Ever wondered who these ‘hush-hush’ people are that help to keep our networks safe? Here we talk to Lawrence Munro, director of SpiderLabs EMEA for Trustwave, about the role of the ‘White Hat hacker’.
IoT Now: What are you looking for, in technical expertise and temperament, when hiring a white hat hacker?
Lawrence Munro, Trustwave: We see all types of temperament among our penetration testers, but a combination of fastidious and creative is usually a recipe for success.
Technical expertise is absolutely a priority, but it needs to be coupled with self-motivation and a genuine passion. I particularly look for someone who is self-taught and has an underlying intrigue into how things are made.
I find that people who learn through doing rather than being taught tend to have a more in-depth knowledge and understanding. If someone likes taking things apart and putting them back together again to understand them in their spare time, that’s usually a good sign of having the right mindset.
IoT Now: How often do you hire white hat hackers and for how long?
Lawrence Munro: I hire them all the time and if they’re good then we’ll keep them indefinitely. When you find a talented individual you try to hang on to them, so it’s important to develop the right culture and appropriate incentives. We don’t use contractors and all our pen testers are full-time employees.
IoT Now: What types of work do they do for Trustwave? Do you do research in the Internet of Things and communications?
Lawrence Munro: Our pen testers work mostly on testing the security of web applications and network infrastructure, however, IoT and embedded systems have become a bigger focus in more recent years.
Many connected devices are known to have poor security, so my team spends a good portion of their time working on anything IoT and doing research into this area. As we’ve seen from attacks like the Mirai botnet, these vulnerabilities can have big consequences.
IoT Now: What changes have there been in recent years to the skills that you require from them?
Lawrence Munro: It is well publicised that there is a skills gap in the cyber security industry, particularly in recent years. Driving this is the fact that both the volume and sophistication of cyber attacks has increased steadily.
At the same time, businesses are simultaneously investing in technology that can lead to increased risk, such as IoT, while also facing greater scrutiny in how they protect data. As a result, security services are in high demand, but there are not enough sufficiently experienced personnel to go around.
Trustwave has seen a change in the type of client we have approaching us. It used to be mostly large enterprises with big budgets for IT. These days we are definitely seeing businesses of all sizes, including SMEs (small to medium-sized enterprises), wanting to enhance their cyber security.
IoT Now: Is it true that hackers fall into two main groups? I’ve heard it said that some are meticulous in what they do, very detailed and methodical, while others are anti-authoritarian, can’t tie their own laces but could hack the Pentagon if they wanted. Any truth in this?
Lawrence Munro: I would say the cyber security industry is as diverse as any other. We do tend to attract people with a slightly anti-authoritarian attitude (mixed with a healthy dose of paranoia), but that’s just because of the nature of the job – it’s a legal way to do what they love. Even with that kind of attitude, a meticulous approach is still vital to success.
IoT Now: What motivates these groups? Money? Peer respect? Recognition? Learning and
self-development? Something else?
Lawrence Munro: Money is often not a motivating factor, as most pen testers are paid competitively and are passionate about what they do. A big draw for these people is the culture of the organisation and buy-in to what the company’s vision is.
Respect of peers is extremely important and working with others who they also respect and can learn from will rate highly with them. If you have spoken at a well-known conference such as Defcon or 44Con in London, this will definitely earn you kudos among your peers and the hacking community.
IoT Now: What skills do you need to manage white hat hackers? How do you recruit your
Lawrence Munro: To gain your team’s respect it’s important that you have a thorough understanding of the industry and the technical nuances of hacking. The best managers have often come through the ranks of an organisation and will understand all aspects of the work.
It is important that a manager can relate to all members of his team. Often the most qualified or most technical person is brought in as a manager, but these qualities don’t always equal a good leader, it must be said!
IoT Now: How do Black Hat Hackers react to the White Hats?
Lawrence Munro: Honestly, I don’t even think they’re on their radar! The two groups will rarely come into contact with each other (except to steal tools and tactics).
However, there are far more “grey hats” around than you would perhaps expect – hackers that aren’t malicious and are not interested in money, but still tend to go places where they shouldn’t – just because they can. This group is treading a very fine line however, and there have been occasional examples of grey hats falling foul of the law.
Lawrence Munro was interviewed by Jeremy Cowan, editorial director of VanillaPlus, IoT Now & IoT Global Network