Secure IT: Profile of a White Hat hacker

Lawrence Munro of Trustwave

Ever wondered who these ‘hush-hush’ people are that help to keep our networks safe? Here we talk to Lawrence Munro, director of SpiderLabs EMEA for Trustwave, about the role of the ‘White Hat hacker’.

IoT Now: What are you looking for, in technical expertise and temperament, when hiring a white hat hacker?

Lawrence Munro, Trustwave: We see all types of temperament among our penetration testers, but a combination of fastidious and creative is usually a recipe for success.

Technical expertise is absolutely a priority, but it needs to be coupled with self-motivation and a genuine passion. I particularly look for someone who is self-taught and has an underlying intrigue into how things are made.

I find that people who learn through doing rather than being taught tend to have a more in-depth knowledge and understanding. If someone likes taking things apart and putting them back together again to understand them in their spare time, that’s usually a good sign of having the right mindset.

IoT Now: How often do you hire white hat hackers and for how long?

Lawrence Munro: I hire them all the time and if they’re good then we’ll keep them indefinitely. When you find a talented individual you try to hang on to them, so it’s important to develop the right culture and appropriate incentives. We don’t use contractors and all our pen testers are full-time employees.

IoT Now: What types of work do they do for Trustwave? Do you do research in the Internet of Things and communications?

Lawrence Munro: Our pen testers work mostly on testing the security of web applications and network infrastructure, however, IoT and embedded systems have become a bigger focus in more recent years.

Many connected devices are known to have poor security, so my team spends a good portion of their time working on anything IoT and doing research into this area. As we’ve seen from attacks like the Mirai botnet, these vulnerabilities can have big consequences.

IoT Now: What changes have there been in recent years to the skills that you require from them?

Lawrence Munro: It is well publicised that there is a skills gap in the cyber security industry, particularly in recent years. Driving this is the fact that both the volume and sophistication of cyber attacks has increased steadily.

At the same time, businesses are simultaneously investing in technology that can lead to increased risk, such as IoT, while also facing greater scrutiny in how they protect data. As a result, security services are in high demand, but there are not enough sufficiently experienced personnel to go around.

Trustwave has seen a change in the type of client we have approaching us. It used to be mostly large enterprises with big budgets for IT. These days we are definitely seeing businesses of all sizes, including SMEs (small to medium-sized enterprises), wanting to enhance their cyber security.

IoT Now: Is it true that hackers fall into two main groups? I’ve heard it said that some are meticulous in what they do, very detailed and methodical, while others are anti-authoritarian, can’t tie their own laces but could hack the Pentagon if they wanted. Any truth in this?

Lawrence Munro: I would say the cyber security industry is as diverse as any other. We do tend to attract people with a slightly anti-authoritarian attitude (mixed with a healthy dose of paranoia), but that’s just because of the nature of the job – it’s a legal way to do what they love. Even with that kind of attitude, a meticulous approach is still vital to success.

IoT Now: What motivates these groups? Money? Peer respect? Recognition? Learning and
self-development?  Something else?

Lawrence Munro: Money is often not a motivating factor, as most pen testers are paid competitively and are passionate about what they do. A big draw for these people is the culture of the organisation and buy-in to what the company’s vision is.

Respect of peers is extremely important and working with others who they also respect and can learn from will rate highly with them. If you have spoken at a well-known conference such as Defcon or 44Con in London, this will definitely earn you kudos among your peers and the hacking community.

IoT Now: What skills do you need to manage white hat hackers? How do you recruit your
management team?

Lawrence Munro: To gain your team’s respect it’s important that you have a thorough understanding of the industry and the technical nuances of hacking. The best managers have often come through the ranks of an organisation and will understand all aspects of the work.

It is important that a manager can relate to all members of his team. Often the most qualified or most technical person is brought in as a manager, but these qualities don’t always equal a good leader, it must be said!

IoT Now: How do Black Hat Hackers react to the White Hats?

Lawrence Munro: Honestly, I don’t even think they’re on their radar! The two groups will rarely come into contact with each other (except to steal tools and tactics).

However, there are far more “grey hats” around than you would perhaps expect – hackers that aren’t malicious and are not interested in money, but still tend to go places where they shouldn’t – just because they can. This group is treading a very fine line however, and there have been occasional examples of grey hats falling foul of the law.

Lawrence Munro was interviewed by Jeremy Cowan, editorial director of VanillaPlus, IoT Now & IoT Global Network

Comment on this article below or via Twitter: @IoTNow OR @jcIoTnow


9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

Fibocom: 5G AIoT Commercialized Products Handbook

Posted on: October 20, 2021

On September 6, 2021, Fibocom, together with China Mobile, China Telecom, China Unicom, Qualcomm, UNISOC, MediaTek and many IoT industry partners, officially launched the “5G AIoT Commercialized Products Handbook”, breaking the industry boundary with collective power and exploring new business value with technology integration. Now the English is available for the global readers.

Read more

The ultimate guide to IoT in Logistics

Posted on: October 20, 2021

Welcome to The World of Logistics! By 2030, IoT in Logistics is predicted to be worth more than $100 million. To help our logistics customers get an understanding of what they need to know to succeed with IoT, we’ve created a unique Nomadic Device guide that outlines how to achieve quick time to value. We’ll

Read more