An interview with our in-house hacker

To keep your systems and networks secure, you need to know your weaknesses before someone else does. That’s why we have an in-house hacker, who tests your security in the same way a threat actor would and ensures those gaps in your security are fixed.

But what do they actually do? Read our short interview with our anonymous hacker below and if you need advice or support from our cyber security experts get in touch with our Business Development team.

Q: What does an in-house hacker do?

The purpose of a hacker (or penetration tester) is to find vulnerabilities that could be exploited by a threat actor by using those same tools, techniques and procedures that a threat actor may use. It is important to be able to think like an attacker but also understand the target system in order to properly produce informed remediation advice or mitigation strategies. Not only do we discover vulnerabilities and quantify them in terms of risk we also help defenders understand how to detect and respond to attacks

Q: How did you get into the world of white hat hacking?

I started out as a systems administrator. Learning and understanding how to design, implement and secure Information Systems. From there it was a natural curiosity to attempt to understand how effective these systems where at resisting attacks. These skills and methodologies can only be learnt with practice. There are many ‘vulnerable by design’ systems available online to practice with the tools and learn these techniques. Remember: never attempt to hack a system that you don’t own or have explicit permission to test.

I believe the best ‘hackers’ are those that have spent time in fields such as systems administration, web application development or software development. These professions build a foundational knowledge and detailed nuanced view of technology. This experience can be used as a hacker as you will know where the common weaknesses are to be found, where systems builders make mistakes and how defenses function

Q: What’s your favorite part of the job?

I have two favorite parts of the job. The first is those eureka moments when trying to hack into a particularly secure system and then suddenly everything drops into place, all the hard work has paid off and I finally break in. – Normally to dismay of the system owner. The second is revisiting a client after a successful assessment to find that their systems are now in a securer position that the last time I visited

Q: What’s the most common issue you find?

The most common issues I find are configurational weaknesses. These can be difficult for automated systems to detect. The foremost of these issues is usually human error. - Weak passwords on privileged accounts, unsecured out of the box (OOB) configurations, or artifacts left behind from build process are usually what I find the most

Q: How have you managed to continue your work during the pandemic? 

The pandemic has brought about some challenges. Namely not being able to visit customers onsite. A common form of penetration testing is an internal penetration test. This is where an assessment is performed from the perspective that an external actor already has breached the perimeter or from an insider threat such as a disgruntled employee.  These assessments are normally conducted onsite. We have now developed a capability of doing this remotely. We deliver a physical or virtual appliance to site which securely connects back to our offices so that we may perform an assessment as if we were physically present. For more information on this capability, see our article here.

Q: What one tip would you give to companies who are reviewing their cyber security?

I’m not sure who said it first, but I’ve always been fond of the quote “Security is a journey, not a destination”. All infosec professionals agree that no system will ever be 100% secure. Security assessments should be used to validate vulnerability management process, assuring they are effective. They can also be used to demonstrate how to detect attacks and what an effective response should be. As proven by the numerous high profile security breaches we read about in the news every year. - It is not a case of “if we will be hacked”, but “when”. Having the tools, people and processes in place and have them validated is vitally important for a good cyber security posture.