Huw Evans has led security initiatives at IT Weapons for more than 15 years. He is an expert in the latest information security methods, which include penetration testing and vulnerability assessments. Besides creating the security consulting practice, Huw is responsible for internal security at ITW. This includes policies, procedures, technologies, and change management.
When he’s not busy protecting clients and eliminating security threats, Evans is an amateur actor. This artistic flair is an instrumental part of his skill set, especially when trying to anticipate human behaviour.
We recently sat down with Huw to find out how his decades of experience in information security services enable him to hack into client systems to find and fix vulnerabilities.
Q: What is ethical hacking, and how is it different from malicious hacking?
A: When people ask me this question, I always say, “That’s simple: The difference between a regular hacker and an ethical hacker is the ethical hacker asks permission first.” But in terms of toolset and capabilities, they are pretty much the same.
Q: Are there different types of ethical hacking?
A: I don’t know if there are different types of ethical hacking, but there are different hacking exercises.
For example, there is technology hacking where you’re trying to break the technology. Then there are things such as social engineering where you’re trying to fool someone into giving up information, such as pretending to be from IT and asking for a username and password to fix an issue.
Then there are red and blue security teams, which take very different approaches to safeguarding company data and systems.
The red team (attack): They start with an objective, which could be to get into a system and see if they can become an administrator. The red team will attack a specific company and do their best to avoid detection. They will keep going through the system until they reach that capture the flag scenario and meet their objective.
The blue team (protect): Essentially, the blue team is the security operations center. They look at ongoing attacks, making sure nothing is getting through. The blue team monitors security systems to make sure everything is functioning correctly, and in some cases, they do threat hunting and actively look for threats within the organization.
Q: What are the main benefits of employing an ethical hacker?
A: The key benefit to ethical hacking is identifying and remediating flaws in your network before a hacker can compromise your organization. This practice has the added benefit of helping you understand your attackers to better frame your defences.
Q: Are there any drawbacks to ethical hacking?
A: I would say one of the main drawbacks is the potential for a false sense of security. Once a company fixes all of the issues an ethical hacker finds during penetration testing or other security assessments, they may feel the company is completely protected. However, the whole landscape could change in an instant, so it’s important to stay vigilant.
Ethical hacking is much like running a background check. Just because the person doesn’t have a criminal record today doesn’t mean they won’t rob a bank tomorrow. Similarly, if an ethical hacker only finds four security issues, that doesn’t mean you only had four things wrong.
When you pay an ethical hacker to do something, they’re only going to spend a certain amount of time on it. If you have a set budget, you’re only going to pay the hacker to attack for so long.
A malicious hacker has no time frame, so they can keep pounding away. Getting in is how they make their money, so they’ll spend as much time as they need to if there’s enough in there of value to warrant the effort.
Q: Surely there are security risks when you hire an ethical hacker?
A: The biggest risk is always, how ethical is your ethical hacker? You have to know who you’re hiring. There is always a risk when you give access to your internal systems, so you really need to do your homework about the type of organization that you’re hiring.
Make sure they are properly vetted. Like the background check analogy, the vetting might not mean much. Still, you need to do something to make sure the people you hire are on the up and up.
Q: How about legal implications?
A: The actions we take as ethical hackers are technically illegal. However, because the company asked us to do them before a malicious hacker does, we are covered from a legal standpoint.
Although it may be legal, you still need to make sure the right people are informed of the project. I have heard of instances where a hacker was hired to do a job but then the parent company had them arrested.
In this case, an ethical hacker was hired by a local government to physically breach a municipal building. It turned out that an umbrella corporation hired them to break in, but the building owner took it personally and had the hackers arrested.
Although they were never convicted, those people will never work as ethical hackers again. Just the accusation is enough to keep them from getting hired.
Q: How has ethical hacking changed since you got started?
A: Since I started roughly 20 years ago, the whole landscape has changed. Today’s ethical hackers have to do so much more.
The first viruses I can remember were boot-level viruses, meaning they infected the computer but they didn’t take effect until you rebooted the machine. But these early viruses were easy to find and therefore easy to fix.
When I took my ethical hacking courses, we learned things such as how to embed malicious code into a delivery vehicle such as Elf Bowling (an early video game).
Today’s attacks are much more complex — for example, drive-by infections. Here, cybercriminals infect ads that display on websites. When you browse to that site, the ad infects your machine — no clicking required.
We’re also seeing fewer attempts to infect machines. Instead, hackers want access to business systems. Once they gain entry, the malicious code will sit there and wait, and wait, and wait. Meanwhile, the hackers are quietly discovering everything they can about the environment and coming up with a malicious attack plan that will do the most damage.
Q: Do you think data is more or less secure than it was five years ago?
A: Both. Today’s attackers are much more sophisticated, but I think people’s understanding of what it takes to secure data is better today than it ever has been.
There is one caveat: People don’t protect their personal data to the same extent as they protect business data. Many people are just willing to give away their privacy to big companies without considering what that means in terms of protecting their identity and personal data.
Q: Looking ahead five years, what do you predict will be the biggest data security threat to businesses?
A: Quantum computing is a real threat to a lot of the security algorithms we use today. For example, we currently use 256-bit AES encryption on SSL certificates to secure most of the traffic that goes across the internet. A quantum computer would completely nullify that encryption.
Let’s say someone encrypted and stored an entire conversation. Once quantum computing goes mainstream, someone could easily decrypt that conversation and any data paths in between. It really is incumbent on people to start looking at quantum-ready encrypting and find ways to implement it. It’s vitally important over the next few years to start using quantum-safe encryption algorithms.
Q: Switching gears to your personal experiences working as an ethical hacker, what skills do you need to be an ethical hacker?
A: The No. 1 skill is curiosity. When you look at something, it’s not enough to know how it works. Hackers need to go further and ask, “What happens to it if I do this?”
Ethical hackers also need a good understanding of how a lot of different technologies work. You can’t be just a Windows person or just a Linux person. You have to understand how file systems in general work, how computing in general works, and you have to have knowledge about why you’re doing the exercise.
For general red teaming and attacking, the more of this stuff you understand, the better, but at a minimum, you need a natural curiosity, scripting skills, and a working knowledge of a lot of different IT tools and technologies.
Q: What’s your favourite hacking technique?
A: The timing-based ones are usually the most interesting. For example, there was a case at the Woodbine Racetrack where someone found a problem with a timing system. He was then able to place bets after the races were over. He knew who won, and because of the timing issue, he was able to put in a winning ticket.
The only reason he got caught is that he got greedy.
Q: What’s the most common vulnerability you’ve come across?
A: Missing patches is the vulnerability we see most often. It encompasses a lot of different security weaknesses, but the fix is always the same: Patch your systems. The vendors often fix those vulnerabilities over time, but IT generally doesn’t do a good enough job keeping up.
Q: What is the most surprising vulnerability you’ve encountered?
A: I can’t believe that people are still running Windows NT and Windows 2000 servers. Windows 2000 has been out of support for close to 15 years, and it’s been 20 years since Windows NT was considered out of support. And yet, every now and then, we still see someone running those old Windows NT Service Pack 6 systems. They can be compromised in two seconds.
Q: What is the most severe vulnerability you’ve uncovered?
A: There are a lot of really serious vulnerabilities out there that will give you access to things. But something major I’ve seen — though technically not a vulnerability — is someone inadvertently published a list of usernames and passwords to the internet. To me, these types of events are the most severe because they are completely preventable.
Q: Based on your experience as an ethical hacker with IT Weapons, what advice would you like to pass along to IT security (blue) teams?
A: My best advice is to arm yourself with knowledge. That includes constant vulnerability scans and making sure that the users you support are aware of security. The more information you have, the better job you can do.
Security is not a function of IT and it’s not a function of the security team. Security is everybody’s responsibility. It only takes one person to make a mistake. It doesn’t matter how much work the security team has done, it’s all going to fall apart at that point.
At IT Weapons, we believe knowledge is power. Get more expert insight into securing your company’s data, applications, and systems when you download our e-book, Cyber Security 101: Keeping Hackers Out and Your Data In.