Security-Tester – Sherlock Holmes der IT-Branche

Tobias Ospelt checks IT solutions for security vulnerabilities and consults companies about the topic of IT security. In this interview, the security expert explains how he identifies system vulnerabilities, how hackers achieve their goals and how future challenges of IT security will look.

What is your main task as security tester?

I test software and hardware for companies: first I gather information about the product in question and immerse myself in the topic. Once I have completed my initial research, I start searching for weaknesses and risks, which were not accounted for when the product was designed. Furthermore, I conduct numerous tests and watch how the system reacts to my input and commands. In the steps that follow, I look into which reasons could explain any anomalies, which I have identified. My aim is to find out where the system vulnerabilities lie and how these could be exploited.

What happens after you test a program

Generally, the program is improved in order to fix any security vulnerabilities identified. IT systems are normally build up in a very modular way, which oftentimes allows for a replacement of any erroneous parts. However, if we discover larger design errors in the development of an app, the customer will sometimes decide to build up the program from scratch again.

How do hackers take advantage of security vulnerabilities of websites?

Hackers send numerous commands to a website and watch how it reacts. This process usually stretches over days rather than minutes. The commands of the attackers generate error messages and inform the hackers, where in the system the requests are being answered and which software is being used. The hackers use this information to analyse the behaviour of the website.

Sometimes, they may succeed in transmitting certain strings, which produce a databank error. In this scenario, the attackers know that the strings have been transmitted to the system’s databank unfiltered. They are consequently able to communicate with the heart of the system. If they are ultimately able to send adapted commands to the system, which are being carried out, the system has been hacked. In this case, data requested by the attackers will be displayed to them instead of an error message. In a worst-case scenario, the consequence of such an error can be that all the data of the system users can be read or manipulated.

Do hackers tend to target companies or individuals nowadays?

More often than not, financial motives are what drive hackers. They aim to blackmail someone for money – from whom and how is of secondary concern. For this reason, individuals and companies both are in danger. The malware Locky, which has been distributed for a couple of months now, is proof of this. The malware encrypts data on the victim’s computer such as text files. Only by paying a ransom to the blackmailer, will he/she provide you with the key to decrypt your data. This is why it is so important that IT security is taken serious in companies as well as in people’s private lives.

Which precautions must be taken specifically?

The Federal Office for Information Security provides a useful list (in German) on the topic. As a general rule of thumb, everyone should take the following precautions: aim to strengthen your awareness of legitimate and suspicious content, avoid running unknown programs, regularly update the software on your computer and use an ad blocker. For companies, a number of further aspects are to be considered – generally the IT department is responsible for these.

How do you see the security threats of the future?

The "Internet of Things" will definitely represent a great challenge. This refers to devices of any kind, which are connected to the internet, but often only have little capacity. One talks of so-called “embedded devices”. A lot of effort must be invested in order to make these devices secure. Furthermore, a lot of know how is necessary. Whether this is available with a provider that has been producing fridges for 20 years is questionable. Frequently, the time-to-market of these devices is typically calculated too sparsely causing them to be full of errors that leave them vulnerable to attacks. It is also not uncommon, that no update mechanism is available in a device making it impossible to install important software updates should an error be identified in the product.

How do you keep up to date with this rapid development?

To start with, I learned a lot from books. Today, information from the internet tends to help me onwards – from university whitepapers through to blog posts that describe current attacks. Furthermore, a lively exchange exists between security testers and special security conferences with lectures on up-to-date topics.