One of the coolest jobs I can imagine is to be a hacker, preferably an ethical hacker or penetration tester if you like. But what do they really do, and what may a day for them look like? We had a talk with the senior penetration tester here at Nemko, Øyvind Storhaug, to learn more.
So Øyvind, when a company is hiring you for a pen test, what do they get?
It will, of course, vary, but the first thing we will do is scan the system to search for possible weaknesses which may be exploited in the penetration test that follows. What we are looking for can, for instance, be weaknesses in AD services which are handling permissions and access, possibilities of downgrading encryption or a way to brute force password login by rapidly trying out millions of combinations.
We read in the news that hackers may cause big harm to systems and companies; how do you ensure you are not adversely creating damage?
That is a very relevant question, and there are several ways we are addressing this. First – all our pen-testers are certified for doing such testing. Also, before we do anything, we go through the scope of testing with the client to avoid critical systems. This can, e.g., be a web shop generating the revenue of a company or other highly critical services – think, e.g. of patient records of a hospital.
If critical systems are not tested – that sounds like a problem?
Well, the critical parts may be tested, for instance, by performing the testing on an exact copy of the system, or we may agree to do a vulnerability scan only.
So, when you are testing a system, what do you want to find?
Ideally, for the customer – nothing, but what I am looking for is to get full access to a system with system privileges. As mentioned, this may be achieved, e.g. by being able to downgrade security, get into an alternative log-in system with lower security and thereby get access, find old and outdated versions of programs like FTPs, web servers etc. or misconfigured firewalls which may be exploited.
Øyvind Storhaug
Senior Penetration Tester (aka Ethical Hacker) at Nemko
And is pen-testing a one-off exercise or more of a subscription service?
I would not call pen testing suitable for subscription as such because of the need to scope the testing each time, but performing regular pen tests, e.g. every 6 or 12 months, is chosen by some companies to heighten their level of security.
Vulnerability scans, on the other hand, are well suited as a subscription service, and monthly scans are recommended. This will shorten the time from when a vulnerability is discovered until it is closed, and new vulnerabilities for existing systems and programs are being found on a daily basis.
And finally, what would you say is the benefit of companies using the Nemko services? We are not the largest company offering this service.
Correct, Nemko is not the biggest, but we are actually the oldest pure IT security company in Norway, and we have the capability of being flexible in our services and can adapt the testing to the need of the customers.
The big take-out for using our services is basically a more secure network, discovering and addressing vulnerabilities before anyone else does, shortening the time for closing vulnerabilities, and verifying common secure settings of the systems, including recommended hardening settings. It’s really all about taking down risks.
And by the way, is it true that ethical hackers like yourself sit in the basement wearing a hoodie and with a soda on the desk?
Hehe – no, that is not correct – I sit on the first floor.