly recommend freezing your credit on the top credit bureaus’ websites. This proactive measure can prevent common identity theft scams that rely on using your Social Security number.
Lastly, fortifying the security of your crucial online accounts, including emails, banks, social media and utilities, is paramount. Utilize robust passwords generated by password managers and implement multifactor authentication wherever possible. These simple measures significantly enhance protection against unauthorized access to your accounts and potential breaches.
DL: You have spoken at several state cyber summits and other events recently. Tell us about what you present.
MK: I love entertaining audiences with simple yet awe-inspiring hacks, putting them right at the heart of the action to witness the intricacies of cyber attacks firsthand. My mission is to raise awareness about the methods hackers employ, empowering individuals to take meaningful steps toward protecting themselves. By shedding light on how hackers hack, I aim to make security measures more impactful and relevant to everyone.
I believe it’s crucial to equip everyone with security awareness, transcending the boundaries between cybersecurity and other domains it influences. By bridging this gap, we can foster a more secure digital landscape for individuals and organizations alike.
DL: Anything else you want to add?
MK: The fight for privacy and security is real, and we are seriously lagging behind. Collectively, we have the responsibility to use our skills to protect those around us, even if it takes one individual at a time. Let’s rise to the challenge and make a difference, one step at a time.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
*** This is a Security Bloggers Network syndicated blog from Lohrmann on Cybersecurity authored by Lohrmann on Cybersecurity. Read the original post at: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/how-to-think-like-a-hacker-and-defend-your-data