
Here is how an ethical hacker works at IBM

As an ethical hacker for IBM, Charles Henderson gets paid to think like a bad guy. His job is to break into networks, applications, or physical locations to find out how a real attacker would carry out their work, uncovering errors and the effect those errors might have on an organization's security.

IBM says there has been a steady shift toward corporations appointing their own hackers to "pen-test" (penetration test) online systems, networks, and physical locations, given the increase in cyber-attacks and the need to strengthen cyber security.

In fact, Henderson is just one of the 1,000 security specialists the tech giant hired in 2015.

In a candid conversation with Business Insider, Henderson, 40, described what it is like to be a hacker for IBM.

He said he was always curious as a kid. He grew up in Austin, Texas, where he still resides and which has now become a haven for young technologists with its lively computer security scene.

Henderson attended the University of Texas and studied Computer Science.

"When I was 11, my father brought home our first computer. Within a week, I had become an active participant on the Bulletin Board Systems (BBS). Using these bulletin boards introduced me to other like-minded individuals and hackers across the world. All of a sudden the world became more accessible to me."

"I quickly decided that I was more interested in taking things apart than putting them together."
By the age of 12, Henderson started taking an interest in networks, which at that time saw the emergence of the phone system. After legally getting a phone booth in his room, he took it apart.

Today, we have websites and videos that tell us how things work and how to take them apart and put them back together. However, while Henderson was growing up, none of it existed, which is what thrilled him. With inquisitiveness triggered by the unknown, he decided to take things apart so that he could learn how they operated. He says that he would probably never have done it had there been a book on how these things worked.

"I've always been bound by ethics," he says. "That is not to say that kids don't do stupid things."

"For example, when I was in elementary school, I discovered that I could use my parents' cordless phone as a scanner to listen in on our neighbor's conversations. Did my parents love when I'd take apart their expensive electronics within just a few days of purchase? Probably not. But being a hacker, I had to know how everything worked."

Henderson says that his curiosity led him into security research and penetration testing over the last 20 years, which has helped him make his career.

About seven months ago, when he was looking to switch jobs, IBM offered him a very interesting and challenging position that he couldn't resist. He was fascinated by the wealth of information and resources available there.

For him, it has been really exciting working for IBM from the time he joined the company in October of 2015, as he gets to work with some of the largest brands in the world.

"Coming from smaller security teams, we just didn't have access to the kinds of tools we have at IBM. We often had to create ad hoc tools, which took time. At IBM, we have more firepower, thanks to tools like BlueMix and Watson, among other resources. I have access to basically anything I could ever imagine, which is really exciting for a researcher. The sky is really the limit here."

"The first thing I do every morning is catch up on what happened when I was sleeping"

"The cool thing is, since I run a global team, when I'm sleeping there are teams conducting research and working engagements with customers.

"So in the morning I start by asking, 'Did we find any critical flaws?' 'Do I need to tell a client we found a vulnerability and begin working to fix it?' From there, I am working with my team to plan penetration tests and make sure we have the resources we need to address the issues we have found. There isn't an hour that goes by that I don't find a cool, new way of doing something, which means my days are both unpredictable and exciting."
Henderson does a lot of research himself, and he likes to look at consumer electronic devices that range from planes to trains to automobiles to mobile devices. He always finds methods to break into or break apart these devices, to find new errors and vulnerabilities. He is also always interested in knowing how devices connect to one another and what vulnerabilities might surface as a result, thanks to the growth of the Internet of Things (IoT).

When not in Texas, Henderson travels the world to meet with clients, which helps him better understand their security issues and the security landscape. During these meetings, he gets to work with some of the world's biggest and most exciting companies and find out how each company handles security concerns. The companies share their needs, requirements, and the trials they face, and they work together to come up with solutions to fix them.

Sharing some examples of what Henderson and his team do, he says:

"One time, with the authorization of a previous client, I was hired to conduct a physical penetration test, which resulted in a stolen corporate vehicle filled with confidential information.

"The goal of the engagement was to have my team see how much damage we could do by using tools such as social engineering to infiltrate the client's building and see how much confidential information we could get our hands on. Turns out, we could take it a few steps further, and stole the data and then drove away with it in a company car, but of course, we had permission.

"When it comes to hacking physical locations, we typically execute what I call 'tiger teams' (think ninja style/secret ops) to break into buildings on behalf of clients, to test their physical front-door security.

"We don't use bars to get in the door; rather, we organise highly orchestrated attacks to get into client buildings by any means necessary, which often includes hacking into unsecured systems, copying employee badges, etc., with the client's prior approval."
Henderson says that the best part of his job is finding and fixing key security vulnerabilities before attackers get a chance to abuse them.

Explaining the excitement of the chase, he says that every time his team helps a client fix a major security vulnerability, it is one less possibility for a criminal to abuse, which also extends to the customers' customers, the people they do business with.

He says, "Every day I'm faced with a new brain teaser, a new challenge, and that's really exciting. The worst part about my job is telling a client they have a major vulnerability.

"Often, their initial reaction is fear, but the good news is, no matter how bad the vulnerability is, there is something we can do to fix it to protect the customer. But often, that initial delivery of bad news is difficult."

Whenever Henderson tells people what he does for a living, he is often faced with one question: "Can you hack into my bank account?" His reply is, "It depends on what bank you use."

People also ask him if he has ever done any 'spy stuff'.

Henderson says that the biggest misconception that people have about hackers is that they are all criminals. Ironically, the word 'hacker' has come to be regarded as meaning malicious computer hacking, which is why it is very necessary to understand that the word is not a synonym for criminal.

"To me, being a hacker means you have an unbridled curiosity about how things work. Whereas many people look at a new technology and think about the possibility for creation, hackers look at a new technology and want to understand how to deconstruct that technology. We have an insatiable appetite for understanding how the world works, and we take it as a personal challenge to find flaws in technology before criminals have a chance to.

"Television shows and movies depict hackers as simply knowing how to do something. In reality, hacking is about taking something apart physically or virtually and understanding the inner workings."

Explaining the difference between good hackers and bad hackers, he says that a criminal hacker is someone who abuses a vulnerability for monetary gain or hidden motives, and is not interested in helping to fix the flaw they used to gain access.

Criminals take the path of least resistance, while non-criminal hackers choose their targets based on a challenge or the learning process.

"As an ethical hacker, we are driven to understand how things work. When we find a vulnerability, we share that information and we work to responsibly disclose it and help fix the problem we found. Ethical hackers have a moral compass guiding them to help protect people from the flaws they find."

"There is also a preconceived notion of hackers that we are people who choose to hack because we are maladjusted or full of angst and anger.

"Most people assume if you're a hacker, you had no friends growing up. But honestly, hacking has nothing to do with that. There are perfectly well-adjusted hackers in the world, we're just curious people, looking for a deeper understanding of how the world works. I'm a father of two and I'm happily married.

"Also, my expertise in hacking has led me to become a world-class practical joker within my team. I think that practical jokes foster critical thinking."

Giving his advice for aspiring hackers, Henderson says that the one thing they should always do is question everything, be curious and never take anything at face value.

He adds that you should always keep sight of your ethical compass and practice responsible disclosure. It is easy to upset a promising career by doing something stupid. Ensure that you are guided by your values while you research vulnerabilities.

Always keep in mind that a company cannot protect its users from a flaw found by a hacker unless the hacker responsibly reveals it to the company, as a flaw cannot be fixed if the affected company has no knowledge of it.