I’m a Hacker
What does that mean anyway?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.
🔒 Related Stories: Cybersecurity Careers | Pentesting
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you want to know where the word hacker came from and why it is did not start out as a bad thing, check out my book at the bottom of this post. I’m not going to go over that in this post.
This is the post for my Mom and all the other people who don’t know what a penetration tester is and what I do for a living. Before I get into that, I want to explain how I got to be a penetration tester. My career started out in networking. I worked my way into a telecom analyst position. I then moved into software engineering so I understand something about how systems are designed and developed. Then I ran my own company. I hosted systems including e-commerce systems and mail systems and databases and firewalls. I know how these things are configured, operated, and interact. I hosted them in a rack in a data center (and in my homes in the beginning a long, long time ago but that is in one of my other stories.)
In other words, I didn’t just train to be a penetration tester. It started with understanding a lot of other things about how computers and systems work. Once you understand how they work, you have an idea of what might work to break them or manipulate them. And if you can break or manipulate a system, that’s where the hacking and penetration testing and security vulnerabilities come into play.
That’s when you can steal data because something broken spit out some information it shouldn’t. That information may be the actual data you’re after, or it may simply be a clue as to how you might break into the next part of the system. You might see an error message that gives you some idea how the thing you broke is handling encoding behind the scenes. From there you might be able to craft a different command that the system interprets as executable code and that might get you into the next system, or give you some juicy credentials. You might get some sensitive data or the ultimate prize — the credential that let you create anything and control anything in the environment.
In an on-premises world (like an office or in a data center) most companies use Active Directory. If you can get the credentials for the Active Directory server then you have the keys to the kingdom, so to speak. Those credentials define all the roles and permissions within an organizations, like who can access what and what permissions applications have on the network.
In a cloud environment where I typically operate, I’m trying to get access to the roles and permissions the applications use in most cases and see if I can leverage those to do some dirty work. I may be able to trick an application to do something for me. I may be able to submit a link that gets stored in a system that someone clicks later which sends me over to my hacker web site and harvests some credentials for an admin portal. Or maybe I can store some executable code that runs when someone opens a page to look at an error message. I demonstrated that at the end of my talk at RSA 2020 on an API running in AWS.
Some people simply run tools to perform penetration testing. There are professional and free tools and the most popular ones are Burp and ZAP (Zed Attack Proxy).
There are many, many other tools for penetration testing but those are a starting point for anyone testing web applications in the cloud. But the thing is, if you try to use those tools on a bug bounty often the blatant scans are disallowed. A bug bounty is a way companies allow people to test the security of their systems and report flaws for money. Most companies running bug bounties have already run all those basic types of scans so they don’t want people bombarding their systems with those tools.
Also if that’s the only thing you’re doing it’s really not enough. Those tools are a good starting point. I love Burp! It’s amazing and it’s always getting better. You should definitely check out and follow any research by James Kettle, the researcher who works for Portswigger, the company that develops Burp.
Beyond that is where a background in IT, software development and engineering, and networking will help. Those skills not only help you understand and reverse engineer how the systems work. You also need to be able to tell people how to fix the problem. If you’ve never architected a system then you might provide a simple solution like “Patch this” or “Change this one piece of code here.” But what companies really need is a more holistic solution to stop all the vulnerabilities that are occurring, not just that one vulnerability.
That’s where the difference between assessments and penetration tests and bug bounties come into play. When I perform an assessment or a penetration test, I’m typically looking at the level of the team holistically and the overall network to provide guidance to close the gaps at a higher level than a single vulnerability. Having worked in companies for over 25 years — I can’t even remember and don’t want to count how long — helps me understand how companies operate and how system architectures work.
And by the way, defending is much harder than attacking. So if you want a real challenge, work on the blue team — or the team that defends the company, rather than the red team — the one that breaks in. However, it’s important for both the red team and the blue team to understand both sides if they want to be truly effective. The job of the red team is to test the blue team and help them get better. The job of the blue team is to defend against the red team (and real attackers!) so they have to understand something about how they operate.
As for me, I work externally, as an outside set of eyes. I come in and evaluate an environment for security problems and gaps and tell companies how to fix them. Some companies are required to get a penetration test to evaluate the security of their systems every year due to some regulation they have to follow, so they will hire me to test the systems and write the necessary report. But for me, its about more than breaking in and writing a report. My goal is and always has been — how to stop the breaches before they occur — rather than cleaning up after the fact.
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2023
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight LabNeed Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for PresentationFollow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
