Hackers are conventionally divided into “white” and “black”: the first legally check IT systems, the second break into them to steal information. Forbes spoke to Paula Januszkiewicz, one of the “white” hackers who created her own cybersecurity company — CQURE.
Aleksandr Baulin, Forbes: What’s your day like? Do you come to the office every day and work until the evening? Or can you choose the time and place to work?
Paula Januszkiewicz, CQURE: I would like to choose a place to work, but I can’t. Technically it’s possible, but my role in the company requires my physical presence at the customer’s. Therefore, I am always on the road, I visit different countries. To conduct an internal pentest, you have to come to the customer. An external pentest can be carried out even from a beach.
How do you conduct a pentest (a test of an IT system’s security against unauthorized intrusions)? Do you choose the time for cyberattacks? Or can you test the company anytime and anywhere? Is testing an exclusively technical issue?
In the end, it all comes down to technology, but there are nuances. For example, if a client does not work at night, that will be the best time to conduct a test. When we do remote pentests for companies from the US, we can work throughout their night, because it’s daytime in Europe, and that’s fine. As a rule, we prefer a normal working day — it’s easier and everyone is happy. We do not like to work all night, but it happens.
Often we test a copy of a site or service. For example, recently we did a pentest of customer applications for a bank. We had to work with a copy of the system, because the site had huge traffic. And if there are problems with the test, this will negatively affect the bank’s image.
Do you have customers who ask you to make real pentests in real time?
Yes, of course. Sometimes we do it on a normal working day. The client is warned about it and is “on standby”. If something happens, we immediately get in touch; they are waiting for us to call and sort out the situation. Once, when testing in real time, we “dropped” the site, because the server could not cope with so many requests at once. By the way, it was one of the companies cooperating with Russian enterprises in the oil industry. The customer was shocked; they didn’t understand how this could happen. Anything can happen. Our goal is not to “break” the site, but to show its weak points, vulnerable to attack.
Do you always need to carry out both tests, the internal and the external one?
It depends on the circumstances. Some customers do not want to do a penetration test from within the company: “No, no, because you can hack us.” And we think: “My God, what’s the point of doing a pentest?” In such cases, we do only an external test. Personally, I don’t think it’s the right approach: why not do an internal test if you are doing an external one? We try to explain it, but…
How to become a hacker
When did you become interested in this profession?
I have always worked in the field of security, but I became who I am today gradually. I was responsible for the security of the school network when I was 17. I did not really understand what I was doing, but I really wanted to do Information Security Engineering. I was trying to find my own way. You see, when you’re 17 years old, it is difficult to understand what is worth doing and what is not. There is only what you want to do. But whether the choice was good for my future… I didn’t know it back then.
And we don’t know what will happen to us tomorrow.
What is the first operating system you hacked into? OK, tested for vulnerabilities.
There were two of them — Windows and Linux.
“Windows was the first system I hacked.” This would be a good headline…
At that time, Windows and Linux used different security systems. It was the time of “NT 4.0” [a Windows operating system, released in 1996 — Forbes]. Back then everyone knew that if you did not change a certain parameter, the computer would be hacked. Finding vulnerabilities was easier. Now hacker attacks have taught us to defend ourselves, so we are in a somewhat better position.
Which OS is better and safer: Windows, MacOS, Linux?
In the end, the most important thing is what the system means to the business. The most used operating system is Windows, we all know it. For Mac and Linux, there is ransomware, too. It just gets into the system differently. The difference is in the availability of solutions. The question is whether there are companies that can protect your system. It is not necessary to create a real threat to information security, but checking the security infrastructure will improve that security and minimize the risk of penetration into your systems.
What can you say about the level of security of B2B systems in the world? Are they ready for cyberattacks?
Absolutely every time we make a pentest, we get into the system, we crack it. You can hack anyone.
And this is not surprising. There’s not enough education on that matter. Adequate training for security professionals simply does not exist. Of course, there are some courses, trainings and so on, but even if you pay for university, there is no direct road to cybersecurity. Besides, not everyone can afford to study, and how can you become a good specialist without the right education?
But no one will give you education for free, because this is very specific knowledge. It’s a niche. The Financial Times predicts that by 2019 the world will need 6 million information security specialists, but at current growth rates, the market will only have approximately 4 to 5 million experts available. So for the guys who will be on the market, the situation is wonderful. Everybody needs them. And they will need them even more, but this, of course, is an unhealthy situation. The world needs more experts.
So cybersecurity engineer is the profession of the future?
Then what is the best way to learn it if the universities do not prepare you properly? Online courses?
There are many free resources, but of course systematized knowledge is preferable. There are many different online courses. They are not expensive. But the problem is that they teach you more about hacking techniques. And these are the so-called “cheap tricks”. And besides, they train you in not very realistic environments. In my opinion, the best way is to independently train specialists. And this, for example, is what our team is doing.
We do this because we have a shortage of employees. There are more and more projects, and we keep postponing them because there is no time. We hire people with a good approach to work. This is enough to get amazing results. Everything else will follow. We test them in different directions, we send them to our engineers, we often take them to our master classes, and then we perform tests again — they should develop. These students have the opportunity to travel. Or, for example, when we hold a five-day master class, a new employee can become an additional participant.
A good option for young people is to get into a company like ours. But in the security sector, you need to make serious investments in order to later provide a fantastic service. Therefore, payment may look different, but it’s normal. We train on a contract basis, with a guarantee fee. Later, you will return the money for training, but you will have the opportunity for 2-3 years to work in a good team, to take trainings, to receive useful tools and knowledge, to see real environments, to help the team whenever possible. At the same time, we take a deposit for tuition. And this is the only possible option, in my opinion.
We cannot invest in an employee, and risk that they will later say: “Okay, thank you, goodbye.” To keep a person in the company, you need to educate them, help them form the most valuable skills and have them stay. But this is only my opinion.
How many people are working in your company today?
It depends on how you count. We have 20 people in-house and 36 contractors. But the contractors work for us a few weeks every month. So it’s almost like a full-time job.
And how many young employees?
About 30, so about half. We train these people, because some of them have absolutely no experience.
Do you hire them right after the university?
Yes. And it’s terrible. Because up to a certain point it is not clear who you are dealing with. It looks alright, and then… The younger generation has a terrible reputation, and we are not very happy about it. Therefore, we choose only those who fit into the team. We made a mistake twice.
Do you have employees from Russia?
Not yet. But we are now opening up to new markets, because we see the potential there. So, who knows, maybe we will have someone from Russia on our team.
We hear almost every day about cyberattacks involving Russian hackers. Russians allegedly attacked Trump, Yahoo… Are Russian hackers really so clever and in demand as outsourcers? Or is it just labels and media misconceptions?
No, this is true. You have a high level of knowledge in this field. Many hackers are indeed from Russia. I think — but it’s only my opinion — that the difficulties people living in remote cities have in finding employment contribute to this. They find it easier to find a remote job than an office one: you can be a developer, or you can be a pentester. This position allows you to work remotely from anywhere, because security is important to so many. If you want to work as a consultant, you will have to travel or relocate to Moscow, Krasnodar, St. Petersburg and other cities where customers’ companies are located.
We see this situation in many countries. For example, in Romania there is a fairly remote city of Cluj — this is the place of developers and security experts. In our country there is something like that. Oh my God! It is fantastic. You can work from anywhere in the world. In general, according to statistics, people from Russia have a high level of intelligence and analytical thinking. Russians are great fellows.
The “dark side” hackers — are they good?
Both “dark side” and “bright side”. The thing is that if you have high qualifications, you can earn more money. And then the ethical issues are of great importance. These two factors determine the choice: if a person sees a potential income and does not have problems with ethical principles, then there are two paths open to him.
You are a founder and owner of a company. Why did you become a member of the Microsoft MVP program? Does this not impose any obligations on you? What kind of benefits do you have from it?
I participated in various public projects — from sending out presentations and research on the results of conferences to various master classes and organizing events. For example, I organized Woman in Technology Park, now I do not have time for that. Then it went into speaking at conferences and preparing articles for blogs — it can be done remotely.
Thanks to the status of MVP [assigned to outstanding IT professionals who make an intellectual contribution to the development of technical communities — Forbes] and participation in security programs, I have access to the source code of Windows. It’s not 100% of the code, of course. I received it during the release of Windows XP, that is, about 8 or 9 years ago. Perhaps this gives my company more advantages, because we can always test our hypotheses, while other experts have a harder time. This is the most pleasant thing.
Imagine that all cybersecurity problems get magically solved. What would you do?
I’d chill on a beach. But seriously — an interesting question. What would be my second profession? Most likely, I would continue to work in IT. But, if absolutely all the problems in IT were solved, I would probably turn to mathematics, because it is an analytical and strict science. Most likely, I would be selling something somewhere, doing transactions, because I like mathematics. Somewhere on Wall Street.