Andrew Cushen tells SiliconRepublic.com about the communication and tech skills he uses every day as an ‘ethical hacker’ with Stryve.
Put simply, Andrew Cushen hacks companies’ networks all day long. The 22-year-old from Wexford works as a penetration tester – also known as a white-hat hacker – for Carlow-based company Stryve. Unlike cybercriminals – black-hat hackers – Cushen’s hacking has a positive purpose; he does it to find and flag security vulnerabilities for Stryve’s clients so that they can protect their systems from cyberattacks.
“My job is to ensure that the ‘good guys’ uncover any cybersecurity vulnerabilities in their clients’ systems first. This allows companies to stay one step ahead of cybercriminals and protect the sensitive and valuable data of their customers,” says Cushen.
As most people know from news stories like the HSE cyberattack and even the MOVEit attack in recent weeks, cybercriminals are prolific and they can strike anyone at any time – and SMEs are not immune. (Stryve’s CEO Andrew Tobin told SiliconRepublic.com in 2021 that he was “inundated with business enquiries” after the HSE attack.)
Unfortunately for Stryve’s clients, Cushen says he is yet to be involved in a pen-testing case where he hasn’t found anything. “In fact, the return rate on an issue is 100pc. There is always something to find in an application, whether it be a pretty severe problem that needs to be addressed immediately or a small discrepancy that needs to be straightened out.”
He adds that the issues he and his colleagues find “really depend on the nature of the application, but they’re mainly issues with the application flow, improper or dangerous use of user input and authentication or authorisation bypasses”.
Curiosity for cybersecurity
Cushen finds his job very rewarding, and it sates his natural curiosity. His interest in tech stems from his dad, who worked as a pen tester when Cushen was a child. Inspired to follow in his dad’s footsteps, he studied computer forensics and security at Waterford IT before going on to do an internship and accepting his current job.
“Pen testing is all about gaining a deep understanding of what a particular application is doing and how it functions in order to find weaknesses in the way it works,” he explains. “I love finding out how applications work down to the smallest details. Playing around with the functionality until something clicks and I’ve found a way to break or exploit it.”
That said, sometimes his curiosity can be a hindrance. Cushen admits one of his biggest challenges in the job is avoiding the temptation to go down rabbit holes. “You need to be very curious to do this job and always question everything you find. ‘Why does this happen when I do this?’, ‘What happens if I give the application something it doesn’t expect?’, ‘Why does this payload cause an error, but that one doesn’t?’”
He says that curiosity is “crucial to testing, but a consequence is the possibility of digging deeper and deeper into a particular area of the application only to find nothing wrong.” But on the majority of occasions when there is something wrong, the pen testers are there to take note of it.
“We once found a very clever way to accept requests for a fund transfer on behalf of an arbitrary user, effectively making it possible to steal from anyone’s account,” Cushen recalls. “That was a really cool one to see in the wild with a very interesting way of exploiting it.”
His curiosity is an asset to him when it comes to learning the technical skills he requires for the role. He has to analyse web requests and responses via a proxy to see how web apps function in the background. That involves a bit of playing around and experimentation. He also has to be proficient in terminal environments, which involves manipulating different tools and scripts to carry out scans and refine the output from them.
“Knowing how to find these tools and scripts is also a vital but often overlooked skill, especially in this profession,” Cushen says. “Nobody on the planet knows every single tool, payload and method to find or exploit a vulnerability, but knowing how and where to find them is just as important.”
‘It’s nothing like the movies…’
When SiliconRepublic.com asks him if there are any misconceptions about his job he’d like to clear up, he says, “It’s nothing like the movies. It’s never flashing 1s and 0s on a screen and someone typing a million things at once. It’s a very slow process and it requires a lot of patience and attention to detail. We might stare at the same piece of information and try the same thing a little bit differently each time to see what happens.
“There can be a lot of possible options for exploiting just one page on a website, and it’s our job to analyse each function to figure out how it works and if it’s vulnerable.”
There is also quite a lot of planning and deliberation involved in the pen-testing process. It’s a professional service performed for clients, so it cannot be like the dramatised version we see on screens. A typical day during an engagement usually consists of collaborating with his colleagues to decide on vulnerabilities. “We delegate different areas amongst each other and get to work testing different methods of exploitation against the application in an attempt to break it or elicit unusual behaviour that the developers haven’t anticipated,” Cushen says.
“Communication, both written and verbal, is essential to doing this job. Before beginning a pen test, we need to understand the client’s needs and define what exactly they want to test and why,” he explains, adding that the consultation at the start ultimately decides the scope for testing.
Towards the end of an engagement, the team needs to deliver a report that is “digestible by everyone from the tech-savvy to the C-suite executives who will be receiving it.”
“This means we need to describe our findings in terms of the impact to the business and its customers, and in technical terms which describe the exact function or misconfiguration within the web app that allowed for the particular vulnerability to be exploited.”
Trust nobody to avoid being the next news story
Already in his short career, Cushen has become wise to many of the nefarious tactics employed by cybercriminals, but he knows that he and his fellow cybersecurity professionals always have more to learn. The most important thing to do, he recommends, is to adopt “a zero-trust mindset”.
“I feel like people don’t quite understand the fact that there’s an entire industry dedicated to hacking businesses to make money. The hackers working in these industries spend all day every day looking for their next target, and there’s nothing to say there’s not someone or even a whole team looking at your website right now trying to hack it. Maybe they already have,” he warns.
“Don’t be the next news story. As soon as your website goes online, you instantly become a target. As soon as you’re exposed to the internet, a hacker can and will find you.”