A Day in a Life: Ethical Hacker

  • Source: Article
  • Article Date: 5/12/2018

Moganathas Voodiyakumar or Mogan, as he is known around the office, is a hacker with Enterprise Information Security (EIS), PETRONAS Group ICT. He got into hacking 10 years ago after getting cheated on an online retailer by a user who was purportedly selling a 55-inch flat screen TV. “I paid the guy RM500 via a financial services company but never got the merchandise,” says Mogan, 28. That incident got him thinking about IT and security, and he soon learnt the finer points of bypassing computer security. ICT Bytes caught up with Mogan to find out what it is like to be entrusted with the cybersecurity of an organisation of some 40,000 people like PETRONAS.

Q: Describe what you do at EIS

A: I am a member of the ICT Security Assurance, one of the teams in EIS. Most days, I do trademark abuse monitoring. I monitor the web for fake websites masquerading as PETRONAS websites. 

I also perform vulnerability assessments. I identify weaknesses in systems that will allow attackers to come in, then alert the server custodian or owner of the system to take remedial action. 

I am also involved in security projects, most recently with Group Internal Audit for two months to audit the Governance and Management of Process Control System (PCS) cybersecurity. PETRONAS ICT’s information security processes are accredited with ISO 27001 – Information Security Management System. I have been the internal audit team lead for the past two years. 

By the way, any OPU can request for a PETRONAS ICT security assessment via ICT2U.

Q: What is hacking?

A: Hacking is a set of processes that identify weaknesses in systems and exploit them to get in. Why would you want to get into a system? That is entirely up to you. If you are ethical, you can inform the owner of the vulnerabilities and help fix the system. If you are a bad guy, you will use the data for your own gains. 

I have Certified Ethical Hacker (CEH) and Certified Hacking Forensic Investigator (CHFI) certifications from EC-Council, a cybersecurity technical certification body. These credentials identify me as an ethical hacker.

Q: What does it take to beef up IT security?

A: There are three key elements in security: people, process and technology. Only when all three are well-managed can we implement good IT security. 

Commonly, organisations spend millions on technology such as world-class IT service providers and next-generation firewalls. Then they implement well-defined end-to-end processes and call the Big Four to audit [the processes] to introduce improvements. However, they fail to address the 'people' aspect adequately. They neglect to educate their staff on the importance of cybersecurity to the company.

This is why, at many security conferences the common theme is people, the computer users, as the problem. At EIS, we see people as a solution. 

Q: What do you mean by “people as a solution”?

A: We organise security awareness programmes to educate our users. For example, at the recent Group ICT Forum 2018, we conducted a hacking and phishing demo to show the consequences of accessing certain websites using PETRONAS-issued devices. Through awareness, people will be cautiously aware of their actions and will not be easily tricked in the future.

Q: What is phishing?

A: Phishing is when an attacker impersonates someone, for example, a bank officer, to lead a computer user to reveal sensitive information such as their ATM PIN number. 

Attackers commonly phish in three ways – by asking you to reply to an email, by redirecting you to a compromised website or one that requires you to provide certain information on a form, and finally by sending you a virus as an attachment that infects the system the moment you click a button.

Phishing is the mode of choice for attackers to gain access to a company’s corporate network because everyone has an email account. We cannot work without email.

Q: Why do people still fall for phishing after all these years?

A: Lack of awareness. Perhaps they are unable to identify symptoms of a phishing email or site. If you are smart enough to not fall for phishing attempts, you can still play a role by alerting our team about these suspicious emails.

Q: What are some other common security threats that users need to be wary of?

A: Man-in-the-middle attack, which can occur at public Wi-Fi networks such as at McDonald’s and Starbucks. A hacker sitting inside the cafe can sniff the network for sensitive information such as your username, passwords and the websites you visit. 

Q: How can users stay safe?

A: Make sure you have the latest security patch, do not install unauthorised applications, always pay attention to popups or any unusual behaviour on your devices and never open email attachments from unknown senders without first scanning them with an anti-virus.