Last time, I had the opportunity to talk with software tester Claire Reckless. Testing an application’s security and functionality is a vital cybersecurity role that people often don’t think about.
This time, I had the honor of speaking with Chrissy Morgan. Chrissy is a protector of the protectors by day and a crazy scientist by night!
Kim Crawley: Hi, Chrissy. Please tell me about what you do.
Chrissy Morgan: I work within internal and operational security for a close protection firm. In my spare time, like tonight, I am working towards being a security researcher.
KC: How did you get into cybersecurity in the first place?
CM: I’ve always enjoyed fixing things and figuring stuff out since I was a kid. I’ve been playing around with tech since the early 90s. I taught myself to code and was a bit of a gamer. Then when I left school, I undertook a modern apprenticeship with a large pharmaceutical firm. This then led to learning different skill sets, such as help desk duties, database administration, website development and networking.
I worked in and around many security-driven environments after that, so I guess it left its mark. Whilst undertaking my training as a close protection officer, I realized there was a niche for technical operations, so whilst working as CP, in my downtime whilst off ops I would be undertaking short taskings for companies within the security sector within a technical remit, such as OSINT. As I could see a need for further development within the industry, I decided to go and get qualified in information security. There was a need for security both on and offline within the sector. I now have a master’s in advanced security and digital forensics after going back to university.
KC: What were some of your first programming languages?
CM: My first-ever programming language was BASIC. Then they taught us PASCAL for some reason at college, and I haven’t used that since. I moved to web-based technologies pretty quickly and enjoyed that element mostly during my younger years.
KC: As a security researcher, do you ever investigate some of the more widely reported cyber attacks?
CM: Yes. However, my interest is mainly within high tech crimes and crimes committed through the use of hardware exploitation in some way.
KC: Are untouched default settings still a vulnerability you frequently see?
CM: Possibly. Yes, dependent on the product, but a lot of the systems I see are running outdated firmware also.
KC: Is legacy hardware and software more commonly deployed than one might assume, and is that a significant security risk?
CM: Yes. So, for example, in some of my investigations, I have found access control systems with firmware dating back to 2011. These are control systems that operate door and alarm controllers… for schools. You would think that the physical security in such an area would be kept updated, but unfortunately, this isn’t always the case. If one was to use Shodan, it wouldn’t take very long to find legacy systems out there.
KC: Is Shodan an important resource in your line of work?
CM: I prefer to just get hands-on with products and take a look for myself.
I’m currently setting up a test environment, starting out with the access control software. This can be done quite easily with a virtual machine setup. That way, you can legally investigate and get more hands-on. Anything hardware-based I will try to buy myself and figure out what it is doing by the use of the manuals. The FCC website is quite handy for radio frequency-based devices; it provides pictures and model numbers produced by the manufacturer.
From that, you can figure out a fair bit to find out what would be the best thing to look at. Another thing I will do is actually get out of the house and look at the world around me, go for a drive and see what devices are being used and where. I have an insight into the physical security realm having undertaken protection duties, so looking into alarm systems and the like is an interest of mine alongside SDR, etc.
KC: Has sexism been a hurdle in your industry?
CM: No, I have always worked in and around male-dominated environments. If someone has an issue with my gender, that’s on them. I just crack on and let my work do the talking.
KC: What are some misconceptions about what you do?
CM: There isn’t really. I don’t talk about my work much in terms of what I do for a living, and people respect that. When it comes to my research, the community and the people I speak to are pretty switched on about it. I guess my friends outside the industry do wonder and have their own version. As soon as you mention the word ‘hacking,’ they expect it to be something nefarious. Parents’ evening is always a joy when you speak with the teachers and they want to know what you do for a living. My kids are pretty involved within the scene and have undertaken their own exploration within research, so I sometimes have some explaining to do when speaking to teachers.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.