Security tester - Sherlock Holmes of the IT industry

2019-05-23 - Author: DSwiss

Tobias Ospelt (29) works at modzero AG as a security consultant and security tester.

What is your main task as a security tester?

I test software and hardware for companies: First, I gather information about the product and read up on the subject. After the research, I look for vulnerabilities and risks that were not considered when designing the product. I also run countless tests and observe how the system responds to my inputs and commands. In the next step, I then want to find out what reasons there might be for anomalies, where the weak points are and how they can be exploited.

What happens after testing?

As a rule, improvements are made to close the security gaps in the program. IT systems are usually very modular, which means that faulty parts can usually be replaced. If we discover gross design errors during the development of an application, customers sometimes decide to rebuild the program again.

How do hackers exploit security vulnerabilities on websites?

The attackers send commands to the website and watch how it responds. This process usually takes not minutes, but rather days. The attackers' commands can generate error messages and provide information about where the requests are answered and what software is used, among other things. Thus, the hackers analyze the behavior of the website. In certain cases, for example, the hackers manage to send specific strings, which gives them a database error as a response. In these cases, the attackers know that the input has made it to the system's database unfiltered, communicating with the heart of the system, so to speak. When the hackers finally send commands customized to the database and they are executed, the system is cracked. In these cases, the attackers receive the desired data in response to their requests - and no error message. The consequence of this error can be, in the worst case, that the data of all users can be read or manipulated.
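The answer above describes the database-error signal: input that reaches the database unfiltered turns a stray character into a database error, and a raw error message tells the sender that it did. The following is an added example written for this page, not code from the interviewee or from modzero. It builds a constructed in-memory SQLite table with two made-up users and places the vulnerable query construction (string concatenation) beside the hardened one (a bound parameter), then shows the error-handling side: the application logs database errors internally and returns only a generic message to the client. All table, column and user names are assumptions chosen for the example.

```python
import logging
import sqlite3

logger = logging.getLogger(__name__)


def make_db():
    """Constructed sample data for the example (not from the interview)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable form: the caller's input is spliced into the SQL text, so a
    quote character in the input changes the statement instead of the value."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the input is handed to the driver as a bound value and
    is never interpreted as part of the statement."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def probe(fn, conn, name):
    """Classify what a caller would observe: ('ok', rows) or ('db_error', msg).
    The 'db_error' outcome is the signal the interview describes, reached here
    only with the concatenated query."""
    try:
        return ("ok", fn(conn, name))
    except sqlite3.Error as exc:
        return ("db_error", str(exc))


def handle_lookup(conn, name):
    """Application boundary: use the parameterized query and, should the
    database still raise, log the detail server side and return a generic
    message so the raw error never reaches the client."""
    try:
        return {"status": "ok", "rows": lookup_parameterized(conn, name)}
    except sqlite3.Error as exc:
        logger.error("database error during user lookup: %s", exc)
        return {"status": "error", "message": "request could not be processed"}


if __name__ == "__main__":
    db = make_db()
    # A single stray quote is enough to show the difference between the two forms.
    print(probe(lookup_concatenated, db, "alice'"))   # ('db_error', ...)
    print(probe(lookup_parameterized, db, "alice'"))  # ('ok', [])
    print(handle_lookup(db, "bob"))
```

Run against the same input, the concatenated query fails with a database error while the parameterized one simply finds no user with that name; the same bound-parameter pattern applies to other database drivers, and the generic client response is what keeps the error from becoming a signal in the first place.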

Are companies or private individuals more likely to be the focus of hackers today?

Financial interests are often at the forefront of attacks. The attackers want to obtain money - from whom or how is secondary. Both private individuals and companies are therefore at risk. Proof of this is the "Locky" malware, which has been in circulation for several months. The malware encrypts data - such as text files - on the victim's computer. Only when you pay the blackmailer a ransom do you get the key to release the data again. It is therefore very important to take the issue of security seriously, both in the company and privately.

What specific precautions need to be taken?

A good list can be found, for example, at the Federal Office for Information Security (BSI). In general, one should increase awareness of legitimate and non-legitimate content, not run unknown programs, perform regular software updates and use adblockers. For companies in particular, there are numerous other aspects to consider. Here, the IT department takes care of the technical issues.

How do you assess the threat situation in the future?

The "Internet of Things" will certainly pose a major challenge. This refers to devices that are connected to the Internet but often have little power. These devices are referred to as "embedded devices". A lot of work has to be done to develop these devices safely. In addition, specific know-how is required. Whether this is available at a manufacturer who, for example, has been building refrigerators for 20 years is questionable. Often, the time until market launch is calculated too short, which is why the devices are full of bugs and offer countless attack surfaces. Often, there is not even an update mechanism available, which means that no important software updates can be made if a bug has been identified in the product.

How do you manage to stay up to date with this rapid development?

In the beginning, you learn a lot from books. Today, however, information from the Internet usually helps me - from white papers from universities to blog posts that address current attacks. There is also a lively exchange between security testers and special security conferences with presentations on current topics.