Ethical hacking tests school cybersecurity

On Board Online • April 27, 2026

By Amanda Cammarano

ERIE 1 BOCES

Schools can be prime targets for cybercriminals. One way to stay cyber safe? Voluntarily get hacked.

It's called ethical hacking. With authorization, a cybersecurity expert called a white hat hacker tries to infiltrate a school's network. Known as a penetration test, or "pen test," it involves spending time trying to crack passwords and access sensitive data. Ethical hackers also seek to uncover software vulnerabilities that could aid a malevolent or black hat hacker.

Schools in western New York State get tested regularly by Rich Drzaz, a white hat hacker employed by the Western New York Regional Information Center, located at Erie 1 BOCES. A specialist in data protection, security and compliance, Drzaz first got interested in cybersecurity when he learned about elderly people being scammed online. "It frustrated me," he recalled. "They were already vulnerable, and I wanted to do something about it."

His love of video games made hacking feel like a fun challenge, and Drzaz immersed himself in learning how operating systems, networks and applications work. Then he sought white hat credentials from a company called Offensive Security, which has identified 20 skills needed by white hat hackers, including familiarity with a variety of computer languages, cryptography, reverse engineering, analytical thinking and report writing.

Fortune magazine has described Offensive Security as "a cybersecurity training business best known for its popular certification programs ... [and] developing Kali Linux, an open source toolset used by penetration testers the world over."

Drzaz took an Offensive Security course described as focusing on "advanced ethical hacking skills." The current version of the course has 669 hours of content.

The course concluded with a 72-hour exam that consisted of 48 hours of hacking followed by 24 hours to complete a detailed report.

"It was as much a time management challenge as it was a hacking one," Drzaz said. He passed and earned certification as an Offensive Security Experienced Penetration Tester. This credential validates skills in "penetration testing, focusing on evasion techniques and real-world adversarial tactics," according to OffSec.com.

A typical pen test starts with a scan to try to identify weak spots. Then Drzaz gets to work. "I'm trying to capture email addresses, crack a password, or access data that should be locked down," he explained.

And what's a good day for him? "When I fail. If I can't get in, that means the district is doing all the right things." If he does succeed, Drzaz provides detailed reports and helps districts strengthen defenses. He may offer guidance and resources for staff conversations about cybersecurity.

When he's off the clock, Drzaz still hacks ethically. He enjoys "bug bounties," online challenges where companies and organizations invite hackers to find vulnerabilities within their own systems. "It's practice," he said, "and it keeps me sharp on the latest tricks attackers use and the latest defenses to stop them."


Amanda Cammarano is Communications and Partnerships Coordinator for WNYRIC/Technology Services. This story is adapted from an article she authored for the Winter 2026 issue of the Erie 1 BOCES Journal and is used with permission.
