Get to know the life of an ethical hacker at IBM
As an ethical hacker for IBM, Charles Henderson gets paid to think like a bad guy. His job is to break into networks, applications, or physical locations to find out how a real attacker would carry out their work, uncovering errors and the effect those errors might have on an organization’s security.
IBM says that there has been a continuous change in corporations appointing their own hackers to “pen-test” (penetration test) online systems, networks, and physical locations, considering the increase in cyber-attacks and the need to strengthen cybersecurity.
In fact, Henderson is just one of the 1,000 security specialists the tech giant hired in 2015.
In a candid conversation with Business Insider, Henderson, 40, described what is like to be a hacker for IBM.
He said he has always been curious as a kid. He grew up in Austin, Texas where he still resides has now become a haven for young technologists with its lively computer security scene. Henderson attended the University of Texas and studied Computer Science.
“When I was 11, my father brought home our first computer. Within a week, I had become an active participant on the Bulletin Board Systems (BBS). Using these bulletin boards introduced me to other like-minded individuals and hackers across the world. All of a sudden the world became more accessible to me.”
“I quickly decided that I was more interested in taking things apart than putting them together.”
By the age of 12, Henderson started taking interest in networks, which at that saw the emergence of phone system. After legally getting a phone booth in his room, he took it apart. Today, we have websites and videos that tell us how things work and how to take them apart and put them back together. However, while Henderson was growing up, none of it existed, which is what thrilled him. With inquisitiveness triggered by the unknown, he decided to take things apart so that he could learn how they operated. He says that he would have probably never done it, had there been a book on how these things worked.
“I’ve always been bound by ethics,” he says. “That is not to say that kids don’t do stupid things.”
“For example, when I was in elementary school, I discovered that I could use my parent’s cordless phone as a scanner to listen in on our neighbor’s conversations. Did my parents love when I’d take apart their expensive electronics within just a few days of purchase? Probably not. But being a hacker, I had to know how everything worked.”
Henderson says that his curiosity led him into security research and penetration testing over the last 20 years, which has helped him make his career.
About seven months ago, when he was looking to switch jobs, IBM offered him a very interesting and challenging position that he couldn’t resist. He was fascinated to the wealth of information and resources available here.
For him, it has been really exciting working for IBM from the time he joined the company in October of 2015, as he gets to work with some of the largest brands in the world.
“Coming from smaller security teams, we just didn’t have access to the kinds of tools we have at IBM. We often had to create adhoc tools, which took time. At IBM, we have more firepower, thanks to tools like BlueMix and Watson, among other resources. I have access to basically anything I could ever imagine — which is really exciting for a researcher. The sky is really the limit here.”
“The first thing I do every morning is catch up on what happened when I was sleeping”
“The cool thing is, since I run a global team, when I’m sleeping there are teams conducting research and working engagements with customers.
“So in the morning I start by asking, ‘Did we find any critical flaws?’ ‘Do I need to tell a client we found a vulnerability and begin working to fix it?’ From there, I am working with my team to plan penetration tests and make sure we have the resources we need to address the issues we have found. There isn’t an hour that goes by that I don’t find a cool, new way of doing something, which means my days are both unpredictable and exciting.
While Henderson does a lot of research himself, he does like to look at consumer electronic devices that range from planes to trains to automobiles to mobile devices. He always find methods to break into or break apart these devices, to find new errors and susceptibilities. Also, he is always interested in knowing how devices connect to one another and what vulnerabilities might surface as a result. Thanks, to the growth of the Internet of Things (IoT).
Henderson travels the world to meet with clients when not in Texas, in order to help him better understand their security issues and the security landscape. During these meetings, he gets to work with some of the world’s biggest and most exciting companies that help him find out how their company handles security concerns. While the companies share their needs, requirements, and the trials they face, they work together to come up with solutions to fix them.
Sharing some examples of what Henderson and his team does, he says:
“One time, with the authorization of a previous client, I was hired to conduct a physical penetration test, which resulted in a stolen corporate vehicle filled with confidential information.
“The goal of the engagement was to have my team see how much damage we could do by using tools such as social engineering to infiltrate the client’s building and see how much confidential information we could get our hands on. Turns out, we could take it a few steps further, and stole the data and then drove away with it in a company car — but of course, we had permission.
“When it comes to hacking physical locations, we typically execute what I call ‘tiger teams’ (think ninja style/secret ops) to break into buildings on behalf of clients, to test their physical front-door security.
“We don’t use bars to get in the door — rather, we organise highly orchestrated attacks to get into client buildings by any means necessary, which often includes hacking into unsecured systems, copying employee badges, etc., with the client’s prior approval.”
Henderson says that the best part of his job is to find and fix key security susceptibility before attackers get a chance to abuse it.
Explaining the excitement of the chase, it is one less possibility for a criminal to abuse every time they help a client fix major security vulnerability, which also extends to the customers’ customers, the people they do business with.
He says, “Every day I’m faced with a new brain teaser, a new challenge, and that’s really exciting. The worst part about my job is telling a client they have a major vulnerability.
“Often, their initial reaction is fear, but the good news is, no matter how bad the vulnerability is, there is something we can do to fix it to protect the customer. But often, that initial delivery of bad news is difficult.”
Whenever Henderson tells people what he does for a living, he is often faced with one question which is “Can you hack into my bank account?”
To which his reply to the question would be, “It depends on what bank you use.”
He is also asked by people if he has ever done any ‘spy stuff”.
Henderson says that the biggest misconception that people have about hackers is that they are all criminals. Ironically, the word ‘hacker’ has been regarded as malicious computer hacking, which is why it very necessary to understand that the word is not a synonym for criminal.
“To me, being a hacker means you have an unbridled curiosity about how things work. Whereas many people look at a new technology and think about the possibility for creation, hackers look at a new technology and want to understand how to deconstruct that technology. We have an insatiable appetite for understanding how the world works — and we take it as a personal challenge to find flaws in technology before criminals have a chance to.
“Television shows and movies depict hackers as simply knowing how to do something. In reality, hacking is about taking something apart physically or virtually and understanding the inner workings.”
Explaining the difference between good hackers and bad hackers, he says that a criminal hacker is someone who abuses susceptibility for monetary gain or hidden motives, and is not interested in helping to fix the flaw they used to gain access. Criminals take the path of least resistance, while non-criminal hackers choose their targets based on a challenge or the learning process.
“As an ethical hacker, we are driven to understand how things work. When we find a vulnerability, we share that information and we work to responsibly disclose it and help fix the problem we found. Ethical hackers have a moral compass guiding them to help protect people from the flaws they find.”
“There is also a preconceived notion of hackers that we are people who choose to hack because we are maladjusted or full of angst and anger.
“Most people assume if you’re hacker, you had no friends growing up. But honestly, hacking has nothing to do with that. There are perfectly well-adjusted hackers in the world, we’re just curious people, looking for a deeper understanding of how the world works. I’m a father of two and I’m happily married.
“Also, my expertise in hacking has lead me to become a world-class practical joker within my team. I think that practical jokes foster critical thinking.”
Giving his piece of advice for aspiring hackers, Henderson says that the one thing they should always do is to question everything, be curious and never take anything at face value.
He further adds on to say that you should always keep sight of your ethical compass and practice responsible disclosure. It is easy to upset a promising career by doing something stupid. Ensure that you are guided by your values while you research vulnerabilities. Always keep in mind that a company cannot protect their users from a flaw found by a hacker unless they responsibly reveal it to the company, as a flaw cannot be fixed if the affected company has no knowledge about it.