How do you know if your system is secure, if it has never been tested?
Combitech contributes to a safer and more secure society. An important part of this work is performed by our penetration testers. Their work is to simulate hacker attacks in order to find vulnerabilities and weaknesses in networks and systems. Three of Combitech’s sharpest pentesters, Christoffer Olsen at Combitech Denmark, Michael Johansson at Combitech Sweden and Olav Sortland Thoresen from Watchcom in Norway explain what they do, how they do it and why their work is vital to many companies.
What does it mean to be a pentester?
Michael: Simply put, we try to hack our clients before a real hacker does so! A client can, for example, come to us with a newly developed app that needs testing before it reaches the market. We use the same tools and methodologies that real hackers would, in order to find out whether we can bypass the login system, hack any authentication solutions or in any other way penetrate the system and take control of the app.
Olav: Exactly, I see myself as a “hacker with permission”. Our job is to find vulnerabilities and weaknesses in the clients’ applications, networks or cloud services and try to exploit them.
Christoffer: Following a test, we deliver in-depth technical reports. With the help of our recommendations, our clients can improve the security of their systems.
Why should an organization perform penetration tests?
Michael: Ransomware and other attacks against corporations are increasing. Most companies are far from aware of all the potential vulnerabilities in their systems, and often, unconsciously, leave weaknesses open.
Olav: IT systems can be big and complex, built on many applications that communicate with each other. It is difficult to know if all parts of the system are safe.
Christoffer: Pen testers provide insight into how secure a software or product is and indications as to what measures need to be taken in order to improve security. Having a pen tested product, software or solution is also a great selling point. Furthermore, there are rules and regulations to abide by. In some instances, you might need to pen test your product or network in order to abide by international standards.
Olav: In the best of worlds, software would be tested regularly throughout the whole development process. However, that is not the case today in most organizations. A good alternative is to at least pen test regularly, perhaps annually, and whenever major changes are made.
Pen testing is a very technical field. How do you present your results to the client, where some might not be very tech-savvy?
Christoffer: When you present results to a less tech-savvy audience, it is important to emphasize how the result will affect them and their system. Usually we spend less time on the technical specifications with such an audience. We always share an executive summary, where clients can read about the most important findings, and where focus is on economic and brand reputational risks. We also make a report specifically for the developers who will take action and address the technical vulnerabilities.
Are there different kinds of pen tests depending on what you are testing? IoT, IT systems and so forth? If yes, do you have different methodologies?
Christoffer: Absolutely, there are many different kinds of systems, products, solutions and software that can be pen tested. Overall, we use the same methodology, but there are many system-specific differences to be handled individually. We also take into account what kind of hacker would potentially attack the system, and if it’s white, grey or black box testing.
What is the most exciting assignment you ever had?
Michael: All assignments are exciting. One day I work on a big corporate network and try to find entries, and the next day I try to hack my way into a car or a smaller IoT device such as a robotic vacuum cleaner. The variation makes the job so exciting!
Christoffer: I once participated in the testing of a physical peripheral device, where we had to develop a custom exploitation script from scratch in order to exploit the discovered vulnerability. It turned out to be a fundamental part of the solution, requiring a full rework of the product to mitigate the vulnerability.
Olav: To reveal critical vulnerabilities in Cisco Jabber was very exciting. The project taught me how responsible disclosure works and gave me valuable insight into how security vulnerabilities are handled in a large corporation. I also learned about the risks associated with building desktop applications using web technology and the vulnerabilities it can introduce.
Right now I am working on an internal network audit. In this type of audit, I have access to the customer’s internal network and attempt to find security vulnerabilities or misconfigurations that an attacker can use to elevate their privileges in the network. These audits often uncover serious vulnerabilities or misconfigurations and we are able to take control of the entire network in just a few days. The customer can use the findings from the audit to improve the security of their internal networking and thereby significantly reduce the risk of insider threats, ransomware infections and similar attacks.
Are there any differences in how Combitech works with pen testing in the Nordic countries?
Christoffer: We mostly work according to the same guidelines when we perform pen tests, but we can always learn from each other, in everything from methodology to presentations.
Olav: There are always minor differences in technique, methodology and practice. To be a part of this professional network is valuable and gives us all excellent opportunities to share experiences with, and learn from, each other. The fact that we work across borders in the Nordics provides added value to our customers. I really like collaborating with my Nordic colleagues and hope to do so more in the future.
It has to be important to keep up with new technology, trends and vulnerabilities in your job – how do you develop your competence and keep yourselves up to date?
Christoffer: In a rapidly changing world this is so important. I usually keep up with news and trends on Twitter, where my news feed is typically filled with new vulnerabilities, technical write-ups and thoughts on various Infosec topics. In addition, I try to participate in a few CTFs and do new certification trainings.
Michael: We have time dedicated to skills development every week. This is vital to us since software changes constantly; our sector develops incredibly fast. Just like Christoffer, I participate in CTFs.
Yes Michael, you are involved in Midnight Sun CTF – can you tell us more about that?
Michael: CTF, Capture the Flag, is a competition, a sort of gamification. The idea of the competition is that someone has built a system that is in some way vulnerable. The goal is to find that vulnerability, use it and capture a flag as proof that the task has been solved. Usually this is timed and the team that solves the task in the shortest time wins. Midnight Sun CTF is Sweden’s biggest and most highly ranked CTF competition, where some of the best teams in the world come to Sweden to compete. I have been involved in leading the SAAB and Combitech sponsor team.
CTFs are excellent for developing our skills, a way to get practical experience and to try vulnerabilities in the real world. We then share our knowledge and experience with the other participants.
If you could choose – what would be your dream pen test, and why?
Olav: My dream pen test would involve the cross-over between IT-security and physical security. This could be pen testing an ATM machine, an airplane, a camera system or a power plant. Security is especially important in these systems and vulnerabilities could allow for “Hollywood style” hacks.
Christoffer: I am particularly interested in product and hardware security. To test a big interconnected device network and the devices themselves would be incredibly interesting.
Michael: Hmm, a satellite would be cool. But I think my dream test would be a big corporate network since networks and network infrastructure are my specialty.
How do you become a pen tester?
Olav: I started early. My interest in computers started with video games, but I quickly became more interested in how they worked than in actually playing them. As a teenager I learned programming and started creating my own web games. I became interested in security after reading “hacker stories” and watching presentations from the renowned security conference Defcon. My interest led me to a Master’s degree at NTNU, specializing in Information Security. During my last year I worked part-time at Watchcom, a job I found so rewarding and exciting that I continued working here full-time after my studies.
If you are interested in becoming a pen tester, I would recommend that you start by studying Linux and learning programming. Try to get some real-world experience, either as a volunteer or through an internship. And of course, stay up to date and keep on being curious.
Where do you see yourself in the future, what are you working on in three years? What are the career prospects in your profession?
Michael: Three years from now I will most likely still be working as a pen tester. This job gives so much variation from day to day that I never get bored! You gain experience every time you do a new test and eventually you can specialize in an area.
Christoffer: It is definitely a growing sector with job opportunities increasing. Everyone will need to adapt to changes and new technology, and that of course opens up new attack vectors, keeping the importance of staying secure very high. In three years, I see myself working with penetration tests and exploring new and exciting areas within the field.
Olav: The job as a pen tester is constantly evolving, and I believe we will play an even more important role in the future security landscape. I look forward to continuing to work on exciting projects, hopefully together with my Nordic colleagues at Combitech.