[Interview] Chris John Riley – ‘The Änal Security Guy’
For our second ever interviewee we have Chris John Riley, the ‘Änal Security Guy’. Chris was born in the UK and now lives in Austria. He has been in the IT industry for over 13 years and currently works as an IT Security Analyst, doing penetration testing both internally and for external clients.
Questions:
How did you get started in information security?
Well, I’ve always been interested in security I guess. Although I always used to think of it as an unhealthy interest in how things really worked under the hood. I’ve broken my fair share of systems by being too curious what would happen if I just changed or deleted this or that file. Then again, who hasn’t done that once in a while.
I guess the real turning point was while I was working in Munich, Germany. An interesting project came across my desk that really seemed interesting to me. The project was a simple one: install and configure an Intrusion Detection System to protect an external server farm, and schedule regular vulnerability scans. But to tell you the truth, the project wasn’t really what made me want to do security, it was the response from the management after the project was finished. I sat down with one of the bosses and started to go through one of the vulnerability reports I’d run. Lots of red and yellow alerts, and things to change. His response was that the IDS and scans were simply a contract requirement to win a customer bid, and nobody had the time or interest in changing things. We’d ticked the box that said we have IDS and run regular scans, project done, please move on.
As you can imagine this didn’t sit too well, but there wasn’t much I could do at the time. I was still learning German and couldn’t rock the boat. So, moving on, I tried to work security into the next couple of projects and found it increasingly hard to get the point across that security should be built in at the ground level and not just ignored. Well, to cut a long story short, I asked for 4 weeks’ leave to attend some training (self-funded, naturally) and it was turned down. At that point I decided I’d be better off moving on and finding a position that supported security and didn’t punish it. So I handed in my notice, did my training and made the move to Austria to be with my girlfriend.
After a few months of sitting in front of a computer screen, self-training and reading books, I was lucky enough to interview for an IT Security Analyst position at a large financial institution here in Austria. They took me on as part of their CERT team and ever since then I’ve been working as a penetration tester and Security Analyst. It’s been a little under 18 months since then, and I feel I’ve learnt a lot. Then again, I’ve still got a lot to learn as well, which is good. Learning something new is always a good thing.
You have attended most security conferences in existence this year, which for you was the best? And why?
Well, I wouldn’t say I’ve been at every conference, but this year has been a lot about travelling and attending conferences. I managed to get out to Blackhat and Defcon in the US this year, which really gave me a new perspective on the large US conferences and how they differ from the European events. Each event brings something special and different, but most of all they gave me the chance to put faces to the people I talk with online all the time through my blog and Twitter. Despite how good all the other conferences have been this year, I’d have to say that the FIRST conference in Kyoto, Japan was the best conference this year. As a big Otaku (Anime fan), just getting to visit Japan was a great experience. I also got to talk and hang out with lots of bright people, like Andreas Schuster, Martin McKeay, Jonathon Ham, and Sherri Davidoff.
I’d say Defcon comes a close second. Despite the fact there were far too many people, and I didn’t get to see more than a handful of talks, I got to meet and hang out with some really interesting people. There are lots of stories, but you’ll have to get me drunk at a conference to get me to talk about them.
Will you be attending FIRST or Defcon next year?
Currently things are up in the air about FIRST 2010. I attended last year through my company, and next year it’s somebody else’s turn to attend. Saying that, I’m hoping the people behind FIRST will let me attend as press, as I’d love the chance to blog and podcast from the Miami event next year. As for Defcon, I’ll be there for sure. I met lots of great people last time, and next year will be just as good, I’m sure. I’ll know what to expect next time as well.
What’s the hacking scene like in Austria?
Austria isn’t really known as the number one hacking location in the world, and especially around where I live (the middle of the middle of nowhere) you’ll be more likely to meet a farmer than a computer specialist. In Vienna there is a relatively good scene, with the guys behind the Metalab hackerspace putting on some small events. There are also a couple of small conferences that take place in Austria (PlumberCON, Deepsec, and IT-SecX are the ones that I know of). The scene is still growing here though, as universities are now offering specialised IT Security degrees. So who knows what will happen in a few years. I’m still hoping to bring back the OWASP Vienna chapter, but getting the time to get things off paper and into a real-life meeting is tricky.
What are your opinions on Ethical Hacking degrees in the UK?
I’ve spoken to a few people who’ve attended some of the Ethical Hacking style degrees from UK and Scottish universities. To be honest, although I see the benefit behind them, I can also see a number of drawbacks. Personally I spent almost 10 years working in desktop, server and comms support before moving into security. I use those skills every day in my job and couldn’t imagine being able to do my job without that knowledge to back things up. Learning about ethical hacking is a good thing, but the people taking these courses need to know that it’s not the final destination when it comes to being a penetration tester or security analyst. I think that some universities are taking advantage of the hype surrounding hacking and security, and what comes out the other end might not be what the industry really needs right now. You can know every tool in Backtrack back to front, but without knowing how an Active Directory domain works, I wouldn’t want that person testing a network. I’m sure that over the next few years we’ll have a better overview of what these courses are really teaching people. I know SANS have teamed up with a couple of universities to offer training as part of degrees, and I really hope that takes off, as the SANS training is usually very well designed and taught.
Do you have any advice for someone who wants to get started in information security?
Like I said before, it’s not all about learning to hack. I’d rather work with somebody who knows how SSL works than somebody who has a CEH certificate. Then again, that could just be my poor opinion of the CEH qualification. Spend some time learning Windows, Linux and OSX, and play with them in a lab. Don’t just limit yourself to learning how to hack things. Learn how to configure a web server, a domain, or a MySQL database. Learn how to script and work with Linux commands to achieve your goals. Without knowing how to configure a server correctly, you won’t know how to take advantage of misconfiguration. Also, when it comes to reporting, you won’t know why you could gain access or how to describe a solution to your client. The report is the most important part of the test. If you can’t articulate the how and the why, then there isn’t any point in doing the test. You can’t just put up a picture of you as Domain Admin and call it a day anymore. Customers are demanding real information and real solutions. It’s easy for people to think it’s all about exploitation, but that’s really only a small part of the job. You have to be well rounded, otherwise it’s going to be a steep learning curve once you finally land that dream job.
Are you currently working on any projects?
I’ve been working on a few projects on and off in the last year, but time is a real issue for me right now. I’m currently studying for a couple of SANS exams, as well as blogging and working on some Metasploit stuff when I get the chance. I’m always learning something new, so I guess right now I’m the project. I’ve always been a firm believer that you should learn something new every day. Once you stop learning, it’s time to move on to something else.
Thank you Chris!
Thanks for asking me, it’s been a pleasure.
______________________________________
Chris’s blog: http://www.c22.cc/
Follow Chris on Twitter: http://www.twitter.com/ChrisJohnRiley
One Response to “[Interview] Chris John Riley – ‘The Änal Security Guy’”
Interviews and podcasts « Ramblings of the änal security guy said...
[...] comments on conferences, ethical hacking courses and general stuff, pop over to his blog and take a look. While you’re there, make sure to take a peek at his excellent DVWA (Damn Vulnerable Web [...]