Tales from the field

my name is Kyle and I work at a company called Nettitude as a security consultant / penetration tester and I’m originally from Northern Ireland and I moved to England in 2012 to attend Coventry University, I did computer science as my undergraduate degree and then moved over to the cyber security masters and kind of fell in love with security and then was lucky enough to get a job really around the corner in leamington at Nettude and I’ve been working there since September I do the same role as Kyle a penetration tester at Nettitude, I did a computing undergrad at Coventry University and then did the Masters course.

Now we like specialize in penetration testing which is like a small area of the course what we tend to do is we’ll get an application in front of us and it’s mostly like a security audit, identify which vulnerabilities are there within the application and just do the test and then reporting the reporting is the best bet I mean definitely you can have a lot of the business that the company does is mostly web applications because everybody has a website - and but you get other things like external infrastructure tests which is you get given the IP address of a machine that is connected the internet somewhere and you perform scans against it and you try to hack your way in and do different things like that there’s internal infrastructure tests where you’ll be sent to a client’s sites who say you know a bank you have to go in and you get that into the bank and you plug into the network and wreak some havoc or there’s social engineering engagements where you get to be real bad guys and break into buildings try and lie your way through security controls

so what we’ll typically do is there’s a bit of reconnaissance so say you’ve got you abc.com and abc.com runs this framework and is hosted on this type of web server all that kind of stuff that’s all stuff that you can find out without being too intrusive and that you could sort of find out just by browsing the internet usually so a lot of it is go in and making sure you know what you’re going up against whenever the tests officially starts.

Depending on if the application I was like a login functionality what we’ll typically do is there’s tools you can use tools like nmap burp suite and necess say you do use that commercially as well quite a lot so you can use different tools to scrape things like a LinkedIn and Facebook and stuff like that to generate a list of email addresses for people who work with a company and then you can then perform like password guessing attacks, brute force attacks to try and log in as different users and things like that learning how the industry works was a big one and so we thought you get a job you go in you hack stuff you leave but what you learn very quickly is that it’s all about delivering value to different clients you know a client is paying this money to learn about where their security holes are but want to fix them and why we can help them do that so reporting is a massive part of it being able to write a good narrative to people who are technical or non-technical to highlight how much risk there is because if you say to CEO like you’ve got SQL injection in your back-end database they’re gonna be like what does that mean but if you say I can read everybody’s credit card information then you know it’s a lot more impact the report at the end of the test is the only tangible thing that the customer gets like they don’t they’re not watching you throughout the entire test so that’s a massive part of pentesting it was like delivering a report that they can understand and then sort of work off the back of to fix the issues that you find.

we’re pretty lucky and that it’s it can be hard for us to break the law because we work for a company and we don’t work for ourselves they have processes in order to make sure that we always have authorized an authorization to test what we are testing so we have these authorization forms that need to be signed by two people from the client they need to be signed by ourselves they need to have the scope of what we were attacking in and if things are out of scope then you’re not allowed to touch them all that sort of stuff you just have to be really really careful when you’re testing to make sure that you do stay in scope because especially web technologies now are so complicated they’ll ping off 20 different things to load a webpage and some not stuff my periscope so you have to leave that part of the application alone things like that.

More so related to the company’s ethical framework and I think it’s an industry standard that you kind of clean up after yourself cuz a lot of it is fuzzing and dumping random files on the systems to see what happens and stuff like that you’re supposed to clean up after yourself and one of the drawbacks of automated tools is that they can run very very fast and get out of control sometimes in the authorization form like it might be wrong as well so you have to sort the vigilant to make sure you like checking this is like exactly what they want testing if not then you can’t you can’t start testing because then you’re breaking the law so go back a double check with the clients make sure everything’s in order so you can actually test it so one of the more like exciting aspects of the job something that maybe more experienced testers will do is social engineering so they’ll have like a point of contact in the company that speaks to the tester and essentially what the testers job is is to get inside the building and get on their internal network it depends how good people are at lying and then once they’re like at someone’s computer they’ve got like a sticky note which has their password on it so they can just log into someone’s computer while everyone from the business is like here wondering who the hell this guy is maybe like someone will go like yeah who are you in this video I’m just part of IT support and people like more often or not will just buy it there’s a guy we work with is bit of an Einstein he’s very very good at what he does but he’s got the gift of the gab and on one of his red team engagements on the infrastructure of the company they were trying to hack into they didn’t let you run dot exe files on Windows because you know you can use that to a whole bunch of malicious stuff and so what Rob did was Rob found somebody in HR started talking about gay pride and some event they were running for it spoke to this women for about half an hour and then convinced her to download a text file rename it from you know whatever dot txt to whatever dot exe and then run it so that he could compromise her machine and I remember whenever we all heard about this there was maybe like three seconds of complete silence and then everybody’s breaking down laughing and not that you’re laughing at people you know being socially engineered & convinced to do these things but just how preposterous it was that he was able to do that yeah social engineering is where it’s at definitely!