Last week, I had the pleasure of talking to Tripwire’s own marketing specialist, Cindy Valladares. Marketing fits a valuable and overlooked need in the cybersecurity field. Cindy’s creative talent for bringing out the best in people helps Tripwire shine in this industry.
This time, I got to chat with pen testing whiz Leanne Williams. Enjoy!
Kim Crawley: What is your role in cybersecurity and how did you get into it?
Leanne Williams: I guess I'm just your average delivery penetration tester! I do the bread-and-butter stuff that most client-facing pen testers do, from web apps, to Windows networks, to the boring audit stuff. I guess the thing I wake up in the morning for, though, is to do the creative side of offensive security. I love red teaming, social engineering, and malware (like really putting yourself in the character of a villain, I guess I have a nasty streak deep down inside somewhere.) I love to learn new things, too, so I think the work suits me pretty well!
As for how I got into the business, I think I'm fairly atypical in that I wasn't really a teenage hacker like you hear in the stories. I only really learned how to program in university during a summer, and I found the penetration testing team through work in UK national security. My journey up to that point was far from straightforward, though. I've had a pretty heavy academic background, and I've always loved to throw myself into things that seem like a huge challenge at the time. I started off with a financial math degree, believe it or not, then scientific computing on GPU, then computational neuroscience research, (I LOVE brains!) and finally to consulting for a well-known defense contractor. A pretty messy and chaotic path, but looking back, I've enjoyed it immensely.
KC: What are some misconceptions people have about penetration testing? People who have never done it often assume that all you do is configure and run network vulnerability scanner applications, but I know there's a lot more to it than that.
LW: Ah yes, just pointing and running a scanner is known as a Vulnerability Assessment.
Really interesting engagements that offer really valuable lessons for clients (and their blue teams) are the ones where you allow a penetration testing team to bring their passion and technical skills out. These are open-scoped engagements where thought is put into how an organization is going to be attacked, and you give your tester an engagement or a mission based on that. For example, this could involve a spear phishing engagement with real malware, getting domain admin (and control of the entire global infrastructure) from an employee desk, or a social engineering engagement to steal some customer data. Notice that all of these scenarios actually happen to companies when they are targeted by the bad guys every day. Wouldn't you rather learn where your company fails under attack by a trusted professional? Penetration tests can also be collaborative with the blue team of the client organization. In these instances, I really love the opportunity to geek out and teach, and in my experience, the blue team likes to learn about the offensive mindset. Value all around!
I think the type of engagement all depends on the penetration testing team, the global location and culture, and what the manager of the pen test team sells to clients. I hear that the UK is particularly bad for vulnerability assessments, partly because of attempts to implement a policy to standardize cybersecurity across government departments, leading to things like the infamous IT Health Check. (Which is essentially just a vulnerability assessment with a different name.) Ultimately, what the client wants is what you deliver, but I personally believe that telling a client what they need to test their security is part of the service. As penetration testers, we should be experts and professionals, and we know that an enterprise scanner is cheaper than our time, so it's up to the management to sell what the client really needs. Creativity and expertise, not checked boxes.
KC: Has anything you've learned in computational neuroscience ever helped you in cybersecurity?
LW: Haha! Well not really, other than the fact that I now dream in Python! But I guess that my life in university made me who I am today.
I think all computing can learn a lot from brains. Don’t be fooled by current machine learning/deep learning. Human brains are impossibly fault tolerant, efficient, and flexible, and one of the most complex structures in the known universe. Your brain contains approx 100 billion neurons, which are basically tiny complex computing devices. We can barely simulate an entire human brain on the most powerful super computer in the world, and yet your brain runs on the energy contained within just one banana per day. Brains are fault tolerant; you can get drunk, bump your head, or even have a stroke, and they still don’t stop working. They even have the capacity to reorganize and heal themselves over time. Perhaps one of the most interesting aspects for infosec is that a brain is a natural correlation and anomaly detector. It builds an internal representation of the world it observes over time, and the activity lights up like a Christmas tree when it observes something out of the ordinary. It learns almost immediately from this error signal. Forget millions of examples in modern machine learning. The brain has plenty to give if we can figure out how it does what it does!
KC: Excellent. Do you have anything else to add before we go?
LW: Lots of exciting things are happening at the moment. I’ve just come back from Blackhoodie in Heidelberg. It’s a beginner reverse engineering and infosec course for women by women, and it was genuinely really inspiring, I cannot recommend it enough! Look it up and attend. Also, I’m sure they would appreciate me saying that they are also calling for papers for November in Berlin! Everyone was really passionate and eager to learn, and the atmosphere was such that no one was scared to ask questions and get involved. I’ll definitely be getting into the grubby machine code more in the future.
In the next few months, I’m off to Singapore to penetration test across the Asia-Pacific region. I’m really excited; it'll definitely be a new chapter in my career. One thing I would say to people starting out in infosec is that the global mobility opportunities are incredible. If you like to see the world and travel, there’s no better field right now for you.
KC: Excellent! Thanks for chatting with me, Leanne.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
