Charles Henderson gets paid to think like a bad guy.
As an ethical hacker for IBM, Henderson’s job is to break into networks, applications, or physical locations to figure out how a real attacker would go about their work, exposing flaws and the impact those flaws might have on an organization’s security.
Given the increase in cyber attacks and the need to bolster cyber security, there’s been a steady shift in corporations hiring their own hackers to “pen-test” (penetration test) online systems, networks, and physical locations, IBM says.
In fact, Henderson is just one of the 1,000 security specialists the tech giant hired in 2015.
We recently spoke to Henderson, 40, about what it’s really like to be a hacker for IBM. Here’s what he had to say:
‘Let me start by saying, I was a curious kid.’
“I grew up and still live in Austin, Texas, which has become a haven for young technologists with its vibrant computer security scene. I attended the University of Texas and studied Computer Science.
“When I was 11, my father brought home our first computer. Within a week, I had become an active participant on the Bulletin Board Systems (BBS). Using these bulletin boards introduced me to other like-minded individuals and hackers across the world. All of a sudden the world became more accessible to me.
“I quickly decided that I was more interested in taking things apart than putting them together.
“By 12, I took an interest in networks, which at the time meant the phone system. I actually had a phone booth in my room, which I legally acquired, and took it apart. Today, there are websites and videos that tell you how things work and how to take them apart and put them back together. But when I was growing up, none of that existed, and that’s what excited me. My curiosity was fueled by the unknown, so I took things apart to learn how they actually operated. In fact, if there was a ‘how to’ book on how these things worked, I probably never would have done it.”
‘I’ve always been bound by ethics.’
“That is not to say that kids don’t do stupid things.
“For example, when I was in elementary school, I discovered that I could use my parents’ cordless phone as a scanner to listen in on our neighbors’ conversations. Did my parents love when I’d take apart their expensive electronics within just a few days of purchase? Probably not. But being a hacker, I had to know how everything worked.”
‘Over the last 20 years, I built my career by letting my curiosity drive me into security research and penetration testing.’
“When I was looking to switch jobs about seven months ago, IBM offered me a very interesting and challenging position that I couldn’t resist. I was attracted to the wealth of information and resources available here.
“I joined the company in October of 2015, and it’s been really exciting working for IBM. I get to work with some of the largest brands in the world.
“Coming from smaller security teams, we just didn’t have access to the kinds of tools we have at IBM. We often had to create ad hoc tools, which took time. At IBM, we have more firepower, thanks to tools like Bluemix and Watson, among other resources. I have access to basically anything I could ever imagine, which is really exciting for a researcher. The sky is really the limit here.”
‘The first thing I do every morning is catch up on what happened when I was sleeping.’
“The cool thing is, since I run a global team, when I’m sleeping there are teams conducting research and working engagements with customers.
“So in the morning I start by asking, ‘Did we find any critical flaws?’ ‘Do I need to tell a client we found a vulnerability and begin working to fix it?’ From there, I am working with my team to plan penetration tests and make sure we have the resources we need to address the issues we have found. There isn’t an hour that goes by that I don’t find a cool, new way of doing something, which means my days are both unpredictable and exciting.
“I also do a lot of research myself. I like to look at consumer electronic devices, anything from planes to trains to automobiles to mobile devices. I try to find ways to break into or break apart these devices, to find new flaws and vulnerabilities. And with the growth of the Internet of Things, I’m always interested in understanding how devices connect to one another and what vulnerabilities might surface as a result.
“When I’m not in Texas, I’m traveling the world to meet with clients, to help them better understand their security issues and the security landscape itself. I work with some of the world’s largest and most exciting companies and during these meetings I get to pull back the curtains and find out how their company addresses security. They share their wants, needs, and the challenges they face, and we work together to come up with solutions to fix them.”
‘Here are some examples of what we do …’
“One time, with the authorization of a previous client, I was hired to conduct a physical penetration test, which resulted in a stolen corporate vehicle filled with confidential information.
“The goal of the engagement was to have my team see how much damage we could do by using tools such as social engineering to infiltrate the client’s building and see how much confidential information we could get our hands on. Turns out, we could take it a few steps further: we stole the data and then drove away with it in a company car, but of course, we had permission.
“When it comes to hacking physical locations, we typically execute what I call ‘tiger teams’ (think ninja style/secret ops) to break into buildings on behalf of clients, to test their physical front-door security.
“We don’t use bars to get in the door. Rather, we organize highly orchestrated attacks to get into client buildings by any means necessary, which often includes hacking into unsecured systems, copying employee badges, etc., with the client’s prior approval.”
‘The best part of my job is finding and fixing a major security vulnerability before criminals get a chance to exploit it.’
“It’s about the thrill of the chase. Every time we help a client fix a major security vulnerability, it’s one less avenue for a criminal to exploit. And when I say client, I don’t just mean our customer, I mean our customers’ customers, the people they do business with. Every day I’m faced with a new brain teaser, a new challenge, and that’s really exciting.”
‘The worst part about my job is telling a client they have a major vulnerability.’
“Often, their initial reaction is fear, but the good news is, no matter how bad the vulnerability is, there is something we can do to fix it to protect the customer. But often, that initial delivery of bad news is difficult.”
‘The one question I always get when I tell people what I do for a living is, “Can you hack into my bank account?”’
“My go-to answer is, ‘It depends on what bank you use.’ People also love to ask me if I have ever done any ‘spy stuff.’”
‘The biggest misconception about hackers is that we’re all criminals.’
“Unfortunately, the word ‘hacker’ has been pigeonholed to mean malicious computer hacking, and it’s important to understand that the word is not a synonym for criminal.
“To me, being a hacker means you have an unbridled curiosity about how things work. Whereas many people look at a new technology and think about the possibility for creation, hackers look at a new technology and want to understand how to deconstruct that technology. We have an insatiable appetite for understanding how the world works, and we take it as a personal challenge to find flaws in technology before criminals have a chance to.
“Television shows and movies depict hackers as simply knowing how to do something. In reality, hacking is about taking something apart physically or virtually and understanding the inner workings.”
‘Here’s the difference between good and bad hackers …’
“A criminal hacker is someone who exploits a vulnerability, for monetary gain or ulterior motives, and isn’t interested in helping to fix the flaw they used to gain access. Criminals take the path of least resistance, while non-criminal hackers choose their targets based on a challenge or the learning process.
“As ethical hackers, we are driven to understand how things work. When we find a vulnerability, we share that information and we work to responsibly disclose it and help fix the problem we found. Ethical hackers have a moral compass guiding them to help protect people from the flaws they find.”
‘There is also a preconceived notion of hackers that we are people who choose to hack because we are maladjusted or full of angst and anger.’
“Most people assume if you’re a hacker, you had no friends growing up. But honestly, hacking has nothing to do with that. There are perfectly well-adjusted hackers in the world; we’re just curious people, looking for a deeper understanding of how the world works. I’m a father of two and I’m happily married.
“Also, my expertise in hacking has led me to become a world-class practical joker within my team. I think that practical jokes foster critical thinking.”
‘My number one piece of advice for an aspiring hacker is to question everything.’
“Always be curious. Never take anything at face value.
“And second, as ironic as it might sound, always keep sight of your ethical compass and practice responsible disclosure. It is easy to derail a promising career by doing something stupid. Make sure, as you research vulnerabilities, you are guided by your values. Remember that a company can’t protect its users from a flaw found by a hacker unless that hacker responsibly discloses it to the company. A flaw can’t be fixed if the impacted company doesn’t know about it.”