Ireland's ethical hackers uncovering weak points in IT systems

Last month’s attack on Munster Technological University is typical of the trend, according to Andrew Cushen, penetration tester with Stryve, the Carlow-based specialist cloud and cyber security company. 

“The attack on MTU was much like the HSE attack we saw in 2022 in that it was a ransomware attack. These kinds of attacks are typically indiscriminate and rely on the target organisation needing their data as well as their ability to pay. 

Until we start taking cyber security more seriously, it's almost inevitable that these kinds of intrusions will continue to happen.” 

Having studied computer forensics and security at Waterford IT, Mr Cushen joined the Stryve penetration test team as an ethical hacker in 2021. On behalf of Stryve’s customers, he helps to uncover the weaknesses in technology systems which hackers might take advantage of — thus ensuring ‘the good guys’ find vulnerabilities first and help to bolster companies’ security posture. 

“The hackers who target these industries are most often doing it for financial gain,” he explains. 

“They are after money by direct pay-out, or after sensitive data which they can leverage for financial gain. I would say that because of this, the financial and healthcare industries are most prone to being targeted since they simply cannot afford to have their data compromised.” 

Small companies are also in danger having not considered their security posture due to budget constraints: “This is a false perception because the cost of a cyber attack is far greater — not just in terms of the financial cost but the reputation damage as well.”

Given the frequency of these attacks, Mr Cushen believes the message is getting through on the danger of cybercrime — albeit often after the damage has been done. 

I think now governments and industries are becoming more aware after seeing what can happen as a result of these cyber attacks. Unfortunately, it's only after a lot of damage has already been done. Hopefully, now they can work to help companies protect themselves. 

"A good example is the Australian government imposing a fine on companies who suffer data breaches, or the EU's GDPR for defining laws around data protection and privacy. These will hopefully create an incentive for companies to invest in their security posture and prioritise the safety of customer data.” 

Cyber Ireland, the national cyber security cluster organisation incorporating industry, academia and government, estimates Ireland’s cyber security sector generated about €1.1bn in 2021, employing 7,500 professionals across 490 firms. 

The sector continues to expand by a similar magnitude to international growth, at a rate of over 10% per annum. Based on current estimates, Ireland’s cyber security ecosystem could generate up to €2.5bn, with employment of over 17,000 professionals by 2030.

“Ireland is home to the EU headquarters of nine of the world's largest tech companies, so we are well-regarded when it comes to technology related to cyber security. With the launch of the second National Cyber Security Strategy for 2019-2024 by the Government, our ability to deal with these attacks will be much greater in the future. For now, I would say we're getting there, but we still have a long way to go.” 

Awareness of cyber security should be actively cultivated in schools, he believes, and is especially crucial for a a country that prides itself on being a digital economy.

Going back to his early college days, Mr Cushen’s interest in computers signposted a career somewhere in the varied world of technology. 

“I've always been into computers and how they worked. I knew I wanted to work with computers but I was never quite sure what exactly I wanted to do in tech. Once I found out that this kind of job even existed, I knew this is what I wanted to do. 

"Penetration testing is all about gaining a deep understanding of what a particular application is doing and how it functions to find vulnerabilities in the way it works. During college, I secured work experience with Stryve, and afterwards they offered me a full-time position.” 

Understanding your enemy and trying to think as they do is central to Mr Cushen’s job: “The approach we take in an engagement is to impersonate a hacker, and attack the target using all techniques available. An engagement usually consists of collaborating with the team to understand what areas are vulnerable,” he explains of the process. 

“We delegate different areas amongst each other and get to work testing different methods of exploitation against the application in an attempt to break it or elicit unusual behaviour that the developers haven't anticipated.” 

The process includes finding out how applications work, down to the smallest details, playing around with the functionality until something clicks and discovering a way to break or exploit it, just like a nefarious hacker would. 

“The teamwork involved is really enjoyable, and I have yet to be involved in a penetration test where we haven’t found anything. 

There is always something to find in an application, whether it be a pretty severe issue that needs to be addressed immediately or a small discrepancy that ought to be straightened out.” 

The future is bright for Ireland’s cyber security sector, he predicts, as the criminal threats become ever more frequent: “Innovations in technology and increased digitalisation in all sectors mean a greater attack surface for hackers. This needs to be addressed by an increase in cyber security professionals who can work to secure businesses.” 

To those of us who daily switch on our computers without too much thought of the danger lurking in the keyboard, Mr Cushen imparts this counsel: “My advice is to take cyber security into account at every stage of production and development and to educate staff in all departments on cyber security. A lot of issues with applications are more to do with implementation, which comes down to human error. 

As well, a huge majority of the big hacks we hear about in the news are mainly caused by someone giving up sensitive information like passwords to scammers impersonating another employee. These can largely be avoided with the proper awareness and care given to security.” 

Maintaining a ‘zero-trust mindset’ is key to preventing these cyber intrusions: “This means that you should always be wary of things like links from unknown sources, and always be sure of the legitimacy of sites that ask you for sensitive details. And most importantly, never share sensitive information over email, text or phone.”

www.stryvesecure.com