How to excel at penetration testing

Gemma Moore of Cyberis Limited talks about her incredible pentesting career and shares her advice for aspiring pentesters. She also discusses security as it regards the human cost of social engineering, which is the title of a recent article Gemma wrote.


  • 0:00 - Intro
  • 5:26 - Becoming a world-class pentester
  • 13:55 - 2004 pentesting versus now
  • 17:25 - Early years of pentesting
  • 19:30 - Natural skills to be a pentester
  • 23:12 - Advice for aspiring pentesters
  • 25:50 - Working in pentesting
  • 27:50 - Red teaming
  • 31:08 - How to be a great pentester
  • 33:04 - Learn about CREST
  • 36:13 - What should be on my resume?
  • 37:45 - Cyberis Limited
  • 40:25 - Diversity and inclusion
  • 43:42 - The human cost of social engineering
  • 50:06 - Training staff positively
  • 52:54 - Current projects
  • 54:20 - Outro

[00:00:01] CS: Today on Cyber Work, Gemma Moore of Cyberis joins me to talk all things penetration testing. Gemma has been a pen tester since before that was a term, and she talks about the difference between pen testing in 2004 versus 2021, the excitement and drudgery of the job, and shares some fun pen testing stories as well. If you're an aspiring pen tester, this is an episode you will not want to miss, and it's all today on Cyber Work.

But first let's talk about this ebook published by Infosec. It's titled Developing Cybersecurity Talent and Teams, and it's free to read if you just go to infosecinstitute.com/ebook. It collects practical team development ideas for industry leaders sourced from professionals from Raytheon, KPMG Cyber, Booz Allen, NICE, JPMorgan Chase, and more. Did I mention it's free? It still is. Go to infosecinstitute.com/ebook and start learning today. Without further ado, on with the show.

[00:00:59] CS: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of infosec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry. With over a decade in the security consultancy industry, Gemma Moore has worked across various sectors delivering infrastructure and application penetration testing, information risk assessment, due diligence compliance auditing, network forensics analysis and social engineering exercises. Gemma is an expert in penetration testing and simulated targeted attacks.

Having been a CHECK Team Leader since 2007, she holds the highest level of CREST Certifications in infrastructure, applications and simulated attacks. CREST being an international not-for-profit accreditation and certification body that represents and supports the technical information security market.

In recognition of her outstanding level of commitment to the industry and the highest level of excellence in CREST examinations, Gemma was selected to receive a lifetime CREST Fellowship Award in 2017. She's a member of the CREST GB Executive and chairs the CREST Penetration Testing Steering Committee. Since we have such an internationally recognized pen tester with us today, I'd be derelict in my duty if we didn't talk with Gemma about her pentesting career and get her advice for aspiring pen testers. We'll also be talking a bit about security as it regards human costs of social engineering, which is the title of a recent article Gemma wrote. So there's lots to get excited about today. So let's get started.

Gemma, thank you very much for joining me today. Welcome to Cyber Work.

[00:02:29] GM: Thank you. Thanks for having me.

[00:02:31] CW: So we'd like to start by getting the story of our guest’s cybersecurity journey in their own words. Your background indicates that you studied computer engineering as far back as college. What was the initial draw of computers and tech? And were there any particular moments or highlights that made you want to pursue this as your life's work?

[00:02:50] GM: It's funny, I'm probably not the type of person that you would imagine when I was growing up would have ended up being in computing or technology or penetration tester. Particularly penetration testing, I like coloring inside the lines. I like following the rules. That's not what you normally expect from a penetration tester. And I'm also not the type of person that sort of came into this with a burning ambition and a clear view that 10 years down the line I'd be a penetration tester, or I’d really wanted to be in computing. I've always been more go with the flow. Is this fun at the moment? Am I enjoying myself type of person.

So I wasn't one of those people that played with computers when they were little. I didn't even have a computer, in fact, until I think I was about 15. My sister and I used to fight over it, and I usually won. I spent all this time online talking to people. And the people that I was talking to were people that were building systems and people that were programming. And generally, most of the people I ended up talking to online back in the day were working with computers, and they were a nice bunch of people. So the real truth is that when I was choosing my degree subjects, I was looking for a bit of a change. It wasn't something that was taught in school. But I'd had all these really positive interactions with friends that I'd met online, all of whom worked in technology and computing.

And so I thought, “Well, if I'm going to have to have a real job and be a grown up and enter a career, let’s go and enter into a career where I think I'm going to enjoy the people that I'll be with,” and it will be those techy people that I've spent all that time talking on the Internet with. And turns out, it was fun. It did suit me. I had a great time learning sort of computer engineering computing while I was at Imperial College. And my whole degree course was full of those nice people that I've been talking to online.

[00:04:33] CS: Now the people you were talking to online, were you talking sort of technical things? Were you just sort of chatting socially? Or were you sort of learning like, “Oh, this kind of person is interested in this sort of thing.” Or, “Oh, here's the thing I didn't know about with regards to penetration testing or some other thing.” So what were those early sort of computer conversations like?

[00:04:54] GM: It was mostly social stuff. So it was chat rooms and things like that. I mean, chat rooms back then were vastly different to any kind of Internet chat now. We're talking like sort of ’99, 2000, Yahoo chat type thing. And the cool people were the ones that could do web design, or that understood scripting, or that can make things happen. And you just get talking. And then they’d talk about their job. And they were doing sysadmin or something. Or they were doing networking admin. Because those were the people that had the time to hang around on Yahoo chat all day. It was students or people that work with computers.

[00:05:26] CS: Yeah. And just that general comfort level of – We’re a part of that first generation of people who are comfortable just sort of being online for a certain portion of the day. And I think it sort of – It filters into everything, right?

[00:05:39] GM: Well, I made friends online that I still talk to today. And in fact, I married one of them.

[00:05:42] CS: Oh, fantastic. Yeah. Yeah. My wife and I talked about if there's like a social gathering of people we know from the Internet. It's like we're going to meet our imaginary friends. Because you talk to your parents and they're always like, “How do you know these people?” And you're like, “Well, I know them through a small box on my desk.”

So tell me about your learning pathway into pen testing and red teaming. You started, obviously, we mentioned in computer engineering in college. But how did you acquire the skills, knowledge and experience to be this world-class pen tester? What were some resources that you frequently made use of, whether it was certifications, or books, or forums, or CTFs, or colleagues? And what were some experiences where you really felt your skills leveling up as a pen tester.

[00:06:22] GM: So it was a different world pen testing back when I got into it. I started in pen testing in 2004. And it was almost an accident. So when I graduated, lots and lots of my fellow graduates were going to work for investment banks and big accountancy firms, and they were going to be sys admins, or network admins, or developers. And I didn't quite see myself fitting in any of those roles. But I wasn't sure where I did fit. And I sort of stumbled across this advert for a trainee security consultant, which was a trainee penetration tester under a different title. And it sounded like fun. So I applied. I thought, “Let's have a go. This sounds like fun.” And I was lucky enough to get the job. And I fell in love. I love penetration testing.

And the thing about penetration testing is that you just don't have time to get bored. You touch all sorts of things all the time. Every job is a different job. Every system is a different system, different application, different customers. And so you never get bored. But if you've talked about learning pathways and what the environment was like back then, it was much less mature as a market. So there wasn't all the wealth of resources that you've got now. So think about OWASP. OWASP wasn't founded until 2001. So when I started, it was only three years old. The web application security project, people didn't know about that at the time. And Metasploit, which everyone now will know, is ubiquitous. That wasn't released until 2003. So those kind of exploit frameworks thing, Metasploit was probably one of the first that people knew about. And that didn’t exist. That’s just been released.

[00:07:56] CW: Yeah, hot on the market.

[00:07:57] GM: Yeah, it was a bit of a wild west back then. And not only did the resources that you've got now not exist. Buyers also didn't really know what they were getting. There wasn't a lot of formality and professionalism around what a penetration test was. Back in the day, a buyer who was buying a penetration test didn't necessarily know what it was they were asking for. So it was a really exciting time to be part of the market, because I've seen it develop and change and mature over time. But the flip side is, when it came to learning, there wasn't a hell of a lot out there. So when I started, Hacking Exposed was the book that was my Bible for ages, because it was the most comprehensive book that was out there at the time that everybody had. It was really clear, really easy to understand. And as resources go, that was a pretty good one for me.

When it comes to learning, these days you've got things like labs, training platforms that you can use for free, you can get hands-on experience through things like TryHackMe, and Hack The Box, and PortSwigger’s Web Application Security Academy. There're loads of labs there. You can go and educate yourself. Bug bounty programs exist. You can legally go and get experience of hacking real systems and sometimes get paid for doing it. That just wasn't a thing back when I started.

And different people learn different ways. Some people learn well from self-study. Other people learn or retain knowledge better from being taught. As I say, I'm not your typical pen tester. I know a lot of pen testers who prefer self-study and self-learning. Myself, I have a very visual memory. So if I want to retain knowledge, the way I learned best is learning from colleagues and having them demonstrate things to me.

[00:09:49] CW: Yeah, going back to the whole online community thing.

[00:09:53] GM: Exactly, exactly. I've always retained knowledge better when I can visualize what's happening or see a demo happening in my head. These days, great thing is you've got YouTube. And YouTube is absolutely full of people who have videoed them doing something, demonstrating something, talking about their techniques. And it's all just there for you to get for free. It's brilliant for visual learners like me.

For me, when I started, my first job was in a very small team. I think there are about four of us. I spent a couple of years there. We did what would probably these days mostly be called vulnerability scanning. There's a lot of tooling, a lot of scripts running on external perimeters and on web applications. And I suppose we didn't really do a lot of internal testing at the time. Internal networks wasn't a thing. This was back in the day when everyone had their hard external perimeter. And everything that was inside the network, you thought that was trusted. So that was okay.

And then I felt like I'd learned everything I could from the people I was working with there, and I needed a bigger team. And that's when I decided to move on to my second job, where there was a team of sort of 15, 20 pen testers. And that's when I really started to learn things, because this was a team that was working with much bigger businesses than my first company. They had bigger problems. And you asked, what was one of the moments where I really started to learn how everything fit together? And it was I've been doing penetration testing for a couple of years already. But it was my first real big penetration test at my second job. And what we were doing was we were doing some due diligence for a business that was going through an acquisition. And it was a web application that we needed to test. And we found SQL injection. SQL injection, great fun under any circumstances. But we didn't stop there. In my first job, we just said, “You've got SQL injection. We might have poked into the database. We probably would have stopped there.” This time we didn't.

So you use the SQL injection. We compromised the server, the web server, and this was in a data center in London as part of a DMZ. And we started poking around users. We've started poking around file shares. We started poking around every other thing in the DMZ, and we found a username, which was related to the AV software, which had a password that was the same as the username. And we tried it. We guessed it. We tried it. That was an admin user across the whole DMZ. And then we started poking around in permissions and egress rules. And we found we had a trusted route from the DMZ in London to the DMZ in Sydney. So we hop over to the service in Sydney. And lo and behold, that password we’ve wrapped still works in the service in Sydney.

[00:12:40] CW: Oh, no.

[00:12:42] GM: Wait, we started doing some port redirection to get ourselves an interactive graphical shell in Sydney through their firewall. Then we bounced back to the London internal network, where we find the corporate file share. Still, we still have access to that corporate file share. And in there are all the documents around the due diligence for the acquisition and all the data. And that was the thing that these people wanted to protect most. And that was the first job that I can remember where the business impact was such that I really understood how what we were doing impacted on the board, because the result of what we had done with this penetration test where we've gone all the way around your network halfway around the world. We're back and we've got your crown jewels, and these are your board meeting minutes. They actually had to delay the acquisition to do a whole bunch of extra due diligence to make sure that it hadn't already been compromised, and that the integrity was right. And that was, I think, for me the really first understanding of how the business impact comes out of penetration testing and how it fits in as part of business risk management, because I don't think I've seen that before. And that was a really good big moment.

[00:13:57] CS: That's a great story. That wraps up several things that I was hoping to ask you, especially noteworthy pen tests, but also, like I say, the sort of like moment of insights and things like that. So I'm glad I got to hear that. Now, I want to jump back a little bit to – We talked about this before, and maybe you can sort of expand on it. But like you said in 2004 when you started, you didn't have all these sort of like pen test tools in a box waiting for you that had been vetted and – Yeah, if you use Metasploit now, you know it's going to work. It's going to do a certain thing. Can you sort of walk me through what a pen test was like circa 2004? What were your, like, starting steps versus like how you would start a pen test now in 2021? And I know that everyone is completely different or whatever, but like for people who are doing it now and sort of are used to, well, you have this toolkit, and this toolkit, and this toolkit, like what were you working with at that time that was so completely different?

[00:14:54] GM: So we did have nmap, and we did have Nessus. So we used nmap and Nessus. They’re pretty ubiquitous still. And you would do the port scanning that you do these days, and you do the vulnerability scanning that you do these days. Difference was very much in coverage and what you do after those phases. So things like nmap. Nmap would tell you what ports were open, and it would do some service mapping, but it was much worse at identifying services than it is now.

So you'd then pull out things like client applications to try and work out exactly what the service is. You'd pull out maybe hping and send some custom probes to work out what a service was. And you'd have to do a bunch of research, because although you might work out vaguely what a version of a service was, the database in things like Nessus weren't as comprehensive as they are now. So you could identify version of a service, but you wouldn't know if it was vulnerable to anything. And you'd have to go and do a whole bunch of research manually about whether it was vulnerable to X, Y and Z. And you get to the point where something is vulnerable to an exploit or something like that. And again, that was a different world. You mentioned Metasploit. And you know it's going to work. The number of hours that you would spend with a piece of code you’d found for an exploit, fixing it up so it would run, testing it in a lab environment, because that was the other thing was fix it up. You're pulling out code from untrusted sources. You're trying to fix it up. Make sure it's not malicious. Get it to work.

And I remember, actually, back in the day, it must have been about 2005, there was a particular web shell that lots of people were using, a PHP web shell, which was a really, really good web shell, except that it was released by a Russian hacking group, and did a whole bunch of phoning home. So in the lab was like, “Oh, this functionality is great.” So what we end up doing is taking this Russian hacking shell and like reverse engineering the whole thing, ripping out the stuff that was malicious. Taking all the good functionality and kind of repurposing that for what we were doing so that we ended up with a really fully functional web shell that wasn't the Russian hacking shell and what have you.

[00:17:06] CS: You hack the hackers.

[00:17:08] GM: Well, there was a lot of that going on, because the tools were good. You just have to get rid of the malicious code. And no one would do that these days. There's no way that you would ever use that as a basis these days. But I say, this comes back to it being a less mature time back then. You had to use what there was.

[00:17:27] CS: Yeah, I want to sort of speak to that. Now, do you feel, and this is subjective based on your own personal experience, but that coming up from this era where you were building your tools, hacking your tools, sort of building them sort of in the moment like that, do you think that that sort of improved your penetration skills now that you have all these sorts of tools at your disposal? Do you think that those early years of struggle sort of allowed you or gave you the sort of insights to use the more easily available tools now in better ways?

[00:18:03] GM: Potentially. I think it's a matter of perspective, really. So I think I find that some – I'll call myself an old pen tester. Some older pen testers like me, we tend to look at vulnerabilities when we get into internal networks a little bit differently to some of the people that are new to the market. But that's because we have seen all the old legacy malarkey that used to go on. And a lot of us are quite cynical. So pen testers we're all pretty cynical, and a lot of the time is justified. But generally, if you've got an old network or old infrastructure, you will have old stuff that nobody's bothered to tidy up. And if you're an old pen tester, you'll know how to look at that old stuff, whereas a younger pen tester may never have seen it in production ever. That age and experience and sort of length of looking at things like this, it's advantageous, because the more experience you have, the more different things you've seen. And that gives you a deeper – I’d say it's not actually deeper. It’s a bigger breadth of knowledge, rather than a deeper knowledge. And that is beneficial. But that comes with time. I still, on pen test, find things I've never seen before. And other colleagues that have been doing the same, again, still find things I've never seen before. And so me as an old pen tester, someone who's younger pen tester, you're always going to find things you don't see before. What doesn't change is the way that you go about finding out about that thing you've not seen before.

[00:19:32] CS: Yeah. Now that transitions nicely into my next question for you. You mentioned that you were surprised at your excitement about pen testing because you consider yourself sort of a coloring inside the lines, keeping inside the medium sort of person, but what type of people are good at pen testing like apart from the raw skills that you learn in classes or whatever? What are some of the natural skills or proclivities in one's interest or cognition methods that separate regular pen testers from top notch ones?

[00:19:59] GM: Curiosity is the main one. So the really good pen testers are nosy, curious. We want to know what's going on. The ones that are really good at sort of finding attack paths are the ones that really want to understand what's going on, how it's going on, and therefore can put that knowledge to use and abuse whatever the application is, or the process, or the infrastructure and how it's going to fit together. And that is – Yeah, that's I think the main one.

There are lots of different skills in pen testing though, and that's another thing to bear in mind is there isn’t one whole thing that's a good pen tester. There're lots of different bits that make up a good pen tester. And one that people underestimate a lot is communication. There is no point in finding a whole bunch of vulnerabilities if you can't then explain to the person that you found them for, why they're important, what they should do about it, and how they should go about fixing it. If you can't explain what you found, well, you're really doing it for yourself. And it doesn't help anyone. And it's not going to be a good career for you. Whereas if you're good at communicating with people, you can go from a good pen tester to a great pen tester by virtue of being able to chain things together in a way that people understand and get people who maybe aren't technical at all to understand the business impact of what you found. And therefore, how worried they should be about it.

Another feature of pen testers that also is underestimated, I think, is understanding people, and the behavior of people. So people are endlessly fascinating, but also endlessly predictable. And pen testers know this. And there are aspects of human behavior that you can guarantee will always happen, and we will know they happen. Things like we're running a red team, we compromised an administrator account, we grabbed the password from memory. So we've got the password of this administrator. It's a very long password. It's a football team, then a phrase, then a number at the end. That number at the moment is 47.

We’re using that account, because we grabbed that account, we've stolen that account, and sitting there with a couple of my colleagues, and suddenly this administrator's changed their password. Okay. And again, what do we do now? We haven't got that server anymore. Try 48, because he put 47 on the end. He's changed his password. It’s probably the same thing with 48 on the end. Yes, it's same thing with 48 on the end. But that's the kind of predictability that I'm talking about. People will be people all the time. And if you've bothered to memorize a really long password or stuck a number on the end, and you're asked to change it, you're probably just going to change the number. And if you've stuck a punctuation character on the end, well, you're probably going to change it from an exclamation mark to a hash or something. That's how people are.

[00:23:00] CW: Yeah. Yeah. I mean, I cringe thinking about my ’90s-era passwords. But fortunately, they're all gone. So I want to talk about this, because we had Ning Wang from Offensive Security on last week, and we got into this a little bit, and I wanted to talk about it to you as well. With regards to pen testing, do you have any advice for people who might be good at the nuts and bolts of pen testing in an abstract way but aren't sure if their skills are going to apply in the real world? So we were talking a few episodes back, and she pointed out that it's a far cry from being really, really good at capture the flags versus being an effective pen tester, because as she put it, there isn't always a flag at the end of the project. Can you give some advice for aspiring pen testers who are sort of learning their tools and learning their skills who want to know how to pass through from being good at pen testing and simulated environments into using those skills learned in real world real stakes pen tests?

[00:23:54] GM: Oh, definitely. And Ning is right. There isn't always a flag. In fact, there's almost never a flag unless you're doing red team or adversary simulation, which is a completely different discipline. And when you're talking about pen testing, so if you've got a CTF and you're pinging through it and you're grabbing the flag, you know you've finished. With a pen test, you only know you finished when you think you've exhausted all the possible things that you could have been testing within the scope. All, every system, every application, every input field, when you think you've exhausted all of those, you know that you've come to the end of a pen test. Or alternatively, which is more common, you've run out of time, because the customer paid you for enough time to do the pen test.

[00:24:35] CW: Pencils down. Yeah.

[00:24:36] GM: Yeah, exactly. It's like okay, “Well, these are the constraints and limitations. These are the bits that we didn't have time to look at. And here's your report.” But yeah, the methodology is very different. With a capture the flag, you're literally going through one particular thing. But with pen testing, you're trying to be very thorough and very methodical. And you also have to come to terms with the fact that a lot of pen testing is quite dull in and of itself, because a lot of the time what you're doing is churning through fairly dull test cases where things aren't vulnerable. Just check the things aren't vulnerable. And then now and again, you'll find something where you do have vulnerability. And you can then have some fun. But there's a lot of boring that goes with the fun, whereas capture the flag, it's fun, fun, fun, fun, fun, because you’re grabbing flags the whole time.

[00:25:25] CS: And it's always puzzles too. It’s not yet tedium.

[00:25:27] GM: Exactly.

[00:25:28] CW: Yeah.

[00:25:28] GM: Yeah. But sometimes pen testing is tedious. And that's just the way it is. But the good thing about pen testing is that tedium doesn't last forever, because by the time you finish the pen test, you're then on to pen testing something else. So even if this particular pen test this week was really, really boring, the one you're looking at next week is going to be different. There might be a different kind of boring, and it will definitely be different.

[00:25:51] CS: Often, yeah. Yeah, we did a live episode with a couple of red teamers. And we had a question come in from an audience member. And it was a little heartbreaking because I think he just started being a red teamer. And he said something like, “Is this all there is?” Like he's like, “I'm mostly just reading scan logs.” I think he was really sold on the idea of James Bond theme playing in the background and Cloak and Dagger, and we all agreed, like that happens once in a while. And sometimes you're going to have like a story that you can talk about on a podcast or with your friends at a party or something like that. But for the most part, yeah, there's a lot of drudge work involved in this, right?

[00:26:27] GM: Yeah, well, red team and adversary simulation. And that can be even worse. And I mean, that is like a CTF. You have a flag you want to catch. That's normally how it goes with red teaming. There're a couple of objectives you want to achieve. And you're looking for the attack path that leads you from A to Z and all the places in between. And that's all you're doing is looking for the easiest attack path that gets you the objective. And then, obviously, what you can teach the customer about their systems, their network, their weaknesses based on that. But you can't say that it's going to be great fun all the time when I spent a whole week trudging through more than 1500 file shares, literally reading files, before I found the one thing that's allowed me to move to the next stage of the attack path. Now you need some patience for that. And you need some patience, and you need to be methodical. And it is not fun until you actually find the thing that lets you move on to the next bit.

But most red teaming is so. You tend to spend a lot of time digging around, getting background, reading files, doing some boring stuff. Suddenly, you'll find the one thing that lets you move to the next stage. And more often than not, it's like dominoes falling over from that point. So it’s really boring bit up front. And then suddenly the dominoes will fall. You'll get to the point where you've got domain admin. Then you'll get to whoever you're impersonating. Then you'll get whatever it is you wanted as an objective. And yeah, it tends to work with that.

[00:27:50] CS: Is there an aspect specifically with red teaming where – Because if you're doing a red team, it's understood that your company has figured out most of their low-level security problems theoretically, or whatever. So is some of the slowness of the red teaming, the fact that their perimeters are actually pretty secure and you're really having to sort of like dig deep to find that one thing that, as you said, knocks the dominoes over?

[00:28:15] GM: Yeah, there tends to be sort of two pinch points in a red team that are dull. If you like a war, it will take a long time. First one is getting your first foothold, because most of the time with the red team exercise your methodology is you get a foothold through a workstation normally via phishing. You know, you might be doing some physical intrusions, or you might be doing some direct attacks in perimeter. But these days, it's mostly phishing against users. So your first pinch point, where it's quite dull and a lot of research, is working out what controls you're going up against on a workstation. And that normally means sending a bunch of probes in from different domains, trying to work out what type of endpoint protection they've got, what firewalling they've got, and they’re doing domain inspection on the web controls. What mail filters are in there? And that's a bit of a methodical and dull process to get to the point where you know you can get an email with some malware into the user. Then you've got social engineering hook that the user is actually going to bite, get them to open it and run it. And that takes a long time, can take weeks. But once you've got your foothold, then you hit the next dull part, which is exploring everything that you've got access to and saying, “Is this useful? Is this not useful?” And that's when you spend a week reading file shares or churning through different databases, or enumerating all the hosts in Active Directory and working out what operating system they're running, and when they're turned on, and who's logged into them and all this sort of stuff. And so, yeah, there's sort of those two boring, if you like, bits of red teaming followed by the rest of the attack paths that’s normally great fun.

[00:29:56] CS: And I think that's worth noting in terms of just people choosing their career path that there's always – I think just about anything, I want to be a doctor, I want to be a film director, I want to be this or that or the other thing. I think everyone imagines like the fun part. I click the thing and say action. Or I save the person's life or whatever. But they all have the sort of long dredge portions that get you to that moment there. And so I think it's worth noting if you're going to be a pen tester or a red teamer, you think you are like – Just know what you're getting into, right?

[00:30:31] GM: Exactly. And there are some moments of real great fun. I have so many stories that are great fun. We hacked a door control system in an internal network. That was great fun. Working out how the underlying database worked. We worked out how the underlying database worked. Worked out how the client application worked. And then reprogrammed our visitor’s card to allow us into the secure vault. And it was one of the most fun pieces of sort of action on objectives I think we've ever done. Getting into the vault, taking a picture, running out again, and then giving back the visitor’s card. That was fun, but it’s not all like that.

[00:31:09] CS: Yeah. Well, how do you keep your pen testing skills at the front of the pack? Are you always learning new techniques, new developments in pen testing people are using to get an edge? Do you just get better by doing it a lot? Or is this a thing like continuing education credits and certifications where you're doing lots of reading on new pen testing developments or trying out new tools that people are developing? Do you practice your skills like a musician would like practicing scales?

[00:31:35] GM: So that is a really interesting question, because it's kind of all of the above and none of the above. The reason I said that is there’re always new techniques, and there's always new tools. And you're always going to be a bit behind if you don't know about the new tools and the new techniques. You said, do you practice your skills like a musician? When it comes to tools, you have to keep using them or you forget how to use them. You have to keep applying them, or you forget how they're applied. But in terms of pen testing itself, it's kind of more like riding a bike. You don't really forget the approach and the methodology. And a lot of that being a pen tester is that application of this is a thing that has a certain number of inputs and expects us to behave in a particular way. How am I going to subvert how I'm behaving towards this thing that I found so that I'm behaving in an unexpected way? And what is going to happen then?

And that kind of curious approach to doing things that are unexpected or undocumented, that approach to something unknown that you've not seen before, that is something that you never really forget. So even if you haven't been using a particular tool, the application of finding out about the tool, doing some research, all that sort of stuff, that never really leaves you once it's baked in. Yeah, there's no denying, it's a really fast paced field. And yeah, things develop constantly. So you have to keep on top of things.

[00:33:03] CS: So can you tell me about the CREST Penetration Test Steering Committee? What does this organization provide or do?

[00:33:09] GM: Yep. So we're obviously a part of CREST. Effectively, it's a committee of expert penetration testers that have been elected by CREST membership to represent them in penetration testing. What we do is we work with CREST to kind of steer CREST activities in penetration testing, and that's things like feeding back around the exam qualification syllabuses. So CREST runs qualifications in infrastructure, application and simulation attack in penetration testing. And so we give them feedback on what's in the syllabus. What the exams are like? Are they giving us the right quality of candidates? That sort of stuff. But we also do research in the community from buyers of penetration testers, for example. We do release papers for people who work in the industry. So one thing that we're working on at the moment is around sort of report phraseology, and the type of phrasing that you should look to put in your penetration testing report. What's good practice? What's bad practice? What's in between.

So generally, our mission is test for CREST and improving penetration testing for the whole market for buyers for people coming in. Another big thing that we're trying to do, of course, is try and get more people to come into penetration testing. So working with academic institutions and educational bodies, and try and get more pen testers coming in at the bottom, because we do have a skill shortage.

[00:34:34] CS: Yeah. What are some of your recruitment methods, I suppose? Or how are you getting people excited about pen testing?

[00:34:43] GM: Everyone's doing things slightly differently. So lots of places are running sort of graduate intake schemes on cyber. We're running one. I know many of our other competitors in the UK, we’re on graduate intake schemes where we bring people in and train them up and try and get them excited about penetration testing. A lot of that advertising is happening on social media. A lot of people are interacting with universities, because there’re quite a few universities in the UK who are doing cybersecurity and hacking courses. I'm sure it's the same in the US. And trying to get involved with those lectures and get in front of those students early. So they start coming into the pipe, and is definitely a good thing to do.

Other things that we're trying to do is get people better at writing CVs for example. When you advertise for sort of junior penetration tester, you tend to get an awful lot of CVs, and some of them are really good. And a lot of them are pretty bad. And you tend to find – But we find certainly more than 10, sometimes a lot more than 10 applications for every vacancy. And a lot of them are just not targeting the covering letters right or they're not saying the right things on their CVs. Even if they might be employable, they just get rejected because they're not saying the right thing on the CV. So helping tailor that so that recruiters are not just discarding you at the first hurdle is something that we trust as well.

[00:36:13] CS: What are some things that you want to see on a CV? And what are – Especially if someone's trying to get their foot in the door, and you always hear the thing, I can't get experience until I have a job, but the job needs experience and so forth. Like what is your advice in terms of showing yourself, especially if you don't have a lot of real world experience? What do you need to see on a CV from someone you say, “I'll take a chance on that person.”

[00:36:39] GM: So covering letter is actually more important than CV to me. If somebody is applying to work at Cyberis with me, I want to know that they know about Cyberis specifically. I don't want to know. I want to be a pen tester. I want your covering letter to say, “I research Cyberis. I want to work with you because I've seen this. I like that. I want to work with you because of actual reasons that apply to Cyberis and not just generically.” Because the people that I want to work with me are the people that want to work with. That's the biggest thing. If you've got a really good tailored covering letter, that will get you through the door a lot. And it will overlook a lot in the CV if you spent a lot of effort on the cover letter. And when it comes to the CV, I like to see people that both have done some stuff on their own and are proud of it. So I've done all these exercises on TryHackMe. I’ve learned about this, that and the other. But I also want to see some sort of personality as well. I don't want it to be just, “I'm desperate to be a pen tester.” I want to know what else they do. But I think you'll find, if you ask four different penetration testers what they look for on a CV, you'll probably find 10 different answers to that question.

[00:37:46] CS: Sure. Yeah, yeah, yeah. Yeah, we hear that a lot with people that I don't need you to necessarily give me the right answer, but I want to see that the thought you put into the question I asked is real thought and not just sort of stock answers and so forth.

[00:38:04] GM: Make an effort is probably the summary.

[00:38:06] CS: Yeah. So tell me about Cyberis Ltd. and your role there as director. What does your company provide? And what's your role in the process? Oh, also, since you're the director there, do you find in a C-suite director role that you're limited in your ability to do the nitty-gritty work that you really like doing with pen test and red teams? Or are you able to find a balance between the directorial managerial tasks and the rolling up your sleeves work?

[00:38:31] GM: So Cyberis, we're a company that we started back in 2012 when we're an information security consultancy. That's what we specialize in. So most of our work is in sort of technical assurance penetration testing, red teaming, but we also help our customers with a whole bunch of other security challenges. But that's where our focus is. And we are very focused on that. And we're also quite a small business. So there're 26 of us at the moment. So we're not huge by any stretch of the imagination. So we're small enough to be agile. And because we're small enough to be agile, we tend to form very close relationships with our customers, which is what we always wanted to do, because we do find with penetration testing. The more you know about the business you're testing, the better tailored your advice tends to be. And that's just a factor of knowing the customer and their threats.

It is definitely a challenge keeping up to date with pen testing whilst also doing everything that I need to do as a director of the business. But what I tend to find is these days, I don't do as much at the sort of standard penetration testing. What I tend to get involved in is the red team engagements and the adversary simulation. So that's where I spend most of my time working for Cyberis is on sort of those longer term projects where it's arguably more technically challenging. We've got the boring bits, of course. But it’s those longer term projects, those bigger projects, that's where I tend to spend my time. I think with the sort of managerial tasks I have on that struggle with standard penetration testing, but the nature of red teaming means that you can dip in and out of it. You're not doing it full time. And therefore, it fits quite nicely with all the other things that you end up juggling when you're at director level or, indeed, a senior level in any other company, the bigger companies.

[00:40:17] CS: That's great, yeah. I'm glad you have the sort of fun or stimulating aspects of it, because we do occasionally hear from C-suite people who are like, “I just spent all my time managing people now. I wish I could still do the thing that I liked doing when I got into this industry.” So I think there needs to be a balance. But in our conversation before the taping, you noted that you work with a diversity and inclusion working group working towards bringing more women into the cybersecurity field. So I like to ask this, for companies who are trying to hire more equitably and more diversity, what are some actionable things that hiring managers and departments looking for new employees need to do to make sure that their talent pool is as wide and multifaceted as possible?

[00:40:59] GM: Yeah, it’s a difficult one to answer. And it's difficult because we actually don't have any real good hard data about lots of these things. So a lot of the things that you can do are kind of – We think this will help, but we're not entirely sure. We don't have the data. And we don't even have the data that says you know how many women there are in cybersecurity. So even the data there is wooly. But there're some really concrete things that people can do. One thing that's quite important for job adverts is making sure that you're not tailoring your language unconsciously towards men. There's a tool called Gender Decoder, which you can run any kind of job advert through, and it will tell you whether your language is more masculine or more feminine. And you can then choose words slightly differently so that your job advert comes out as neutral. If you tend to put too much masculine-directed language into a job advert, it tends to put women off, because they think it's an environment that I'm going to work into.

Another thing that women tend to do that men tend not to do, and again, we don't really know why, is if you have a job advert where you have a whole bunch of skills listed as compulsory or required, women will tend to apply only if they meet all the criteria in that advert. Men will have a go even if it's only 50% or 60%. And if you put too much in the required when it's not actually required, you're going to put off women that could have done the job brilliantly when you didn't need to. And so thinking about what actually is required and what might not be required is a really interesting thing that you can do that’s sort of concrete.

Genuinely flexible working, that's a big plus. Now, the pandemic’s kind of helped and kind of hasn't helped. In a lot of cases, flexible working, working remotely has been great for a lot of businesses, because women have been able to work from home where they never were allowed to before. And on the flip side, you've had homeschooling or kids at home, where women have been working from home alongside men who’ve been working from home. And in those situations, statistics are showing that women actually have been doing all the childcare. Even though men and women have been at home together, all of the responsibility of looking after children, even when both working full time, has fallen on women and not on men. So the pandemic’s been good and bad. But genuinely, flexible working. That's really good for women at keeping women. Yeah, there're lots of other things you can do. That's probably enough. I could waffle on for hours.

[00:43:45] CS: Might just get you back and we can talk about that in more detail. But yeah, we are getting close to the hour. But there was another topic that we mentioned. We sort of flew past it a little bit earlier on and I want to drill a little deeper. You wrote a piece recently called The Human Cost of Social Engineering. Your piece lines up nicely with Infosec’s thinking in this area, a lot of security awareness training groups and security professionals will use language like the human is the weakest link in the chain. But as you put it, we have a moral and ethical obligation to look after those targeted and avoid causing undue distress. Can you talk a little bit about changing the mindset of every tech user feeling perpetually like one step away from a catastrophic mistake? So one that feels more maybe taken care of by security practices and safety measures?

[00:44:33] GM: Yeah, culture is so important. So we've always liked to say, “Well, click on a phishing email. It's stupid to open the document. Why did you click on that link? Why did you do this? Why did you do that?” The reality is that if phishing attack is good enough, you can fool me, you can fool you. Anyone can and will be fooled at a particular time. And we just have to accept that people are human. And you can't expect people to be on their guard all the time. That would be an inhuman way to behave. Things like tailgating. When we're doing sort of physical social engineering exercises, a lot of the time we're talking about walking in a door that's been held open for us.

Now I would challenge anyone to create a happy culture in an office where someone is happy to be rude enough to slam a door in your face as you walk through behind. That's not something that happens in a place where people are happy and comfortable. One of the most dangerous things that you can have in security is a blame culture, anywhere. Because if you have a blame culture, when something goes wrong, when people think something has happened, that they've done something they shouldn't, they will not put their hands up to it. And the companies that are under the biggest threat, really, are the companies that are being targeted by advanced adversaries who are going to put the effort into properly socially engineering, having malware that evades the technical controls, having intrusions that are going to fall under the radar, even advanced EDR products. And if you're in that situation, the only flag that you might have to work on would be a user putting their hand up and saying, “Something's not quite right here.” And if they're reluctant to do that, then you've lost the battle already. Because it might be – Even if it's a week after, they've opened something that they feel a bit funny about afterwards. That might be the only warning you get that a breach is in progress, right? So you've got to try and have a culture where people aren't afraid to talk about things that might be a bit hard and they don't feel they're going to be shouted at for doing something they shouldn't.

And not just that, if you want to avoid risks from insiders – And when I say risks, I'm not talking about necessarily malicious insiders. I'm even talking about things like mistakes. Most breaches don't happen as a result of an attacker. They happen because somebody has made a mistake. And people who are stressed, people who are anxious, they make mistakes more often than people who are happy.

[00:47:10] CS: Working long hours.

[00:47:11] GM: Yeah. So if you want cybersecurity, if you want resilience, a happy, looked-after workforce is what you want. And you need to make sure that what you're doing isn't counterproductive. There was a news story a couple of months ago about a transport company in the UK, West Midlands Trains I think it was, who ran a phishing exercise against their staff who had been having a very difficult time through the pandemic, as you can imagine with the public transport. It was a sector that was very heavily hit. And I think their phishing exercise was along the lines of – The hook they used was along the lines of, “Here's a bonus post-COVID,” and then people click on the link, and there was no bonus. And their staff were upset by that.

In fact it is a valid hook. An attacker would use that kind of people. It's valid to do. But for them, counterproductive, because what you end up with then, yes, you might prove the point that people can click on a link if it's got the right hook. But we all know that anyway. What you've done there is alienate your workforce and upset people. And alienating upset people, that's not the happy company that you want. And it's not the happy environment that leads you to better cybersecurity outcomes. So it's understanding how important people are.

We're never going to get rid of the human element in cybersecurity. As technology gets better, humans are going to become even more targeted, because they are going to be the only way we can get – The only way an adversary can get what they want done is by targeting humans, and they are going to become the weaker and weaker link as we go. But what we need to do is build up layers of defense that keep people safe, not blame the people that couldn't possibly be safe anyway. And even deep fake. Look how good that's getting, and now we're in a situation where everyone is on video calls. Can you imagine having a video call from your CEO telling you to do something immediately? And it is your CEO. And it's their voice, and it's their face, and they're talking to you like we are now. And they tell you to do something. Are you going to say no? Should you say no? You might lose your job.

[00:49:30] CS: You’re going to feel really weird calling them back three seconds later, and like, “Did you just actually talk to me on a video call?” And they're going to be like, “Yes,” or “No,” or whatever. Yeah. That’s going to be an uncomfortable moment, yeah.

[00:49:41] GM: Exactly. And so the technology that’s targeting people is getting better and better. And we have to make sure that the layers of defense we put around people are better. And stop telling people they're stupid. I mean, I'm smart in cybersecurity. I'm not a vet. I can't fix my dog when he's ill. I don’t try and do it myself. And the vet doesn't tell me I'm stupid when I bring in the dog and say, “My dog’s ill,” right?

[00:50:07] CS: Yeah. Now, can you sort of speak at all to like – Maybe this is another way of putting this, but like how do we sort of like get a staff to understand that people will click on anything, i.e., a bonus link or whatever without doing it in this really sort of ugly and invasive way? How do you sort of make that lesson stick without doing it in a way that kind of like erodes the trust of the company?

[00:50:38] GM: So when we're doing these types of exercises, we tend to do things slightly differently. We don't do blanket phishing in quite the same way. If we do, if we do blanket phishing, we make sure that the hooks that we choose are very bland and generic and actually not personal in any way. So the problem with that example I gave you earlier, there's a bonus for you, that's a really personal thing. These people have been struggling through the pandemic. Suddenly there’s a promise of a bonus. The hope, and then the drop at the end, the disappointment that this was something that was horrible. So if you want to assess whether someone's going to click on a link, I’ll tell you, they will. You've got to choose a hook that isn't emotive to the people that you're targeting. And so we normally choose something really generic, like a hotel booking that's for somebody for a work thing that's gone to the wrong address. And if someone replies and queries, it will go, “Oh, sorry, that's the wrong address,” and we respond, and then they don't think anything of it, because they've responded, and it's just been taken off their stack. Or it'll be an invoice for something they didn't order, and they'll go, “I didn't order this.” And again, we'll respond and say, “Oh, sorry, that's a mistake. An accounting error. Don't worry about it.” So they're not worrying about it.

But after that, it's a story you tell after that exercise that’s really important. And often what we'll do is tailor some training around what we sent in and why people clicked on it. And we'll tell it's about educating the users in a way that's not patronizing. So explaining, “Look, we sent you this email. And it had a note saying you're going to be billed today if you don't cancel, or there's some urgency involved. We made you make a decision. We drew your attention to this bit at the bottom of the page, and you clicked on that. We made you think you were logging in, because it looked like you were logging in, but you weren't logging in.” And it's explaining how we've manipulated them and what they can take from that. And then people are like, “Oh, okay, you're not patronizing me. You're not having a go at me. You're teaching me how other people are going to attack me. So, actually, I'm going to take this on board and use it going forward.” Doing the whole click on link, “Oh, you clicked on a phishing link. You shouldn't have clicked on a phishing link” type thing. It's not enough education of people. It just makes them feel bad.

[00:52:52] CS: Yeah. So as we wrap up today, can you tell us about some of the projects you're working on either through Cyberis or your own personal endeavors? What's on the horizon for you? And what are you excited about at the moment?

[00:53:03] GM: I'm excited about all sorts of integration and continuous cybersecurity with our customers. So the world has been changing so rapidly, not least in the last 18 months with COVID, but with everything else that's been going on. And cybersecurity is changing with it. And the way that we use penetration testing, technical assurance, vulnerability assessment, we're getting much more to a sort of real time interaction with our customers, real time reporting vulnerabilities, and a real understanding of closing off attack paths rather than just fixing vulnerabilities. How different layers of defenses can help you close attack paths, rather than just focusing on patching, for example? And that shift away from vulnerabilities is a big list of things that you've got to tick off or fix. To looking at the end-to-end attack path from your point of compromise, or sorry, your point of infiltrations, your point of compromise at the end, and where the best places, the most efficient places are to cut off that chain of attack. That change in approach is really exciting, because it will make us all more secure.

[00:54:18] CS: All right, one last question for all the marbles. If our listeners want to learn more about Gemma Moore or Cyberis, where can they go online?

[00:54:24] GM: So www.cyberis.co.uk is our website. We have a whole bunch of blog articles on there that I've written. So if you want to get to know what I think about things, that's a good place to go. I'm also on LinkedIn. People can connect with me on LinkedIn, Gemma Moore Cyberis. Yeah.

[00:54:45] CS: Terrific. Gemma, thank you so much for joining us today. And thanks for all your great insights on pen testing.

[00:54:51] GM: Thanks, Chris. It's been a pleasure.

[00:54:52] CS: And as always, thank you to everyone listening at home, listening at work, or listening at work from home. New episodes of the Cyber Work podcast are available every Monday at 1pm Central both on video at our YouTube page and on audio wherever fine podcasts are downloaded. To read Infosec’s latest free ebook, Developing Cybersecurity Talent and Teams, which collects practical team development ideas compiled from industry leaders, including professionals from Raytheon, KPMG Cyber, Booz Allen, NICE, JPMorgan Chase and more, just go to infosecinstitute.com/ebook and start learning today. Thank you once again to Gemma Moore, and thank you all for listening and watching. We'll speak to you next week.
