Welcome to the first of a series of posts addressing what it takes to be an ethical hacker, written by Perspective Risk’s Penetration Tester Marius Cociorba.
Each week he discusses one element he considers key to being a security consultant, especially in the context of pen testing. References to further reading are included where helpful.
Volumes have been written about careers in the infosec industry, many of which influenced Marius when he began his journey in cyber security. We hope his take on the subject will help those similarly starting out, and resonate with those already in the field. We start by looking into the mind of an ethical hacker.
The Mindset of an Ethical Hacker
The first element that separates ethical hacking from other disciplines in the technology industry is a specific mindset. Contrary to today’s negative connotations of the term hacker, the original definition is someone who enjoys tinkering with a system (physical or not) to make it behave differently from what its creator intended.
Let’s consider a scenario: you’ve been asked to assess a web application. From the outside, the design looks professional and is adorned with ‘Verified & Secure’ trust badges for the purpose of reassuring visitors they are in safe hands.
Browsing the site, you encounter a login page for administrators looking suitably commanding: Authorised users only! You try a handful of default username and password combinations and find that admin:changeme1 works. You’re in!
Looking around, you find a form that allows you to update your profile photo. Playing with the feature, you spot that the app doesn’t check that the uploaded file is actually an image: neither its contents nor its extension are validated, and the client-supplied filename is kept. Knowing the site runs on PHP, you upload a PHP script that lets you execute commands on the server itself – easy win!
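To make the upload weakness concrete, here is an added example (not code from the original post or from Perspective Risk): a minimal PHP profile-photo handler with the defect the scenario describes, followed by a hardened version. The function names, the `uploads` directory, the form field name `photo` and the 2 MB limit are assumptions for illustration.

```php
<?php
// Added example (not from the original post): a profile-photo upload handler
// as the scenario describes it, followed by a hardened version.
// Directory names, field name and the 2 MB limit are assumptions.

// --- Vulnerable: trusts the client-supplied filename and MIME type ---------
function save_photo_vulnerable(array $file): string
{
    // $file['name'] and $file['type'] come straight from the request and are
    // attacker-controlled. Nothing inspects the file's contents, and the
    // destination sits under the web root, so a file named shell.php holding
    // a one-line PHP script is stored as-is and executed by the server on the
    // next request to /uploads/shell.php.
    $dest = __DIR__ . '/uploads/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened: validate the bytes, pick the name and extension server-side -
function save_photo_hardened(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > 2 * 1024 * 1024) {          // assumed 2 MB limit
        throw new RuntimeException('File too large');
    }

    // Detect the type from the bytes on disk, not from $file['type'] or from
    // the extension the client chose. Only a closed list of types is allowed.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted');
    }

    // Confirm the file actually decodes as an image, which rejects files that
    // merely begin with image magic bytes.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }

    // Server-generated random name; the extension is derived from the detected
    // type. The user's filename is never used, so nothing ending in .php,
    // .phtml or .phar can land on disk.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

// Usage (assumed form field "photo"; $uploadDir is assumed to be a directory
// in which the web server is configured not to execute scripts):
// $stored = save_photo_hardened($_FILES['photo'], '/var/www/uploads');
```

Two caveats a tester will check for. First, content sniffing on its own is not a fix: a valid JPEG with PHP code appended passes both the `finfo` and `getimagesize` checks, so what actually prevents execution is the server-chosen extension combined with storing uploads outside the web root (or in a directory where the PHP handler is disabled). Second, the vulnerable version above also needs no authentication bypass beyond the default credentials already found, which is why the two findings together amount to a full server compromise rather than two low-severity issues.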
You can cultivate this state of mind every day by going beyond what the regular user experiences and observing more. Let’s say you can control your new car from an application on your phone:
- How does the app communicate with the car? Is your phone directly interfacing with the car’s systems? Are there intermediate systems at work? Is it using 3G or a proprietary radio protocol?
- What kind of traffic is the app sending when you press the button to turn on your climate control? Is it encrypted? Could you intercept and manipulate it to control someone else’s car? How does the app verify you’re the rightful owner?
If you’re curious about the real life case study that inspired this example, look no further than this research by Troy Hunt: Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs.
In a nutshell, the mindset is all about looking beyond appearances and methodically evaluating how a target system works, and why. Applied consistently, this approach usually reveals a weakness or an afterthought with the potential to compromise the system.
In a world where classic vulnerabilities, such as SQL Injection or Cross-Site Scripting, are well documented and largely prevented by modern frameworks and secure development practice, it’s only through working in a detailed, methodical way that you can identify the subtle vulnerabilities which would not show up on a scanner report.
About the Author
Marius Cociorba’s journey into the world of security was circuitous. His first role was in technical support for a financial software company during a placement year of his Computer Science degree. After graduation, he joined a graduate scheme run by a large technology consulting firm and enjoyed a variety of projects, from system migration to equipping engineers with mobile devices used to manage assets.
Marius has been fascinated by the world of hacking since he learned to code small websites in HTML and PHP in his teens, and he continues to study attack techniques. One of his fondest memories is getting his first buffer overflow working against a vulnerable MP3 player and making a copy of Calculator appear on the screen; trivial by the standards of modern exploit development, but valuable for understanding the fundamentals of attacking software.
After a few other roles where he helped with security matters alongside other responsibilities, he reached a point where he knew he wanted to be in security full-time. Marius went on to achieve OSCP (Offensive Security Certified Professional) certification – possibly one of the tougher challenges out there, with its 24-hour exam – and started looking for full-time penetration testing roles. This brought him to Perspective Risk, where he has proved to be a hugely likeable and respected figure with colleagues and customers alike, and where he has been happily auditing systems since.
If you would like further information on ethical hacking, or to appoint Marius and the team for a penetration test or another of our services, we’d be glad to hear from you. Click here to contact us.