At Pentest-Tools.com, we use our managed pentesting services to learn from our customers and listen to them.
Every one of us works hard to understand what users need and why, feeding that knowledge into the platform while we continue to learn and grow as individuals and as a team.
That’s why we eat our own dog food and we always practice what we preach.
Compelled by our “show, don’t tell” approach, we’re starting a new series: Behind the Tools. By bringing into the spotlight the people who build tools that millions use, we aim to learn from their personal stories and career journeys, and share them with you so they may accelerate your own development.
Meet the humans of Pentest-Tools.com
For our first interview, we picked the brain of one of our senior ethical hackers, Răzvan Ionescu, whose infosec career of 10+ years packs a lot of wisdom.
As Head of Professional Pentesting Services, Razvan has mastered the art of balancing technical acumen with communication abilities whether he’s talking to customers about pentests or giving presentations for the infosec community. He is a man of focused action and determination, leading the team by the example he sets with his work and approach.
Find the “what”, teach the “how”
Like you, Razvan is deeply into ethical hacking and understanding how it fits in the cybersecurity ecosystem.
Ethical hacking adds value to the client because, along with the potential vulnerabilities found in the network/web application, it also teaches them how to solve security issues.
When you explain the pentesting report in plain terms, the client quickly understands the security risks and the business impact. At Pentest-Tools.com, we launched a new line of business a few years ago, the Managed Pentesting Services, which I lead.
We use the platform for our pentesting engagements, but we constantly develop it through the feedback we receive from our customers, which keeps us aligned with their business needs.
In penetration testing, the human expert’s work is invaluable, because they use their subjective judgment to deliver outstanding work. There’s no way to automate that.
What penetration testers really need is more time to focus on creative work and automate repetitive, manual work.
With our Pentest Robots, we help ethical hackers automate boring, but necessary tasks that are part of their work. Thus, they gain invaluable time to deal with more complex issues and simplify their workflow.
We always focus on keeping our customers safe and ensure they understand how to effectively increase their security.
Besides hard work and practice, stories and examples can always inspire or challenge the way we approach our work and personal development. We asked Razvan which examples helped him cultivate his hacking skills.
Here’s what he highlighted:
I listened to an episode of the Darknet Diaries podcast (Ep 87 - Guild of Grumpy Old Hackers), and I discovered the story of three Dutch ethical hackers who hacked Donald Trump’s Twitter account in 2016. I recommend listening to the entire episode to learn how they used emails and passwords stolen from the LinkedIn data breach from 2012.
You’ll also discover how Donald Trump used the password “yourfired” (favorite catchphrase from the Apprentice show) for his Twitter account. The 3 Grumpy Old Hackers notified both Homeland Security and the US Computer Emergency Readiness Team (US-CERT), but no one answered. They also reached out to the National Cyber Security Center (NCSC) from the Netherlands, who replied, and they solved the problem.
Two other examples I really enjoy:
We can’t emphasize enough how much you can learn from these real-life stories and how they can shape your mindset.
Take it from an experienced ethical hacker who got into the field in 2010, when people still used the BackTrack4 OS (now known as Kali Linux), which includes a plethora of open-source tools for penetration testing.
If you want to dive deeper into this field, Razvan suggests the bare minimum of tools you need to have:
Basically, all you need is a laptop / PC, a browser, and an Internet connection. You can configure your pentesting lab in the cloud to reduce hardware costs and save time, focusing instead on chaining vulnerabilities through manual scripts and file transfers.
While that will teach you the ins and outs of pentesting, it will take a large portion of your time and resources to put together. That’s why I’m happy to see that more and more pentesters choose to use our platform as their lab so they can focus on applying what they learn much faster and more effectively.
There’s also hardware hacking. To work in this field, besides basic knowledge of electronics, you need all kinds of tools to connect to the “target” hardware and analyze its firmware, modify it, or test it to discover vulnerabilities.
Discover what it’s like to be an ethical hacker
You’re probably eager to hear more about breaking into a company and getting access to valuable assets to demonstrate security risks (and your skills). So let’s see who might make good customers for you.
Razvan experienced this first-hand while working for several big organizations, in their cybersecurity teams, where they ran internal pentesting engagements.
In terms of market dynamics, more and more companies want to establish their internal cybersecurity department and run these security tests every day.
For companies with limited resources, it’s more convenient to work with independent specialists. This applies to organizations that deal with challenges in recruiting cybersecurity experts which, at this point, is most of them.
Does an ethical hacking career sound exciting for you? Are you looking to specialize in a specific area of penetration testing?
Find out from Razvan which specific skills each area requires:
Cybersecurity is a vast and complex field and each branch has its specifics.
Here are four large areas to consider:
1. Network Penetration Testing – where you need specific skills such as networking, protocols, services, how to build them and how they work, etc.
3. Mobile Penetration Testing – where you look at the application itself, searching for hard-coded secrets (keys, passwords, reading keychains), analyzing data sent over the Internet, and so on. To do this, you need to know technologies such as Java and Objective-C, including tools like a proxy or different frameworks (MobSF, Drozer, etc.)
4. IoT / Hardware Hacking – for which you need networking skills and also more specific ones, depending on what you want to test: routers, IoT devices, cars (they communicate through special protocols and channels, like CAN Bus).
To advance your ethical hacking career, choose to focus on one of the above areas. Besides technical knowledge (programming languages, technologies), an ethical hacker also knows the pentesting frameworks (e.g. OWASP, PTES) and has a growth mindset and insatiable curiosity.
Lifelong learning is fundamental for ethical hackers
Razvan emphasizes how lifelong learning makes for a strong foundation for any pentester. Here’s his practical piece of advice:
You gain experience by working on as many and varied penetration tests as possible. As time goes by, you become a specialist in techniques and attack vectors, you learn creative ways to get through security measures you come across.
I heard about penetration testing during my Master’s degree in Security of Complex networks at the University Politehnica of Bucharest. I met Adrian Furtuna there (founder and CEO of Pentest-Tools.com) who became my mentor.
In terms of educational resources that can support you on your career path, he recommends:
If you want to learn penetration testing, there are plenty of online resources (courses, videos, articles, etc.) to get started.
At Pentest-Tools.com, we try to organize a hacking day every two weeks where every team member learns the basics of penetration testing. During our hacking session, we use the following resources:
- Web Security Academy from PortSwigger (the creators of Burp Proxy, widely used by infosec pros)
- TryHackMe, a platform where you can find lots of challenges designed for all skill levels and areas of interest.
- Hack The Box, which is similar to TryHackMe
- Pentester Academy, which includes different challenges and also provides Red Team certifications (Active Directory – Attack and Defense)
- PentesterLab is a similar resource to the previous example.
When you feel ready, you can get a certification in the field; I would recommend the ones from Offensive Security (OSCP, OSWP, OSEP, OSWE, etc.), and those from the SANS Institute (GPEN, GWAPT, GXPN, etc.).
If you don’t have skin in the game yet and you’re curious about how you can earn money as an ethical hacker, here’s a practical answer:
There are various areas in which you can work:
Penetration Testing / Consulting – You can get a job in companies or start your own company to sell such services to customers for their products. Some companies hire pentesters on a project basis (e.g. Cobalt.io).
Bug Bounty Hunting – There are many platforms where you can register and send vulnerabilities. Based on the vulnerability severity found, you can earn from a few dollars to thousands of dollars. Such platforms are HackerOne, BugCrowd, Synack, etc.
Pro pentesters learn to be comfortable with constant change
Besides doing what is under your control, there are the implications of technical advances in ethical hacking to consider, along with their deep impact on our work.
On that topic, Razvan thinks that:
Technological advances play an important role in both our lives and our careers as cybersecurity specialists. I agree that digital products are based on infrastructures developed in the last decades, but new technologies, such as blockchain, emerge faster than ever before.
In my opinion, it is a completely new and different “playground” for ethical hackers, because it challenges them to learn new phrasing, such as “smart contracts”, new programming languages (e.g. Solidity), or new protocols (e.g. VOBP – Voice Over Blockchain Protocol).
Being a penetration tester means being comfortable with change and fast-paced learning. You do it while learning new technologies in the testing process to improve your workflow and have time for both.
We loved this perspective: internalizing that change is inherent keeps it from draining our mental, physical, and emotional resources, and it helps us focus on what we can control.
That’s also why an ethical hacker can help companies prevent breaches and IT system compromise.
According to Razvan:
Time showed that anything can be compromised if the attacker has the right tools and resources.
There’s an episode in the Darknet Diaries podcast (ep. 82), which tells the story of the 2015 San Bernardino terrorist attack.
The FBI demanded Apple unlock an iPhone that belonged to one of the terrorists. Apple declined to assist, saying they created the product so that no one (not even employees) can do that.
According to the story, the FBI bought a Zero-Day bug (one the product creator doesn’t know exists, sold on the dark web) to unlock the phone.
So, with the right resources, you can “break” anything.
Razvan Ionescu at the DevTalks Bucharest conference
Even with the right tools and techniques, any experienced pentester understands you can’t easily find a Zero-Day vulnerability and Razvan knows it too:
You need solid skills, time, patience, passion, and determination :-). And a bit of luck (so no one has found them before).
There are several techniques, one of the most well-known and prolific is fuzzing.
Fuzzing means generating input (e.g. text files, audio files, text, etc.) that doesn’t necessarily follow a pattern or a format (as defined in RFC – Request for Comments). Then, the fuzzy input is sent to the client (software).
When the software starts to run or process the input (if it’s not correctly written), it can run code controlled by the attacker (the ethical hacker, in this case). This way, Zero-Day vulnerabilities are found and reported to the manufacturer.
Then, the manufacturing company publishes a CVE (Common Vulnerabilities and Exposures database) for them, so the infosec community can easily identify and solve them.
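To make the fuzzing workflow Razvan describes concrete, here is a small mutation fuzzer added by the editor as an illustration; it is not code from Pentest-Tools.com or from the interview. Everything in it is constructed: the seed input, the tiny length-prefixed record format (hypothetical, not a real protocol), a deliberately careless parser that trusts the declared length, and a hardened parser that validates it. The fuzzer flips bits and inserts or deletes bytes in the seed, feeds each mutant to the parser, and records any input that causes an unexpected exception, which stands in for the crash a real fuzzer would catch in native code.

```python
"""Toy mutation fuzzer against a constructed length-prefixed record parser.

Format (hypothetical, for illustration only): a stream of records, each
"<1-byte length n><n payload bytes>", with n >= 1.
"""
import random


class MalformedRecord(ValueError):
    """Raised by the hardened parser when it rejects input on purpose."""


# Constructed seed: two valid records, "hello" and "world".
SEED = b"\x05hello\x05world"


def parse_records_unsafe(data: bytes) -> list:
    """The deliberately buggy target: trusts the declared length field."""
    records = []
    i = 0
    while i < len(data):
        n = data[i]
        payload = data[i + 1 : i + 1 + n]
        # Bug: no check that n bytes are actually present. Reading the
        # "last" byte of a short payload raises IndexError, the Python
        # stand-in for the out-of-bounds read a C parser would perform.
        _last = payload[n - 1]
        records.append(payload)
        i += 1 + n
    return records


def parse_records_safe(data: bytes) -> list:
    """Hardened parser: validates the length before touching the payload."""
    records = []
    i = 0
    while i < len(data):
        n = data[i]
        if n == 0 or i + 1 + n > len(data):
            raise MalformedRecord(f"bad length {n} at offset {i}")
        records.append(data[i + 1 : i + 1 + n])
        i += 1 + n
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: flip a bit, insert a byte, or delete a byte."""
    buf = bytearray(data)
    op = rng.choice(("flip", "insert", "delete"))
    if op == "flip":
        pos = rng.randrange(len(buf))
        buf[pos] ^= 1 << rng.randrange(8)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 1:  # delete, but never shrink to an empty input
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> list:
    """Feed `iterations` mutants of `seed` to `target`; return (input, error) crashes.

    MalformedRecord is the parser rejecting input deliberately and is not a
    crash. Any other exception means the parser lost control of its input.
    """
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except MalformedRecord:
            continue
        except Exception as exc:  # noqa: BLE001 - any other failure is a finding
            crashes.append((case, f"{type(exc).__name__}: {exc}"))
    return crashes


if __name__ == "__main__":
    for name, target in (("unsafe", parse_records_unsafe), ("safe", parse_records_safe)):
        found = fuzz(target, SEED)
        print(f"{name}: {len(found)} crashing inputs")
        if found:
            print("  first crash:", found[0][0], "->", found[0][1])
```

The same loop is what production fuzzers such as AFL or libFuzzer do at scale, with coverage feedback to steer the mutations; the lesson for a developer is in the second parser: every length or count read from untrusted input is checked against what is actually in the buffer before it is used. Fixing the report is the CVE step Razvan mentions.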
Three ways to build stronger security awareness
Seeing how passionately he talks about what he does, we can’t help but feel inspired and curious to learn more from him. That’s why we asked Razvan about bypassing OSs and security systems.
Generally, you have to understand the operating system architecture and try to discover vulnerabilities. You have to ask yourself many questions (e.g. how they work, where data is stored, how you transfer files, how you keep files safe, etc.) and find answers by looking at the source code of the target operating system.
In terms of vulnerable components (hardware, software, processes) in the devices/products we use today, Razvan confirms it’s still human psychology.
“Adversaries need credentials more than malware”, as Microsoft veteran John Lambert said.
Building on this, Razvan highlights the intricate nature of penetration testing work:
The security of a system depends on its weakest component. It doesn’t matter if you have a strong password for the admin account of your web app if a vulnerable service is running on the same server, allowing me to read the file and see the password. Or if you share it on a social network.
Almost everything around us is internet-connected (i.e. IoT devices). From routers where you log in with the user “admin” and pass “admin”, to coffee makers and toasters that connect to the Internet without any security or encryption protocol.
Many times, cybercriminals exploit the technical part but also human behavior – through social engineering. Because humans are prone to errors, so are the systems we create and use every day. Therefore, a reliable security strategy doesn’t imply eliminating the risk – which is impossible to achieve – but significantly reducing it.
Case in point, here are 3 actionable recommendations Razvan suggests to help boost security awareness:
- Make sure our devices are up-to-date and that they only work when we need them to work (e.g. Do I need the internet ON when I sleep? If not, I can turn off the router), and be careful. Especially now, after one year and a half into the pandemic, working from home, with social distancing that makes us even more eager for connection.
- Watch out and avoid falling victim to phishing and vishing attacks (voice phishing – phone calls for fraud or trying to get confidential data from you such as your PIN.). If you receive an email saying you won an exclusive product or one million dollars from an African prince, know it’s not true. If it’s too good to be true, if you didn’t order it or sign up for it, it’s probably a scam or a cyber attack.
- Train yourself to detect manipulation and you’ll be able to make better use of any tech and information available.
The a-ha! moment that triggers a change in perspective and habits
This topic brings us to the current state of the workforce. We can all acknowledge that the pandemic situation forced a massive remote-work experiment, which made companies more vulnerable to cyberattacks.
That’s why we wanted to see Razvan’s perspective on how ethical hacking can help companies in this context:
Companies can ask ethical hackers to assess their remote work environment. A penetration test changes their perspective because it shows them what an organization looks like through the eyes of a malicious hacker – before they launch a cyberattack.
Ethical hackers help business owners make sure their employees use the company’s assets safely, by following basic security guidelines:
- Use a VPN to connect to the employer’s network
- Do not connect your company’s laptop to unsecured Wi-Fi networks at coffee shops or restaurants
- Install up-to-date software programs such as antivirus or antimalware on your devices, and don’t allow users without admin rights to deactivate them
- Find a safe backup solution to keep copies of your data in a different location (other than your device)
- Cover up your laptop web camera when you’re not in a video conference or online meeting.
Running a simulated phishing campaign (implemented by ethical hackers and requested by a company) is also a type of internal training that helps raise employees’ awareness about the emails they receive, how to spot spam messages, or tell the difference between an email sent by a legitimate person and a fake one, etc. We published a guide on how pentesters can roll out phishing campaigns using our platform.
If you want to start practicing what you’ve just learned from Razvan, we recommend joining the Pentest-Tools.com community on LinkedIn, where over 32,000 security pros discuss career challenges and share valuable pentesting insights, and learning from your peers. You can also subscribe to our YouTube channel for practical and helpful pentesting tutorials and demos.
Did you enjoy this insightful interview? Let us know if there’s anyone, in particular, you’d like us to talk to for this series.