Interview with Cyber Security Expert and Penetration Tester Lisa Forte
Lisa Forte is a cyber security expert and keynote speaker from the UK. In our interview she offered us exciting insights into her work at her company Red Goat which is specialized in social engineering and offers penetration testing. She also shares some thoughts on the consequences of Brexit on the IT sector, and a positive view on what it is like to be a women in the male dominated tech industry.
Boxcryptor: Hi Lisa! We are very excited to talk to you today.
At first, we would like to know how you decided to go into the IT Security industry in the first place?
Lisa Forte: I worked in the intelligence services in the UK and I got into cyber security whilst working for them. After that, I moved into UK police cyber-crime unit where we were investigating big cyberattacks in the UK. Then, I decided that I wanted to leave the police and set up my own company to provide more services to organizations, to help them defend against hackers.
What is the main purpose of your company Red Goat?
Lisa Forte: We are social engineering experts and we’ve specialised in social engineering, so, hacking humans, essentially. When I worked for the police, almost all cases that we dealt with involved social engineering. I thought that as I am an expert in social engineering my area focus should be solely that.
In the UK one of the intelligence organisations you might have heard of is GCHQ. They actually certified our social engineering training course so that people who do it can be guaranteed that it is of the highest quality. Most of our clients are FTSE 100 companies, law firms, banks, universities so they are very big organizations, but it does apply to small companies, too.
On your website you offer a multi-stage evaluation of a company’s human resilience to a cyberattack. What does that mean?
Lisa Forte: Our social engineering testing is focused on really targeted attacks which are really hard to spot with technical defences. We start off with open source intelligence, so gathering information online about the company about their staff. We then send very specific phishing emails, text messages or phone calls to the staff. Sometimes we show up in person to see if we can get into the office, too. We test across all those four social engineering vectors. At the end, we catalogue our report to give to the client, to recommend things that could be done to improve security. These could be simple things like training and more awareness to using better encryption, so that if I do get in, the data is encrypted.
So basically, your employees have to be good actors to target those people? Is that part of social engineering as well?
Lisa Forte: Definitely. It’s about confidence and knowing that human behaviour unfortunately is very predictable. Once you know how someone is likely to respond to you, you can exploit that to gain access to things you should not be able to gain access to.
And how do you evaluate the result of such a multi-stage evaluation? What is your advice for the companies you test, if you experience a weakness?
Lisa Forte: I think one of the main things that comes up with social engineering is training of staff. Because the problem is, often you’ll find that the staff that are most likely to compromise security, tend to just click through the computer training really fast and don’t engage with it. So they don’t learn and they tend to be the weakest link. Often, my recommendations include awareness training but there are also a lot of technical things that the company can do to try and reduce the risks. Encrypting your sensitive data and making sure not all employees have access to everything, also helps. Most hackers want money so they are going to look at you and think “if I put time and effort into attacking you, is my return on investment going to be high or is it going to be low”. If it looks difficult, they’ll just think “okay, I’ll go on to the next company”. Security for most companies is just about making yourself look like a little bit less attractive.
Besides social engineering you also do war gaming. Can you tell us what a war gaming scenario would look like at Red Goat?
Lisa Forte: War gaming is basically planning to survive a cyberattack. If you imagine, in your company, you have a fire plan. It probably plans out the evacuation routes, the meeting points and who is responsible for checking, the staff have all escaped. That plan may be great but you need to test if it works. So you run fire drills to test if the plan works. War gaming is essentially the same thing but for cyberattacks. We simulate an attack and the managers of the company then have to think about what they are going to do, say, and decide. They have to ask “How are we going to handle this? What are we going to say to the media? Okay, some of our unencrypted data have been stolen, how are we going to deal with that?”
It’s about making sure that they have a plan, and they know how to use that plan. So that they don’t get into a situation, where they make bad decisions if they’re attacked. Practice makes perfect!
Is there a most common reason for a penetration test to be successful? Is the problem more often negligence by employees or missing pieces in the IT system?
Lisa Forte: It’s a bit of both, really. Plus, sometimes when there is an attack, the managers don’t know what to do. They can end up making very bad decisions, or they stop making decisions altogether. As a result, the damage from the attack gets much worse, because they are not making good decisions to ensure the company is moving forward and getting its operations back online. The problem is if you don’t do that, you are unlikely to survive a cyberattack. It’s good to test these things to make sure you know what you would do and how you would respond.
So basically, you are professionally hacking companies. Are there any prejudices you receive because you are working as a hacker to test companies?
Lisa Forte: I don’t like to say “hacker” because I think a lot of people assume if you are a hacker you are a criminal, you are one of the bad guys. Typically, I would refer to myself as a penetration tester. I’ve never been a criminal. I worked for the police. I’m just attacking them from a perspective that has been agreed contractually. I think there’s a really big difference between hackers who are criminals and the highly skilled professionals who test security systems. That’s the first thing I would clarify.
I do think that the language in cybersecurity is a bit confusing to non-cyber people. We use terms such as hacker, data, cyber, information security and I think it complicates the situation for people who are not in this sector. It isn’t helpful. Perhaps information crime or data crime would be better than cybercrime.
What is the target group of Red Goat and what kind of companies are approaching you?
Lisa Forte: At the moment most of our clients are large companies. Their biggest concern is really targeted social engineering attacks on their staff. They have a lot of staff spread over many offices. Obviously for very small companies they have maybe 10-20 staff all in one small office so it’s much harder to do a social engineering attack on those companies in some ways. A lot of our big companies are very concerned about social engineering, so they hire us to train their staff, do lots of testing, and run war games to prepare them for an attack.
When would you recommend a company to conduct a penetration test? And how should such a test be imbedded in the security strategy of a company?
Lisa Forte: It really depends on the size of a company and their security posture. If you are a very small company and you have never tested your security system before I think perhaps you need something that’s more minimal. In the UK we have a Government backed scheme called Cyber Essentials. It helps you attain the very minimum-security standards that companies should have. I think starting with something like that is a really good idea. The problem is, if you go and spent a lot of money on a full penetration test, you will receive a very large report with lots of recommendations at the end. When you haven’t done any testing before that might be a bit overwhelming and very costly to fix. So, I think it’s better to start small and just start to climb that ladder to security by making small changes.
How is the personal data of a company protected during your penetration tests? Are some clients worried about being hacked professionally, because of GDPR compliance, for example?
Lisa Forte: We don’t ever access any personal data when we test any companies. So for my company it’s not an issue. For other companies that do more technical penetration tests, more technical hacking, I suppose there is a chance that some of the data could be accessed. I suppose you could argue that as long as you are not accessing any personal data, you won’t breach GDPR anyway. It may be that they look to access other data in the company, as a sort of proof of concept, instead of the personal data.
How are the reactions of your clients to the results you are delivering? Is there a difference depending on whether they approached you voluntarily, or whether they were forced by law to use your services?
Lisa Forte: I think it really depends on what you find, more than how they approach you. In our reports I always make a point that I will never name the employee that opened the door for me, for example. I think that if one employee has opened the door for me, then it is likely, most of the other employees will also do it. So it’s not fair to name that one person who might then get fired because they haven’t received enough training or awareness.
We always make sure that doesn’t happen because it’s not right and it doesn’t help build a good company culture. I think most of the time the companies are shocked at how much we have got or how quickly we have got in. They accept that this was worthwhile and now they know where their weaknesses are.
Is there anything you see happening in the IT security industry that is somewhat related to Brexit?
Lisa Forte: I think it’s going to be challenging because we don’t know yet what Brexit will actually look like. For example if there is a no-deal Brexit we are not sure whether the UK will even be considered a trusted country for EU data. That would be a big problem for a lot of companies. Also, at the moment UK police work very closely with police in Germany, France and so on. That is because of cooperation agreements within the EU. I don’t know what will happen when we leave the EU and whether those police forces will still be able to work together as closely as they do now. I suspect it will not look the same which will be a shame for fighting cybercrime.
Brexit is obviously a huge change for the UK. Undoubtedly companies may have a lower budget to spend on security because they have to make changes to allow for Brexit. So I think, undoubtedly it will have an impact. Whether that will be positive or negative we’ll have to wait and see.
Change of topic: As a woman in IT security, did you ever face any problems or advantages, being in such a male dominated space?
Lisa Forte: The intelligence sector and the police in the UK are also very male dominated. So, my whole career I have worked in male dominated industries. It wasn’t surprising to me.
But I think there are advantages because there are so few women who are in tech, especially in Europe, that there are a lot of opportunities for you to make a really big name for yourself. I think it’s a great time to be a woman in tech.
But still, there are not that many women in this industry. What could help to bring women into the tech scene and in particular into IT security?
Lisa Forte: In Asia, some countries, such as Japan, have made cyber security a compulsory literacy in schools. I think the advantage of doing that is that young girls will get an opportunity to try it out and see if they are any good at it or if they are interested in it. The real problem, especially in the UK, is that lots of boys decide they want to go into IT classes and the girls don’t want to be in a class that has no other girls in it. So, as a result we don’t get many women wanting to study IT which creates this massive gap. I think it’s really important to work on that, because women and men are very different in the way they think and approach problems. It is important to have lots of different people working in security to view risks differently.
Are you engaged in any gender specific networks to get more women in the industry?
Lisa Forte: I actually won an award in December for being one of the Top 100 Women in Tech, which was great. I live in Bristol in the UK, and I work very closely with a group that’s called the “Women’s Tech Hub”. They encourage women to change careers and get more involved in the tech sector. We work very closely with them to try and help them provide the skills the women need to start or grow their careers.
Do you have a quota at your company?
Lisa Forte: We are a very small company at the moment, but we have a very high percentage of women because of how small we are. In the UK, larger companies have to report on how many women they employ, and at senior levels, the salary differences. So, I think, in the UK, the culture is changing and people are starting to see it as more of a priority.
To come to our last question: Is there any historical data breach or data loss instance that comes to your mind that you find particularly interesting?
Lisa Forte: One of the cases I worked on was a case of a plastic surgery clinic. They had lots of patients who wanted cosmetic surgery to look more beautiful or enhance their bodies. The attacker actually called up the clinic and spoke to the receptionist. He said he had been a recent patient and he was having some problems after the operation. He said “Look, can I send some photographs of the issues I am having, so you can see if my reaction to the operation is normal”. The receptionist agrees, so he emails her and attaches the images. She receives the email and just forwards it straight away to one of the top surgeons. The surgeon opens the file, installs the recommended image viewer which wasn’t an image viewer at all! It puts malware onto the system. To make matters worse the company had not encrypted any of the other patient data. As a private clinic in the UK they weren’t actually required to do it so they hadn’t bothered. All of the patient data got taken by the attacker and posted online.
So, this is an example of both social engineering (phone call and the email) but also the need for encryption. If that data had been encrypted then it may not have been as much use to the attacker. Those patient’s may have been protected. It shows that social engineering and encryption go hand in hand. Security involves lots of layers and never just one solution!
Thank you very much for your time, Lisa!