
Tales from the Trenches

Written by HQ | Feb 12, 2024 9:11:26 AM

Andrew recently joined Toro as a Senior Security Consultant and has hundreds of pen tests under his belt. We interviewed him to find out how he got into penetration testing, to hear about a memorable test, and to get his recommendations for anyone looking at getting into the field.

Can you share how your journey into pen testing began? 

My journey into pen testing evolved organically, starting with a degree in Civil Engineering followed by a Master's in Computer and Information Systems.

From an early age, I have always been fascinated by how things work and understanding the intricate details. While playing computer games, I observed instances of piracy, sparking my curiosity to explore how it was done and contemplate potential measures to prevent it.  

Following my Master's, I started my career as a programmer. I believe this provided me with a good grounding in penetration testing, as my experience not only gave me a strong understanding of the programmer's mindset but also taught me the nuances of software ecosystems – their strengths, weaknesses, and potential pitfalls.

As I pursued my programming journey, the widespread accessibility of the internet marked a fascinating turning point. The emergence of numerous technologies during this period deepened my fascination with cyber security.  

In 2015, I officially transitioned into cyber security, starting with industrial control systems. Engaging in ICS/SCADA research, I became part of a research project that conceptualised potential cyber threats to a power generation company within the European Union. My role included developing a concept of how an attacker could manipulate SCADA network communications to wreak havoc. Leveraging my programming background, I developed software used in a demonstration and validated a potential attack scenario. 

Following this role, I secured my first job in penetration testing within the Education Sector, witnessing both the team's expansion and the rapid growth of penetration testing. After 5 years in this role, I wanted to take my experience and apply it to a wider range of industries, and that's what led me to join Toro.

Could you describe a memorable pen test engagement? 

Tasked with reviewing a desktop application in an institute, I found a significant security risk that could have proved disastrous had it been exploited by an attacker. The desktop application managed sensitive information such as student and parent details, along with financial data. 

Upon closer inspection, I discovered that although the login process to access the application was encrypted, the subsequent data transmission to the database lacked security due to poor architecture. The application, written in Microsoft .NET technology, revealed a text file named "creds" which contained two lines of encrypted text, used for connecting to the database. The application used a DLL to decrypt the text file to give database access. Recognising the vendor's reluctance to provide individual accounts for each user, I decompiled the DLL to obtain the full source code, including the hard-coded key for encryption and decryption.

This allowed me to connect to the database and granted me full database administrator privileges. The system-level account enabled me to navigate beyond the database, onto the server, and exert complete control of the system.  

I reported these vulnerabilities to the institution; they took the matter to the vendor, who acknowledged the flaws and proposed an update.

The updated version had a significant overhaul in architecture and had shifted to a different programming language. Surprisingly, the vendor had not proactively pushed these updates to the customers, raising concerns about the widespread vulnerability across various colleges using the same system. The institution took immediate action, ensuring the updated version was implemented to address the critical security gaps. 

If this gap had been found by a hacker, they could have easily installed ransomware which could have shut down the college for months. Sadly, I've seen many stories in the news where this has happened to similar institutions, but what is worse is that this could have been easily prevented by just following best practice.
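The pattern Andrew describes, a "creds" file that the client decrypts with a key compiled into its own DLL, is worth seeing in code, because it shows why that design is only obfuscation: anyone holding the binary holds the key. The following is an added example, not code from the interview, from Toro or from the vendor's product. It uses the Python standard library only; the cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) is a stand-in for whatever the real DLL used, `VENDOR_KEY` is a made-up constant standing for the value a decompiler would reveal, and the sample credentials are constructed. The second half shows the contrast: wrapping each user's secret under a key derived from that user's own password, so that nothing shipped in the binary can open the file.

```python
"""Hard-coded client key vs. user-bound key: an added illustration, not vendor code."""
import base64
import hashlib
import hmac
import os

# Hypothetical constant: what a decompiled DLL would give up. In the real
# engagement this key was found inside the application's own DLL.
VENDOR_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC; returns base64(nonce || ciphertext || tag)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()


def _open(key: bytes, line: str):
    """Returns the plaintext, or None if the tag does not verify (wrong key)."""
    enc_key, mac_key = _subkeys(key)
    blob = base64.b64decode(line)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def write_creds_file(db_user: str, db_password: str) -> str:
    """Vendor-style layout: two encrypted lines, both sealed under the key
    that ships inside the client DLL."""
    return _seal(VENDOR_KEY, db_user.encode()) + "\n" + _seal(VENDOR_KEY, db_password.encode()) + "\n"


def recover_credentials(creds_text: str, key_from_dll: bytes):
    """The attacker's step: creds file on disk plus the key read out of the
    decompiled DLL. Nothing else is needed."""
    lines = creds_text.splitlines()
    user, password = _open(key_from_dll, lines[0]), _open(key_from_dll, lines[1])
    if user is None or password is None:
        return None
    return user, password


def _user_key(user_password: str, salt: bytes) -> bytes:
    """Key derived from the individual user's password, never from the binary."""
    return hashlib.pbkdf2_hmac("sha256", user_password.encode(), salt, 200_000)


def write_user_bound_entry(user_password: str, secret: str) -> str:
    """Contrast: the secret is wrapped under a per-user derived key.
    The salt is stored in the clear; the binary holds no decryption key."""
    salt = os.urandom(16)
    return base64.b64encode(salt).decode() + ":" + _seal(_user_key(user_password, salt), secret.encode())


def open_user_bound_entry(entry: str, user_password: str):
    salt_b64, sealed = entry.split(":", 1)
    return _open(_user_key(user_password, base64.b64decode(salt_b64)), sealed)


if __name__ == "__main__":
    creds = write_creds_file("sa", "Sup3rSecret!")  # constructed sample credentials
    print("attacker with binary + creds file:", recover_credentials(creds, VENDOR_KEY))
    entry = write_user_bound_entry("alice-pw", "alice-db-token")  # constructed sample
    print("right user password:", open_user_bound_entry(entry, "alice-pw"))
    print("wrong password:", open_user_bound_entry(entry, "wrong"))
```

The point of the contrast is scope, not cipher strength: with `VENDOR_KEY` in the DLL, every installation of the product shares one secret and every user of every installation can recover it, which is why the finding above became a database administrator account and then the server. Binding each entry to the user's own password removes the shared key from the binary, but it does not by itself fix the other half of the finding: the account the client ends up with must still be a least-privilege, per-user database login rather than a system-level one.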

Why do you think pen testing is such a valuable tool?  

Many organisations are aware that they might have vulnerabilities but are unsure where to start. They may not have the staff with the skills to perform pen testing or system reviews. 

Third-party reports can not only provide leverage for budgeting but also an additional set of eyes to uncover potential threats.  

What’s next for pen testing? 

Pen testing will always be in demand. Pen testers are continuously learning, keeping abreast of new cyber security techniques, and adopting best practices. 

While discussions about AI potentially taking over pen testing have surfaced, such a transition could pose significant risks. While AI may manage certain aspects of pen testing, the indispensable elements of human intuition and experience will continue to play a crucial role.  

To find out how Toro can support you with a penetration test please contact the team.