Cybersecurity offensive, 'good hacker' patrols advance
The CEO of Italian start-up HN Security, Giannandrea Tateo, explains the costs and purposes of simulated cyber attacks to improve corporate security
7' min read
Key points
7' min read
The control tower of an Italian airport exchanges routine messages with the flight simulators that are training some pilots. Suddenly the messages derail from the routine and look decidedly strange, the pilots are astonished and wonder what the heck is going on. But the same astonishment shows on the faces of the air traffic controllers. It is a hacker attack, they guess. What they do not know, however, is that they are 'good hackers' or ethical hackers (in slang 'white hat', the white hats of western films) engaged in an Offensive security test, an oxymoron that encapsulates in a single word the activity of an expanding sector in the United States but also in Italy, in terms of services offered by specialised companies and professional training. In the increasingly strategic field of cybersecurity, which sees Italy growing but still lagging behind (we are in 11th place, for instance, in the MIT's Cyber Defence Index). The attack on the flight simulators is a real case, of the man in the middle type, explains Giannandrea Tateo, CEO of HN Security, a start-up founded in 2021, based in Turin with specialists also in Florence and Rome, and which is part of the Roman group Humanativa, of the entrepreneur Stefano Commini.
The 'white hats' of cybersecurity
.The 'good hackers', explains Tateo, 'provide their expertise and passion to test organisations' IT infrastructures for robustness and resilience'. A passion that for the older ones was born in basements in the early 2000s when they had fun and competed in hacking servers and IT infrastructures of the most diverse organisations, sometimes even risking prosecution. "Over the last twenty years, some have lost their way, others have made it a profession by putting themselves at the service of companies within ICT departments, and still others, the most visionary, have created real companies offering Offensive Security services to their clients". Offensive Security is the name given to this discipline to differentiate it from Defence Security, that set of hardware and software infrastructures whose purpose is to protect IT infrastructures and - in the event of hacker attacks - detect threats and isolate them to protect corporate assets..
Sweatshirt-wearing and tie-wearing managers
Ever since the days of Kevin Mitnik, alias 'Condor', who got out of an American prison in 2000 and founded his own security company, a planetary narrative has flourished around bad, good and 'converted' hackers over the last three decades, which the professionals working for HN security have certainly drunk from. "I know for a fact that some of my colleagues knew Mitnick personally, or H.D.Moore and others, but they do not boast about it in public. Our two senior technicians, Marco Ivaldi and Maurizio Agazzini,' says Tateo, 'are two of the most renowned white hats in this small but very specialised world of Offensive Security, where everyone knows and talks to each other. They both started in this sector in the 2000s, on infrastructures and systems that have now almost disappeared, then they had the ability and passion to adapt to the technological evolution. But in HN Security there are other younger white hats who are just as capable, especially on new technologies in the mobile field. How is the collaboration in the company between geeks in sweatshirts and management in ties? There is mutual respect and esteem, we complement each other, but by now I only wear the tie in some meetings with top management. Of course, when we have to go to a client and ask for business casual attire they tend to forget the business part...'.
How an offensive security startup is born and grows
HN Security was born three years ago precisely from the collaboration between these two 'souls', technical and entrepreneurial, or rather from the meeting between the president of Humanativa Stefano Commini and two of these pioneers of offensive security who developed their passion first in basements than in school desks. "Around them," Tateo recounts, "we built a group of friends and former colleagues animated by the same passion: identifying computer flaws and then suggesting the remedy. We have gone from a turnover of 700,000 euro in 2021 (with a positive Ebitda) to a forecast of 1,500 in 2024 and 2,000 in 2025 (with an Ebitda of 15%)'. Always investing heavily in people (today there are around 20 specialists) and training, which are strategic aspects of striving for excellence. "Our specialists follow an intense training programme and devote 20% of their time to research and development: one day a week in which they study while playing, sometimes competing against each other in an attempt to hack what comes their way, always within the limits of legality, of course. You have to be at least as good as your opponents to do our work'.
What kind of interventions and how much they cost
In addition to the man in the middle already seen, intervention types include the classic penetration test, a simulated authorised cyber attack on a computer system or network, performed to assess system protection. More comprehensive are Red team attacks, multi-layered simulations that aim to assess how a company's people, networks, applications and physical security controls are able to respond. "We are also pushing hard on activities that identify problems during the design and development of software, because detecting a flaw when it is already in production has an extremely high cost, up to 30 times. Our work stops with the production of a detailed report listing the vulnerabilities to which we associate 'Recommendations', i.e. actions to be taken to remove or mitigate the threat that should not be carried out by the same person (even if someone does). It's almost an ethical matter, I don't have to look for vulnerabilities in order to get more work afterwards'. An Offensive security project costs an average of 20 to 100 thousand Euros, but the cost to put in place remedies can be several orders of magnitude higher, making it very attractive to companies.


