A coffee with… Haris Pylarinos, CEO, Hack The Box
A lifelong gamer and self-taught hacker, Haris Pylarinos says that he’s been ethical hacking since he was 12 years old.
He worked as a systems and network engineer while gaining an Open University degree in Computing and IT, before co-founding the gamified training platform Hack The Box in 2017.
The platform claims to use realistic simulations to train and upskill cyber defenders in the same way cyber criminals break into organisations today, with the aim of helping firms become more resilient to attacks.
In this A Coffee With…, we chat with Pylarinos about why the cyber security community needs Hack The Box, his experience as an ethical hacker, and what it takes to become one.
Why did you launch Hack The Box?
When I was a kid, I learned by doing, getting my hands dirty, and experimenting with things. That’s why I became good at ethical hacking. With out-of-the-box thinking required for this profession, you don’t follow a set of instructions, you must figure it out and carve new paths to find the solutions.
The effort required to create training materials can be huge. By the time it’s released, you have ethical fighters and defenders being taught outdated material while you’ve got cyber-criminals training in a way I was trained when I was a kid, but in live environments because they’re hacking organisations, banks, hospitals, governments, and other organisations. So, the criminals have an edge over the ethical hackers.
The Hack The Box platform is more of a hands-on, simulated environment where you don’t have instructions, rather it asks you to improvise and find the solution through that process.
I’ve added a lot of gamification on top due to my years as a gamer, and it’s a perfect match.
It’s all on a screen, so it can be super realistic because you’re virtually either hacking or defending infrastructure, and at the same time you’ve got all these scoring systems and achievements. While it feels like you are playing, it’s upskilling and increasing your knowledge without you noticing or getting bored.
Do you think there’s a correlation between ethical hackers and gamers?
Yeah, because most of the ethical hackers I know also appreciate gaming… If I had more time, I would play more video games!
Do you worry that the people you train will go to the ‘dark side’?
It’s not worth it for most people to become criminals. It’s not only the fear of getting caught, you can end up in jail obviously, it’s also the ethical part. Why profit from someone suffering? I think most people just want to become ethical hackers anyway.
It’s like saying if you train locksmiths, they might become burglars.
When you were doing ethical hacking yourself, what common issues did you find in businesses’ cyber security?
It’s the human element. Some of the technology-related vulnerabilities usually start with fooling someone into disclosing some information or doing something that will allow you to acquire more access to the organisation.
Once you pose as an employee, then the entire world is open in front of you because the attack surface is huge.
How does someone qualify to become an ethical hacker?
When you’ve got enough confidence to understand that everything is just a matter of time and perseverance to achieve your goal.
Computer savviness and being able to code helps, but the main skill required is your ability to learn fast. You’re always developing, and it doesn’t scare you to not know something.
At the beginning of a hack, the default mode is that you don’t know what you have in front of you, but you’ve got to be good at exploring and experimenting to understand it, and sometimes to understand it better than its creator. That’s the point when you start to uncover all of its vulnerabilities.
Is there a physical element to pen testing?
Most hackers start with a set of lock picks. I have locks on my desk and use the lock picks to open and close them. So, physical hacking is an extension of the usual hacking, but it is also more than bypassing locks or security measures. It’s also about figuring out a way of getting the job done, and a lot of creativity, saying the right things and doing the right things.
How do you switch off?
I don’t really switch off, I’ve adjusted my entire life around Hack The Box, but I try to have breaks or incorporate my personal life into the business. Let’s say, if I have a conference somewhere, I will take my daughter with me, and we will spend an extra day doing some sightseeing.