Hackers are bad, scary, criminal, and worst of all, they wear hoodies, right? Hackers don’t belong in enterprise technology teams, right? Wrong! Quick caveat: Don’t break laws. Don’t break corporate policy. Personally, I’ve been fascinated by hackers my whole life, probably since I first saw War Games. While I don’t consider myself a hacker, I’ve done some light hacking over the years.

Shortly after I went to school and learned Windows networking, I visited a friend’s house and he showed me his new computer. I noticed he had high-speed internet (somewhat rare back then) and I asked him who his provider was. He said, “I don’t know, I just turned it on and it works.” At that point, I asked him if he’d like to know which neighbor’s internet he was using. He said, “you can do that?” I said, “I don’t know, let’s find out…” In a matter of seconds, I mapped the local network and found his neighbor’s printers, media libraries, and file shares. I opened up his file share and found a resume which contained his home address. “Bingo, it’s this guy.” Ironically, his resume led off with “seeking a position in information security.” I wanted to edit his resume to say “don’t hire me. I don’t know what I’m doing,” but my friend talked me out of it.

At this point my friend turned to me in amazement and said, “where did you learn how to hack?!?” I didn’t technically hack, crack, exploit, or social-engineer anything. I just used my Windows networking knowledge. That experience opened my eyes to what hacking really is. It’s simply thinking outside the “happy path.” Do the unintended, and see where it leads.

Several years later, I went to my first SANS class, where I learned hacking and anti-hacking defense techniques. While nearly all of those specific tactics are now obsolete, I learned how to think like a hacker and look for security weaknesses in technology. Those thinking patterns serve me well to this day.

Hack all the things. Doing the unintended is really fun.

While working for one of my previous companies, we had a cloud app that had a mobile offering, but the mobile enrollment was disabled. At least that’s what the administrators thought. They hid the mobile enrollment menu options from the user interface. I simply googled public user manuals on how to do mobile enrollment, and I found screenshots with the URL structure that held that functionality. I wondered to myself, “is this really disabled, or is it just hidden?” I found out by typing the URL into the app, and boom: The mobile enrollment feature rendered. Sweetness. I got to be the guy that had the feature that everyone else wanted, but couldn’t have.

I was using another cloud app that limited certain edit functionality, which I thought was really lame. I wasn’t satisfied, so I started researching ways to bypass the user interface. I found the RESTful API, loaded up some browser extensions, and edited the uneditable with JSON. I was very pleased with myself and shared my “hack” with other users. Eventually the administrator caught wind of it and said, “uhh, thanks… I think… Are you SUPPOSED to do that?” I don’t know if I’m supposed to, but I can, and I did. If I’m not supposed to do that, then close the loophole and stop me. That’s thinking like a hacker.
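Both stories have the same root cause: the access control lived in the user interface (a hidden menu item, a greyed-out field) while the server behind it kept serving the request. The block below is an added example written for this post, not code from the author or from either cloud app. It models a tiny request handler twice, once the way the two apps evidently behaved and once with the check enforced server-side on every request. The route names (`/mobile/enroll`, `/api/profile`), the feature flag, the roles and the field lists are all assumptions made up for the illustration.

```python
"""Hidden is not disabled: a toy model of the two stories above (added example)."""
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    role: str            # "user" or "admin" (assumed roles)

@dataclass(frozen=True)
class Request:
    method: str
    path: str
    user: User
    body: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: dict

# Assumed configuration: the administrator "turned off" mobile enrollment,
# and plain users may only edit a couple of profile fields.
MOBILE_ENROLLMENT_ENABLED = False
USER_EDITABLE_FIELDS = {"display_name", "phone"}
ADMIN_EDITABLE_FIELDS = USER_EDITABLE_FIELDS | {"email", "role"}

def render_menu(user):
    """What the UI shows. Identical in both apps; hiding here is not a control."""
    items = ["profile", "settings"]
    if MOBILE_ENROLLMENT_ENABLED:
        items.append("mobile-enrollment")
    return items

# --- vulnerable app: the only "control" is that the menu item is not drawn ---
def handle_vulnerable(req, record):
    if req.method == "POST" and req.path == "/mobile/enroll":
        # Never re-checks the flag: anyone who knows the URL can enroll.
        return Response(200, {"enrolled": True, "user": req.user.name})
    if req.method == "PATCH" and req.path == "/api/profile":
        # Trusts every field the client sends, even ones the UI marks read-only.
        record.update(req.body)
        return Response(200, dict(record))
    return Response(404, {})

# --- hardened app: enforce the same policy on every request, server-side ---
def handle_hardened(req, record):
    if req.method == "POST" and req.path == "/mobile/enroll":
        if not MOBILE_ENROLLMENT_ENABLED:
            return Response(403, {"error": "mobile enrollment is disabled"})
        return Response(200, {"enrolled": True, "user": req.user.name})
    if req.method == "PATCH" and req.path == "/api/profile":
        allowed = ADMIN_EDITABLE_FIELDS if req.user.role == "admin" else USER_EDITABLE_FIELDS
        rejected = sorted(set(req.body) - allowed)   # allowlist, not denylist
        if rejected:
            return Response(403, {"error": "field not editable", "fields": rejected})
        record.update(req.body)
        return Response(200, dict(record))
    return Response(404, {})

def probe_mobile_enrollment():
    """Replay story one: a user who never saw the menu item posts to the URL anyway."""
    alice = User("alice", "user")
    assert "mobile-enrollment" not in render_menu(alice)   # hidden in both apps
    req = Request("POST", "/mobile/enroll", alice)
    return handle_vulnerable(req, {}).status, handle_hardened(req, {}).status

def probe_uneditable_field():
    """Replay story two: a plain user PATCHes a field the UI would not let them touch."""
    bob = User("bob", "user")
    req = Request("PATCH", "/api/profile", bob, {"display_name": "Bob", "role": "admin"})
    vuln_record = {"display_name": "bob", "role": "user"}
    hard_record = dict(vuln_record)
    v = handle_vulnerable(req, vuln_record)
    h = handle_hardened(req, hard_record)
    return v.status, vuln_record["role"], h.status, hard_record["role"]

if __name__ == "__main__":
    print("enrollment  vulnerable/hardened:", probe_mobile_enrollment())
    print("field edit  vulnerable/hardened:", probe_uneditable_field())
```

Running it shows the vulnerable handler returning 200 for the "disabled" enrollment and quietly promoting Bob to admin, while the hardened handler returns 403 for both and leaves the record untouched. The design point is that the server decides from the request and its own policy, and the client-side hiding is only a convenience.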

These are some fun and harmless stories, but let’s get serious for a moment. Threats to information security are real. I hold a position in my current company (and at previous companies) that is directly accountable for the security of our technology environment. There are criminal hackers that are out to exploit companies of all shapes and sizes. While we have numerous technical means to defend our organization, we need to enlist the help of everyone in the organization to do the job successfully.

The role of the general business user is pretty straightforward: “Be aware, be careful, and don’t get duped. If you see something, say something.” There’s more to it than that, but that’s the basic idea. The role of the technical folks is “think like a hacker” or even better: “hack all the things.” Seriously, I want to find out about our weaknesses from the friendlies. The only way to do that is to start hacking.

You may think that security is someone else’s job, but everyone in a technical role has a special responsibility due to their immersion in context and their understanding of the inner workings of specific technologies. This depth and context aren’t available to outside security consultants or even your internal IT security team. We need every technician, engineer, and developer to put on their hacker hoodie every so often to harden our tech to its maximum potential.

It’s not just about security vulnerabilities, but also availability vulnerabilities. Delta Air Lines’ global operations went down earlier this week. It wasn’t because they didn’t have high availability and disaster recovery “check the box” solutions. I’m sure they did, but those solutions didn’t work at their time of need. We need to cause our systems to fail in ways that they aren’t expecting to fail, and see how they respond. Had Delta done that, 2,000 more planes would have flown this week.

Don’t be a hater. Hackers are people too.

I am not h4x0r 31337! I don’t even qualify as a n00b script kiddie. I just like to try the unintended and see what happens. The real hackers bring me awe and amazement. One of my favorite hackers (a.k.a. Security Researcher) is Chris Roberts. He may (or may not) have controlled a flight from his passenger seat by hacking the in-flight entertainment system and gaining access to the thrust control system. We may never know what really happened, but his stunt got him detained by the FBI and banned from flying United Airlines.

Good hackers sometimes do questionable things to get attention. Why? Because we don’t listen to them. We don’t take them seriously. We treat them like enemies instead of friends. There is a philosophical lesson to be learned here, but I’m not the best one to teach it. Instead, I encourage each of you to watch Keren Elazari’s famous TED Talk, which has gained more than 1.7M views.

In conclusion, we get stronger by hacking ourselves before the bad guys do. Stay within the guardrails of law and policy. Serve the business by doing potentially disruptive activities within appropriate maintenance windows and approvals. Disclose findings responsibly. With that understanding, hack all the things!

Have any fun hacking stories to share? Put them in the comments below!