Cyber Security

Women in Information Security: Sarka

Written by

Isadora Gregori

Published on

20 Sep 2018


Due to popular demand, my women in information security interview series is back for autumn! This marks the second anniversary since I started. Some of my subjects in this round have been waiting since last spring, so getting to chat with them has been long overdue.

Let’s start with Sharka, a penetration tester who is full of enthusiasm. She wants to give some shout-outs to some of her favourite Twitter accounts: SureCloud, OWASP Manchester, DEF CON Paris, BSides Athens, MazuTech and Chrissy “5w0rdfish” Morgan.

Kim Crawley: So Sharka, please tell me a bit about what you do.

Sharka: I am a cybersecurity consultant and pentester at SureCloud by day. They are awesome because I get to hack all infrastructure, web apps and payment systems. Also, I get to follow my passion: social engineering and testing physical security. By night or in my free time, I am a bug bounty hunter. I am very involved in the hacker community. I am one of the Manchester OWASP Chapter organizers and co-founder of the one and only DEF CON group in Paris. I’m also an ambassador for BSides Athens. Additionally, I research with my friend Chrissy under the Mazu project. It’s meant to be a unique project that looks at the world and its vulnerabilities from both the offensive (me) and defensive (Chrissy) side. I am coming up with exploits that she is trying to defend against. Recently, our research has been heavily focused around RFID and specifically around the new Proxmark3 RDV4.0.

KC: Your work sounds varied and exciting. How did you get started in cybersecurity in the first place?

S: My first hack was when I was around 8 years old. The first hack was to manipulate my blood glucose meter. I figured out how to manipulate the results to show better results than I actually had. But I didn’t touch a computer until 14, maybe. That’s when my dad brought his work laptop home. He always tells me that I was stuck to that thing all the time. At school, everyone would always find me in the room with PCs. But I was told IT is not for girls. So I didn’t study it, but I eventually found my way back. Security was that mind-blowing part that attracted me since day one. Without studies, it was a little harder. But after hard work, one day I got an offer to be the first SOC engineer guarding British national infrastructure! That is where I truly started in cybersecurity professionally.

KC: You have some parallels with my background then. Dad’s computer gave us the opportunity to explore computing, and our cybersecurity careers may have been a bit delayed due to sexism. How do you juggle pentesting with OWASP, DEFCON and BSides organising and vulnerability research? Do you still get time off to rest and pursue your hobbies, or are those extracurriculars indeed your hobbies?

S: Well, I am glad you are pointing that out, because I feel like hacker mental health and well-being is often ignored, and often by ourselves. We all know how it feels when we disappear down the rabbit hole to chase that one bug. Time doesn’t exist. Even food is not important! I think we should start talking about it more. In my case, I go to Kendo practice at our local dojo. But I also meditate and float. (I recommend it to anyone who has the possibility to try it.) I believe you can experience it in sensory deprivation tanks.

KC: I keep wanting to write a book while I blog for several different websites and vendors. But then I change my mind. I’d rather hang out with my friends and play video games when I’m not doing paid work. Oh well.

S: Why not do both? Little by little? Start writing chapter by chapter. Go play, relax, then go back to it! I’d read it!

KC: I guess a chapter is about the length of one of my typical articles, so I’d consider your advice. Have you ever done a third party pentest and, without naming names, been really shocked by how insecure your client’s network was?

S: I must say I only do third party, and we have some pretty awesome customers that mostly do follow our advice. So hacking their network is harder and harder. I’d say I see more shockingly insecure behaviours around me in everyday life, unfortunately. That’s why I love to do talks and spread awareness.

KC: Do you think the general public, laypeople, are getting savvier about social engineering?

S: I don’t think they are there yet because there is this whole barrier about us hackers portrayed in black hoodies with balaclavas being malicious. So people are wary of anything hacker-related. But it’s changing slowly. When I talk about breaking into buildings, people are interested more and more, and they want to know what they can do to protect them.

KC: Do you think people overlook or underestimate the importance of physical security?

S: I think they try to give it some thought and put controls in place. But the same as with tools that protect your network, you have to configure them right and test them regularly. Patch them. Once you feel like it’s well done, invite people like me to test them.

KC: I’m under the impression that to a lot of people, network penetration is all speed-typing on a PC. Crawling through the duct work to enter the server room wouldn’t occur to them. What are some of the most common physical security vulnerabilities that you see?

S: People placed to operate those physical controls, mostly. I study the psychology behind manipulation and persuasion. I learn how to read body language, facial expressions and physical traits to tell me who they are.

KC: What advice would you have for kids who are curious about pursuing cybersecurity one day?

S: Start building their knowledge and feed their curiosity! There are so many great online resources that are free where they can learn and practice. And then I’d say go for bug bounty hunting. Or do some research, but make sure to involve adults and understand everything about responsible disclosure. Go to conferences, connect with people, ask people to mentor them. Ask questions no matter what!

Thank you for the job you are doing. You are building something fantastic and very important! And let’s not forget, hack the planet!

About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Article originally posted on Tripwire.
