Today we have one of the experienced information security professional with us having rich experience in Penetration Testing and Entrepreneurship. She has Founded Shevirah Inc and Bulb Security LLC. She has also written some best selling books on Penetration Testing and holding awards for her excellence. So let’s have a look on the interview our team had with Ms. Georgia Weidman.
Hackers Interview: Hello Ms. Georgia, please introduce yourself to our readers.
Georgia Weidman: I am a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. I hold a MS in computer science as well as holding CISSP, CEH, and OSCP certifications. My work in the field of smartphone exploitation has been featured internationally in print and on television. I have presented or conducted training around the world including venues such as NSA, West Point, and Black Hat. I founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. I was awarded a DARPA Cyber Fast Track grant to continue my work in mobile device security culminating in the release of the open source project the Smartphone Pentest Framework (SPF). I founded Shevirah Inc. to create product solutions for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions, and I am a graduate of the Mach37 cybersecurity accelerator. I am the author of Penetration Testing: A Hands-On Introduction to Hacking from No Starch Press. She was the recipient of the 2015 Women’s Society of CyberJutsu Pentest Ninja award. I am on the board of advisors of the angel backed security training startup Cybrary, an Adjunct Professor at the University of Maryland University College, a member of the CyberWatch Center’s National Visiting Committee, and served as a judge for the FTC’s 2017 Home Inspector IoT security challenge. I am also a mentor and occasionally an angel investor in cybersecurity startups.
Hackers Interview: Why you’ve decided to pursue Ethical hacking or Penetration Testing as your career option?
Georgia Weidman: In graduate school I was a member of the Cyber Defense Club. We competed in the Mid-Atlantic Collegiate Cyber Defense Competition hosted by the CyberWatch Center. As part of the competition, we played the blue team, charged with keeping a mock business network up and running while under active attack from a red team. I found myself completely fascinated with how the red team members (who were professional penetration testers by day) were able to break into my systems and send me messages. By the end of the competition I knew I wanted to be like them.
Hackers Interview: How you had started your journey in cyber world?
Georgia Weidman: Out of graduate school I was recruited into one of the United States three letter agencies to do cybersecurity. After spending some time there I also tried out the private sector, before finally starting to work for myself when I received my DARPA Cyber Fast Track grant to continue my mobile research. More so than my day jobs, it was engagement with the security community, such as giving talks and training at conferences that propelled my early career forward.
Hackers Interview: Tell us about your experience as a Penetration Tester.
Georgia Weidman: Well most of that would be under non-disclosure agreements with my clients. But, generally speaking, I play the bad guy before the real bad guys show up, helping companies discover and fix weaknesses in everything from websites, their internal networks, mobile applications, and mobile devices, you name it. The goal is to fix the issues before bad guys exploit them.
Hackers Interview: What are the amazing things you did in Penetration Testing?
Georgia Weidman: Well, I’d actually like to focus on the things I did that are not penetration testing, and, in many cases, not even technical. Starting companies, pitching for venture capitalists, raising investment money, doing live television interviews where I must make my work understood to a mostly non-technical audience. Those are the sorts of things that have pushed my boundaries and caused me to grow as a person much more than the technical stuff.
Hackers Interview: What upcoming challenges you see for a Penetration Tester as per the current security postures of companies ?
Georgia Weidman: I firmly believe that all the “next-generation” ways we use technology pose a clear and present danger — be they cloud-based via outsourcing our email to Google Apps and our lead generation to Salesforce.com; increasingly coupling more of our business and personal lives to mobile devices that do not truly call us master; technologies that enter our homes and offices with everything from Smart TVs that listen to our every conversation, Smart Assistants that take it a step further and act upon our unwitting conversations, or lightbulbs with IP addresses and hardcoded root passwords; or our ever increasing reliance on industrial controls that are so fragile they often cannot be security tested in a traditional way and continually prove susceptible to malware little more sophisticated than that which plagues our unpatched Windows Desktops.
I build products that help enterprises and consumers understand and manage their risks around these next generation technologies with a deep focus on the under addressed risks associated with mobile security and IoT security.
In my consulting practice, I see customers everyday who bought the best preventative technologies, all of which make a lot of fancy claims on the back of the box, but, in a matter of minutes, my products prove that these preventative technologies fall far short of success. When pressed the client simply says that the vendor had a compelling sales team. I also get customers who are very firm on the fact that they will only do something about the state of security beyond Windows desktops and their public facing websites when HIPAA or PCI or the NIST standards force them to take their head out of the sand.
Hackers Interview: What is the scope of Penetration Testing ?
Georgia Weidman: If it involves software and it’s connected to something, it should be penetration tested as part of the software life cycle. Too often we think of Penetration Testing as simply testing the perimeter or things on the perimeter. But, in a modern network, the perimeter has been shattered, and the bad guys can enter from anywhere.
Hackers Interview: What will you suggest to our newbies who are interested to start their career in Penetration Testing?
Georgia Weidman: Read my book Penetration Testing: A Hands-On Introduction to Hacking. Set up your own lab to ethically gain skills in hacking. Check out Capture the Flag type games online or at security conferences if you are able to attend. Get involved in any local hacker groups or meetups and volunteer to present a topic you have learned about in your self study.
Hackers Interview: What are the various career opportunities in Penetration Testing?
Georgia Weidman: The career options in Penetration Testing mirror the scope of Penetration Testing. Any company or government entity that even uses connected products of any kind would be well-served by undergoing period Penetration Testing. For larger entities, this is done by in-house teams. For smaller entities, it’s often by out-sourced teams. As a junior tester, it’s easiest to start with an in-house team or as a member of an out-sourced team.
Hackers Interview: What are the useful online and offline sources to learn Penetration Testing?
Georgia Weidman: Since I’m an advisor to Cybrary and it’s my class, I’m biased, but https://www.cybrary.it/course/advanced-penetration-testing/ is a great online resource. For offline, I suggest the same resources as in question 8.
“Thanks Ms. Georgia Weidman for giving your precious time to our readers.”
Author: Yogesh Prasad
Ethical Hacker, Information Security Consultant, Entrepreneur, Founder – Hackers Interview