KPMG’s Kamil Fedorko explains why logic is so important in a security role and how those outside the industry can begin an infosec career.
Born in Poland and raised in Sligo, Kamil Fedorko has always had a deep interest in IT.
While completing his degree at Institute of Technology Sligo (now known as Atlantic Technological University), he worked on the development of a security information and event management (SIEM) solution for a local start-up company.
He then moved on to creating security testing pipelines within Azure and AWS ecosystems. Now, he works as a senior cybersecurity consultant for KPMG.
‘As a cybersecurity professional, we can’t become complacent’
– KAMIL FEDORKO
If there is such a thing, can you describe a typical day in the job?
I wake up at 7.30am. I make a mental list of all things that I have to do today and proceed to read global news followed by cybersecurity blogs and a lot of Twitter.
Around 8.40am I bring my coffee into the office and turn on both of my laptops. I have two laptops as one is for use within the KPMG ecosystem and the other for engagements. That way any malware I reverse-engineer, any forensic artefacts or exploits I’m currently working on won’t interfere with our internal policies.
9.00am is my focus time. I try not to hold any work meetings during this hour as I like to work through my e-mails and the previous tasks that I need to continue from the previous day. At the moment, I’m working on attack emulation paths, where we design the most likely attack path that a malicious actor might take.
At 10am I have my first team meeting, which lasts 25 minutes. We discuss the deliverables that are meant to be handed off by the end of the week. I dedicate the next two hours for non-technical work unless an engagement requires that.
At 12pm is when I start preparing all my environments for the after-lunch technical crunch. Today, for instance, I have been tasked with conducting a red teaming engagement. I start off by creating a fake identity online and proceed to start the reconnaissance.
After lunch, I add the members of the company on LinkedIn in order to have a deeper look into their organisational structure. I follow this with scraping all previous and current IT engineering or application development jobs that were advertised.
Having spent two hours enumerating all of the publicly available information on the company, I have identified the skillset of their cybersecurity team members based on their LinkedIn profiles and Twitter posts.
Now having a lot of the passive information, I’d like to see what endpoints are visible from the internet and what management portals are exposed.
At 5pm I save all my findings and proceed with documenting all of the findings into a draft skeleton report so I have less work the next morning. I clock off at half past the hour and continue onto my dinner.
What types of cybersecurity project do you work on?
While working for KPMG, one aspect is very evident and that is the lack of labelling and pigeon-holing. This possibility has allowed me to move from being a penetration tester and a DevSecOps engineer to becoming an incident responder and a forensic investigator.
I love doing threat emulation and red teaming engagements but most recently I have been really enjoying the investigative aspect of incidents involving a breached environment.
It’s extremely rewarding when you can figure out to the command level what an attacker had done and how they gained a foothold within a company’s systems.
What skills do you use on a daily basis that are specifically helpful in cybersecurity?
As someone who has been exposed to different layers of IT within an enterprise, I think one of the most used skills is logic. Having the ability to logically split a problem into smaller chunks and tackle them individually provides me with the ability to always see the bigger picture.
Understanding how programming logic works in the back-end without reading code is a huge asset when testing or defending enterprise applications and environments.
What are the biggest challenges when working in cybersecurity?
I think one of the biggest unspoken challenges is the constantly evolving threat landscape. As someone who has been passionate about security for more than a decade, I can safely say that comparing cybersecurity 10 years ago to today is like comparing the industrial ages to modern times.
10 years ago we were all working on a completely different technological stack whereas today this stack has been expanded like never before – from monolith self-hosted applications to agile microservices that are running serverless.
As a cybersecurity professional, we can’t become complacent and each of us always works two jobs. One is the primary job title and position we fill; the other is of a cybersecurity researcher.
Do you have any productivity tips that help you through the day?
While it may not work for everyone, I love to listen to music while I work. I know a lot of people love to work in silence, but there is nothing better than turning stress and panic into motivation with your favourite songs.
How has this role changed as the cybersecurity sector has grown and evolved?
Everyone knows how quickly the IT landscape changes; we can look no further than our pockets and reminisce about how a phone from 10 years ago differs from a phone of 2022. The same goes for cybersecurity. While the awareness is still sub-optimal, I think that we are on the right track.
The cybersecurity threat landscape has evolved from threat actors hosting their botnets on IRC servers to hosting command and control ecosystems within the deep web.
This constant change signifies the importance of adaptability of a cyber consultant or engineer. We have to not only understand concepts of newest attacks, we also have to be able to execute them in order to test the defence systems or to understand what fingerprints might be left behind.
Each new iteration of improved methodology or procedures aims to reduce the time of delivery. With that in mind, ease of use versus operational security is at the forefront of most IT firms.
What do you enjoy most about working in cybersecurity?
I think it’s the way each day that passes by differs from the last 365 days. No one project is the same, all incidents and penetration testing engagements are different. This means that no day of work feels like part of the routine. I’d find it impossible to be bored working in cybersecurity!
What advice would you give to someone who wants to work in cybersecurity?
If you are looking to move into cybersecurity from another field of work, see how you can implement cybersecurity into your current role.
Take that software engineer job and own it from the security point of view. Take that network engineering role and focus on developing your network security and network architecture skillset.
Keep up to date with the latest articles and interviews from cybersecurity professionals – including Silicon Republic! Hard work and a true passion for cybersecurity will get you there.