Adam Myers
Hello and welcome to our podcast Tales from the CyberLab. My name’s Adam, I’m the Sales Director here at CyberLab and I’ll be your host for today. Joining me today is Tom Unsworth, who’s an ethical hacker here at CyberLab. Tom, can you just explain a little bit about your role and what you do on a day-to-day basis?
Tom Unsworth
Yeah, so I’m a Security Consultant at CyberLab and my job is to perform penetration testing against a range of different technologies.
Adam Myers
Pretty cool. And he’s even brought his own laptop here just to sort of make sure he is putting us under pressure, spooking us a little bit. Other guests don’t bring laptops, so let’s see what we get into. But hopefully some good ideas that you’ve got around some of the questions we’re going to pose to you. So the first question, Tom, can you walk us through what your day-to-day looks like as a Security Consultant here at CyberLab?
Tom Unsworth
Yeah, so I think the best way to explain what we do is to give you a little run-through of what a typical project would look like, because the days vary slightly. So when we start an engagement, we get given a scope that we need to read and understand. Essentially, for people who don’t know, that’s the rules of what we’re allowed to do, what we’re allowed to access, and it allows us to hack applications without deviating from that and breaking the Computer Misuse Act.
So it’s what we’ve got permission to do. So once we’ve read and understood that, we then would check our access to the environment and then let the client know we’re starting. Then the fun part starts where we start hacking. We will look for vulnerabilities and then we will risk rate them.
This sort of goes from informational, which is something that we want the client to know about but doesn’t pose any threat, all the way up through low, medium, high and then critical. And your highs and criticals are really important to get fixed in a timely manner. You’d want them fixed ASAP.
Adam Myers
Do you do them straight away? So you’ve spotted a big red flag and it says, right, this is a serious potential risk or vulnerability. Are you communicating to the client there and then to say, look, jump on this now, mid-pen test, to maybe stop this from getting worse?
Tom Unsworth
Yeah, typically if we find a high rated vulnerability or a critical, we will let the client know immediately and then we normally like to hear confirmation back that they’ve received it. If we send an email, we don’t want that to get lost.
So if we don’t hear back saying, yep, we’ve got that, thanks for letting us know, we’ll go further and call up if we’ve got that sort of information to go inside them.
Adam Myers
And that’s quite unique, I think, in what we offer as a pen testing service. Because you’re remediating whilst on the job, as such, so it’s stopping it at source, but also you’re not then having to go and do that as an action afterwards, which might cost you more time or eat into your budget. So I think that’s quite good that you offer that there and then, don’t you, and the communication between the test team, yourself and the customer is quite good at that stage to get things actioned.
Tom Unsworth
Typically we try and keep the environment as unchanged as possible. So when we find issues rated up to medium, we try to keep those from being remediated while we’re testing, because we don’t want new vulnerabilities to be introduced. When we’ve tested a part of an application, for example, we won’t necessarily go back and test it, unless it’s high or critical, and then it’s really important to do that. So once we’ve found our vulnerabilities, we then write up a report, which is arguably the most important part of the job because that’s the deliverable that the client gets. Then once we’ve sent that over, we’ll have a wash-up call with the client; if there are any questions, we can provide clarity, essentially.
Adam Myers
And they might do that after a major project change or when they’ve introduced new technology. How often would you recommend maybe doing a pen test? I think that’s probably where you would consider it, but do you do regular testing windows maybe as well for customers?
Tom Unsworth
Yeah, so I guess it sort of depends, but we would typically do a pen test if there’s been some changes to an application or if it’s a complete new product is another big one. And sometimes we can do sort of, oh gee, I don’t want to say that. Well I was about to say, sorry, I’ll cut that back. Sorry, lost my train of thought there. Can we start again with that
Adam Myers
Question? I can ask that question again. Yeah, so what did I ask? Let me remember. I went with, so typically would you maybe do a pen test after major project change or maybe you’ve introduced a new technology into the business. Is that when you would maybe recommend that customers should take out a pen test for you guys?
Tom Unsworth
Yeah, typically if they’ve made a new application or they’ve made some changes to an already existing application, they want reassurance that they’ve followed the best practises and not got vulnerabilities that could be exploited.
Adam Myers
It’s a second set of eyes, isn’t it on? You might deliver a project yourself internally. And then it’s kind of getting people like yourself to come in and I guess say yes, rubber stamp it, everything’s good from a compliance perspective, but also there’s no backdoors into maybe creative vulnerability yourself by delivering that project.
Tom Unsworth
Yeah, I agree. It’s definitely a big part of compliance and also I think just peace of mind that you believe your app is in the best security posture is very important.
Adam Myers
And then just as well, as part of your role. So what I see from working on the board here, and all the exams you have to do and everything, and I guess you’re governed heavily by CREST & CHECK as well, there’s a lot that you need to undertake to become an ethical hacker or a pen tester, isn’t there?
So you’ll be constantly doing exams to show that you are demonstrating you’re a credible person that has access to what can be quite sensitive information.
Tom Unsworth
Yeah, there’s a lot of certifications in the cyber industry. I think it’s easy to get caught in the footprints of ‘which ones do I need’. The ones that we really like at CyberLab are the team leader and team member. For the member, it’s a mixture of web and infrastructure testing, and then for the team leader it’s more specialised into either web or infrastructure.
But we also have a really talented pen test team here. A lot of the guys go above and beyond that into red teaming certifications.
Adam Myers
We’ll cover that in a second because that’s quite an interesting part. But I think just for our audience, if anyone is looking to become a pen tester, I do really, when I go and do maybe some talks, see a lot of people get quite excited about that as a career path.
So feel free to reach out to myself and Tom and we can help you on that journey if you’re looking to see how you can get into ethical hacking and penetration testing. Brilliant. So topic number two. So what are some of the most common vulnerabilities you’re seeing in web applications today?
Tom Unsworth
So for this question, I want to talk about the OWASP Top 10. So this is essentially a project that aims to categorise the top 10 most common vulnerabilities in different types of applications. So we have separate lists for API, web applications, mobile applications, and they’ve recently brought out an LLM.
Yeah, category. So the very common one that we see in pretty much every engagement we do is vulnerable third-party components, because these are really hard to keep up to date if you’ve got a wide range of technologies on your apps.
Adam Myers
So is that something that AI has kind of introduced to us? I guess, obviously, AI is a hot topic at the moment, but is that something that you are now seeing is evolving, I guess?
Tom Unsworth
Yeah, so for me personally, I would say the biggest shift I’ve seen so far has been towards the cloud and the technologies that you can use there. In terms of AI, the new OWASP Top 10 for LLMs is sort of listing the different vulnerabilities.
So I think the number one is prompt injection. I’ve not seen too much of that yet, but I really enjoy AI, I think we all do. And so I think that would be really interesting to get some more applications that are implementing it as that becomes more widely available, which we know is happening.
Adam Myers
I guess the shift to the cloud, probably what, five or 10 years ago, everyone kind of made that, and it kind of created a new ecosystem within itself, didn’t it? And we were kind of having to test things in a slightly different way.
I can kind of foresee in the next five years, especially the adoption of AI and the vulnerabilities that will pose and things even from a data privacy perspective and what that Copilot might have access to now and sensitive company information. There’s a lot of maybe testing that could maybe go down that rabbit hole a little bit.
Tom Unsworth
Yeah, I think you’re absolutely right. So the shift we saw with cloud, we’re going to have a similar adaption with LLMs probably.
Adam Myers
Amazing. Yeah, brilliant. Some hot topics there for us to review. I think getting good insider information here, which is great. So third question, can you share a real life example of vulnerabilities that you’ve discovered and how it was resolved?
Tom Unsworth
So this is a vulnerability that I really sort of jumped out of my seat about when I found it.
Adam Myers
This is why the laptop’s here, I feel like, isn’t it?
Tom Unsworth
So this is a vulnerability. It’s called request smuggling…
Adam Myers
…nice. Catchy name!
Tom Unsworth
Yeah! Essentially what you are trying to do when you perform a request smuggling attack is confuse either a frontend server or a backend server about how long the body of a request is. So if I can confuse the server into thinking that my request has ended, but I’ve actually got a little bit extra on the end, because of the way that the servers interact with each other, I can potentially trick the backend server into thinking the bottom of my request is the top of the next person’s request.
And that essentially allows you to perform actions on behalf of another user. And the thing I really found amazing about the vulnerability was that when I found it, it was completely unauthenticated. So anyone going to that website, which was a publicly facing website, could access it and then affect other users.
What I did think was really good about the way that we communicated this issue with the client was that initially, on the application I was testing, there was no severe impact from this vulnerability. And so it was coming out at probably a medium, and I still decided to contact the client about it, because even though it’s not a high or critical, I thought that it had the potential to be a high or a critical if we chained it with another vulnerability.
So what we ended up doing was I asked them if I could test it in the authentication part of the application, but this was out of scope, that’s why I asked. And they said, well, this is our production authentication application, so we don’t want you to mess with that, but we’ll spin up a staging environment for you to test it in.
So about 45 minutes later they said, please, can you go test it on this application? And I guess the same developers are going to use the same technologies, because that’s what they’re good at using, and it was also vulnerable. And the way that this worked was you would authenticate on one application, then you’d be redirected to the other application that I was testing. So what I could do was redirect to a different website that wasn’t their application.
So essentially, now chaining these two vulnerabilities together as an unauthenticated user, I could send a normal request to the server, but add this part to the other request, which then redirected them to a malicious site. And so that bumped the severity up massively. We let them know about it and they were really grateful that we’d been able to demonstrate it in a visual way.
I recorded a video of myself attacking myself, and then that led to quite a good change on their end. So they were in the process of migrating away from that authentication endpoint and they bumped that to the top of their queue. So they remediated the issue essentially by just not using it and moving to a different authentication.
Adam Myers
What an answer for the techies out there, and for the techies out there, I’m sure you will love that. So yeah, thank you Tom. That’s brilliant, yeah, good. I think you’ve shone a light a little bit on the potential path that you go down on a day-to-day. So brilliant there. Thank you. Brilliant. So I guess, Tom, how can a company get the most out of their pen test?
Tom Unsworth
Yeah, so the first thing that I would say you want to nail when getting a pen test is having the access set up and ready to go for the start. Even a couple of days prior doesn’t hurt, in case you run into issues; it just means you don’t eat into any of your testing time.
And then another recommendation would be ideally don’t test in prod – use some kind of pre-production environment. It gives the tester the freedom to test without the potential to damage real customer data, which when it comes to our job, that’s the worst thing that you can do. So yeah, pre-production environment that isn’t connected to production.
Adam Myers
And I guess at the start with pen tests, what I see often is some customers are kind of, on the Monday when it starts, it seems like they’re then kind of actioning that and getting ahead with their admin and getting things sorted.
But I really like what you’re saying there. If they would just maybe do that at the back end of the week before, it just means in that testing window you’re getting the full week of people like yourself, hands on keyboard type thing, as opposed to trying to prepare then, in that time that’s been eaten up by, you know.
Tom Unsworth
Yeah, exactly. And if you’ve run into an issue halfway through the week, it’s not quite as bad because we can catch up on our reporting, whereas if it’s on the Monday, we’ve got nothing to write up at that point. So you’re just eating into your testing time. So yeah, it’s definitely
Adam Myers
And just something on that because what I see is that often it’s quite a difficult window to always get the test window when you want it as a customer as well. So we see from a sales perspective and an account management perspective is maybe purchasing in bulk days that works really well.
So we can maybe set testing windows for you as a client to say the third week of the month will be a five-day testing window for this customer, and for them, they just then know that it’s in and we can kind of just schedule that throughout the year, which is keeping you in sort of a rhythm and a sequence, and then you guys are kind of prepared for that environment as well.
So just something to factor in as opposed to trying to rush late on to get something through. I think just prepare with those bulk days does really help customers.
Tom Unsworth
Yeah, it definitely helps us to schedule it in early and have the exact date that you’ve got; it’s good. So another point that I think is worth mentioning is, if your application’s quite complicated, I think it’s really good to demonstrate how to use it to the tester, because essentially if we’re only looking at it sometimes even just for a few days, if it’s complicated, we are trying to understand how it works and how it interacts with other parts of the application.
And it’s difficult to do that while also trying to essentially break it. So if we understand how it works from a short demo, it can save us a lot of time in the scheme of things.
Adam Myers
So we do that as sort of a pre-scoping call, don’t we, here at CyberLab, so that we’ll kind of get a walkthrough of the application, because a lot of these are bespoke applications as well that you’ve probably at times never seen before.
Tom Unsworth
Yeah.
Adam Myers
But that also brings a whole world of vulnerabilities as well potentially because it might have been built in-house, for example, and you are getting used to it, but also it might have a lot of exposure that they’re not aware of.
Tom Unsworth
As well. Yeah, I would say the majority of the applications we test are built in-house, yeah.
Adam Myers
If we were to ask that question, maybe from a red team engagement, maybe goal-orientated, and you’re probably trying to do a bit of social engineering as well, so is there anything you can recommend in terms of red team engagement and how we can maybe set that up?
Tom Unsworth
That’s actually a tough question. So from my perspective, I’ve not done the… red teaming is not my specialty. I think it’s an interesting conversation to have, but I don’t know how it would sort of work from a red team perspective.
Perhaps it could be sort of after a certain period of time you give them some assets or something. This is what we manage, I dunno. Yeah,
Adam Myers
We could also do things like tabletop exercise as well, which is quite good where we can maybe do some of those social engineering campaigns through phishing simulation and trials. I think that always goes down pretty well with some of our key customers.
Just trying to stay ahead of the threat curve, I guess. It’s evolving, it’s constantly changing. So with threats I guess evolving so quickly, how do you and your team stay ahead? So how do you know what’s coming and how do you prepare for the latest threats?
Tom Unsworth
Yeah, so as I mentioned earlier, we’re encouraged to take those professional titles, ‘team leader’, ‘team member’. A lot of the team are really interested in red teaming. So they’ve gone and got red team qualifications, and then essentially pen testing.
It involves being quite good at a large range of technologies and understanding how they work, how to exploit them. And I think initially when you get into pen testing, there’s a massive time investment that you need to put in to understand how to attack these applications. So what we are quite lucky to have at CyberLab is quite a big team.
And so what that allows us to do is have web specialists who go down the rabbit hole on web app testing, same for mobile, same for thick client, Active Directory, etc. And so it means that I don’t have to stay up to date on, for example, Active Directory, because that job’s going to be given to one of my colleagues and I’ll focus in on the mobile applications.
Adam Myers
So it’s specialisms kind of within the team as well, and you’ll work together as sort of part of a wider team to keep ahead of the curve in terms of what could come down the line.
Tom Unsworth
Yeah.
Adam Myers
I’d love to know. It can be good. The Teams chat must be really interesting when it’s like, I found something new, this is happening. It must be quite an interesting way of research and discovery.
Tom Unsworth
Something that’s just come out last night is James Kettle’s call for the end of HTTP/1. So he’s just shared his latest research on request smuggling.
As you can tell, I’m quite interested in that type of vulnerability, and why he thinks that we need to get rid of HTTP/1. So that’s something I just shared with the guys earlier.
Adam Myers
Yeah, brilliant. Nice. Very, very interesting. And equally, some of our audience may have been to SecureTour; they might have seen the live hack, for example. People like Tom and Alex join us at SecureTour. You were in Manchester, weren’t you?
So if anybody does want to come to any of our events, I think it’s brilliant to meet you in person, get a grasp of what you are seeing. And equally, if any customers would like to join a call, we can pull in Tom, Alex, other people to support you with any questions that you might have as well. So feel free to use this knowledge, but it’s been really interesting.
Brilliant. I guess if I was to wrap things up and say, what is one takeaway you could say for our audience from this podcast that they should be looking at in terms of pen testing and maybe down the line?
Tom Unsworth
Yeah, so the cliché answer here is to say invest in training your people. Because whenever we look at the news, it’s always ‘they got in through attacking your people’, but I don’t want to give you that answer. So what I was going to say is, potentially, with using third-party services, you open yourself up to vulnerabilities that you might not even be aware of.
I think it’s becoming quite well known that it’s really important that your third parties are secure. If I was just to mention the research that I was talking about earlier from James Kettle, they found a vulnerability in a content delivery network that affected 25 million websites.
And essentially all those customers are, well for a long time, were unaware that they were vulnerable until the security researchers found this vulnerability. So I think, if you can avoid third parties and overcomplicating your applications, I think that’s a great place to be.
Adam Myers
Keep things simple, if you can.
And train your people. So we offer a phishing simulation through our CyberLab Control platform, which I think is brilliant. Again, the live hack that we perform, if anyone wants us to come in and do that with their people, that’d be great. But probably sometimes it’s like training fatigue, isn’t it?
We all maybe have introduced cyber security training, but it’s kind of this thing we have to do once a month and it can become a little bit of, I’ve just got to tick this box, where really the human element is huge, isn’t it, in terms of stopping potentially these attacks unfolding. So really good.
So that concludes this episode of Tales from the CyberLab.
Join us next time. Until then, Stay Secure.