
The Story of a White Hat Hacker

The Person

Tom is employed as a cybersecurity consultant in town. Some call him an ethical hacker or white hat hacker; he doesn’t care. In his thirties, he's at the golden age of life. Nonetheless, Tom seldom manages even one or two quiet dinners with his wife and kid in a month. Work-life balance does not mean much to him. Often he starts his job at midnight in a freezing data centre or a deadly quiet office.

An indisputable introvert, he doesn't like talking aimlessly in pubs with folks. He has loved daydreaming since high school, and still does. All the paperwork, such as the engagement letter, predefined goal, scope, timeline, responsibilities, bla, bla, bla ..., is nicely handled by his team lead.

Tom was mediocre at school, but his intense interest in cybersecurity shows in how quickly he earned numerous credentials such as CISSP, CISA, CISM, CEH ..., most of them obtained through self-study and experiments in a self-built lab. Though poor at talking, Tom has a razor-sharp mind. He spends days and nights, mostly on his own time, collecting, analyzing and simulating cyber attacks and defenses. He prefers practical skills to fancy talk. But he knows that he has to deliver proper test results, on which the client and stakeholders rely to make decisions on business and technology.

Still Water Runs Deep

So far so good for Tom. Then came a simple pen test job in disguise. He was given two websites intended for whistle-blowers, one for the East side and one for the West side of a conglomerate. Since the job seemed too simple, Tom skipped the planning phase and the risk analysis that identifies the hot spots. He jumped right into automated tool scanning and came back with perfectly clean results – absolutely no unnecessary services or open ports. Perfect. The job could be completed within the time frame and the perfect results would please the client’s management. Tom smiled.

Out of curiosity he looked at the scanning event log and found that his tool’s scanning had initially gone smoothly, but after one to two seconds the scan was delayed again and again until it timed out. His experience told him an intrusion protection system was at work. Tom then configured his tool in firewall/IDS bypass mode, but to no avail. He added decoys (fake source IPs) in his tool and crossed his fingers. The tool returned the name and model of the device and stopped. At the network layer Tom was empty-handed.

Tom poured a cup of strong coffee and stared over his shoulder at the wall. It was now two o’clock; he had four more hours to go before handing the environment back to the client’s IT for their housekeeping tasks before going online at 8:30. Tom’s heart started to pound. He activated the application test tool at once, but it found only minor issues.

Lesson Learnt

Tom punched the wall in the quiet office. Now three o’clock. His mind wandered off for a while and all of a sudden he returned to the starting point – the sources of cyber attacks (sources of risk) and the potential weaknesses (vulnerabilities) in the mind of hackers. Yes, complaint messages being input, stored and transmitted – these are the hot spots. Tom then hurried to prepare some test scripts and commands on the fly and tested, with results closer to reality. He tuned the automated tools and cross-checked the outputs with a higher level of confidence. Tom took a couple of screen dumps and collected the testing results. He blew his whistle and went home at six in the early morning.