In part one of this series, we sat down with Huw Evans for some great insight. This time, we sat down with Charles for a slightly different perspective.
Charles MacCorquodale has been building and securing systems for most of his life. For the past five years, he has focused on assessment through penetration testing and red teaming.
When he’s not sifting through systems with the mindset of a hacker, you’ll find Charles giving back to the IT community by teaching courses on ethical hacking, mentoring newcomers, and participating in local capture the flag competitions.
Q: What is ethical hacking, and how is it different from malicious hacking?
A: The main difference between a malicious hacker and an ethical one is this. An ethical hacker will show you all their cards at the end of the game and tell you how you can stop them from playing those cards ever again.
Q: Are there different types of ethical hacking?
A: From a technique perspective, yes. You’ve got red teams (the attackers) and blue teams (the protectors).
Red teaming is more appealing in the marketplace because it’s more objective-driven. When conducting a penetration test, every vulnerability exposes your crown jewels, your data, or worse, your client’s data. That is what we are after when conducting these tests.
The blue team is much broader. In essence, everybody’s job is security.
Let’s say you call the help desk, and the person working there asks for your ID. They run you through a series of annoying questions before you get your help – that’s security. They need to make sure you are who you say you are.
The person tediously configuring the system overnight is also security. When an attacker looks for configuration flaws, they are looking for laziness or skipped steps. We consider all these activities blue teaming because they all contribute to defence.
When I train ethical hackers, I tell them the blue team is the harder job. Being on the red team is much easier because it only takes one mistake for an attacker to get in. I look for someone who was having a bad day. Perhaps they were tired, or maybe their phone rang before they finished the job. That’s all it takes.
Q: What are some of the drawbacks to ethical hacking?
A: One of the biggest issues is that some systems don’t like to be scanned. The original designers of anything industrial never meant their systems to be network-connected with laptops. If I do a big security sweep of a system with a power grid, the scan might not like what it sees on the network.
I’ve also gone after ancient websites with a database. After just touching on things to see if they were vulnerable, I ended up bringing the whole thing down because it was just that old. Whatever I asked the system to do completely flooded its memory, and we had to reset it as a result.
A flooded memory is precisely the kind of thing you want an ethical hacker to find. In the case of the old website, I knew what I was testing, where I was testing, and who to call when I broke it. I explained what I did, and within five minutes, we knew where the problem was and how to fix it.
A malicious hacker isn’t going to give you that courtesy.
Q: Aren’t there security risks when you hire an ethical hacker?
A: There are security risks when you hire an ethical hacker, so be sure to use someone reputable. The biggest part of the contract is the confidentiality agreement, which prohibits the hacker from talking about the job so that everyone is protected.
Most ethical hackers are fiercely protective of their reputations. They may never get another hacking job if they have even a tiny ding on their record.
It’s a small industry. If you cross the line and apply for a different job, it will come out in references — and not officially. There is an industry network, or underlayer, where ethical hackers stay in touch. If a potential employer reaches out and asks about Bob Smith and someone says, “eh, he’s done some shady stuff,” he’s not getting that job.
Q: Do you worry about the legal implications of ethical hacking?
A: We have rules of engagement that protect us from wandering into legal trouble. To stay safe, you have to stick to what you agree upon in the contract.
Doing so is easier said than done, however, especially with scope creep.
I once had a client ask me to stay away from a specific division within the company. It was the end of the quarter for them, so the company didn’t want us to touch anything. When I started poking around in the allowable areas, the things I was hunting kept running and hiding in the off-limits area. I had to leave them alone. I didn’t like giving up the chase, but my hands were tied. Those are the rules.
Q: How have things changed since you became an ethical hacker?
A: Over just the past five years or so, hacking has become much more complex. If I’m not constantly training, I fall behind.
Today’s cybersecurity is more behavioural and less signature-focused. Instead of looking for suspicious .exe files, modern security tools are designed to take notice when multiple actions take place that seem fishy when done together.
For example, an unauthenticated user asks for database access, then asks for a network connection, then asks for admin rights. IT is then notified of these potentially malicious activities.
Q: Is data more or less secure than it was five years ago?
A: I’ve noticed an increase in business-to-business security issues, especially among startups. Generally, startups operate under the directive of speed. The key is to get your MVP out to market first; you secure it later.
Lean startup, agile development — it’s a rush to get to market first. If you don’t, you lose your opportunity – and that creates a whole new risk exposure. Security and testing security take time. If you don’t want to slow things down, then you don’t consider security.
Suppose your product is a CRM, and you’re the hot new startup. If a client puts their data in your system and you get breached, your client is held responsible for that data loss. This could potentially destroy both businesses, both reputationally and financially.
Q: Looking ahead five years, what do you predict will be the most significant data security threat to businesses?
A: I think we need to be paying attention to policy. We’re going to see more third-party and governmental restrictions on which vendors we can use, which countries we can do business with, and even which technologies we’re allowed to implement in certain regions.
When we start making these policy compromises, it affects our ability to secure devices – which hurts everybody.
Q: Switching gears to your personal experiences working as an ethical hacker, what skills do you need to be an ethical hacker?
A: To be an effective hacker, you have to think differently and be ready to ask uncomfortable questions. Information-gathering tactics that may be offensive in a different context are essential when you are an ethical hacker.
You also need a diverse IT background, and you have to be a quick researcher. You can’t know everything, but you have to know everything.
My advice for all the people coming out of school who want the sexy hacking job is to work at a call center and get a job on a help desk. Do all the IT jobs. When you do break something for a client, you can help them fix it.
Let’s say I didn’t have a background in web, databases, and networking. If I didn’t know how all of these pieces work together, I wouldn’t know who I should call about a security issue I found and what I did to trigger it.
Q: What’s your favourite hacking technique?
A: I try not to focus on any specific technology because it’s going to change tomorrow. Instead, I like to attack logic.
I look for assumptions that people make: Is the sign-up process step 1, 2, 3, 12? Can I jump steps? What assumptions have you made that my crazy thinking can circumvent?
Q: What vulnerability do you come across most frequently?
A: Hands down, it’s missed patches and outdated systems. I’ve heard people say, “I don’t have the $5,000 to replace that system.” But in reality, that $5,000 is going to cost them $1 million.
People have a hundred excuses about why they can’t patch their systems today, but today is when I’m looking.
Another common vulnerability is input validation. Never trust the users. If you’re going to give me a box on your website to put in a phone number, you better make sure I put in a phone number because I’m going to be putting in programming. I’m going to try to break that form.
Q: Based on your experience as an ethical hacker with IT Weapons, what advice would you like to pass along to IT security teams?
A: From a business perspective, know that it’s OK to hire someone to help with ethical hacking. When you partner with someone you trust, you can trust that they will do it well and do it securely. Budgets are tight right now. Consider what will cost more: a security assessment or rebuilding everything from the ground up?
Q: How does IT Weapons differentiate itself in the ethical hacking industry?
A: IT Weapons provides actionable information, not super fancy reports. Many companies fluff up the language and put a bunch of pomp and circumstance into the findings to make it sound much more complicated than it needs to be.
But our clients are SMB (small and medium businesses). They don’t need fluff. They just need to know what their risks are and how they can mitigate them. That’s how I phrase my reports: what’s the most valuable information I can give the client that they can start using today?
Ethical hacking is a highly effective way to find and fix security vulnerabilities before malicious hackers do. But for maximum protection, you need to take a holistic approach.