We’re back with another interview from across the pond. Chris John Riley is a fairly well known name in security circles – mainly due to his long battles with a certain ‘hacker’ who shall remain nameless. I first met Chris at Shmoocon 2010 where I explained the finer points of the Superbowl and drank many a beer while we both waited for our rescheduled flights back home to our respective countries – in fact, I think he skipped out on the bill and left me paying for his drinks. On with the interview:
Q: Tell us a little about yourself.
Wow, starting off with the tough questions, are we… Well, what is there to say? I work as a penetration tester for a large Austrian financial provider. On the side I do some research, blogging, podcasting and like to break things. All of which I do badly, might I add 😉
Q: How did you get interested in information security?
I’ve always been interested in security I guess. Although I always used to think of it as an unhealthy interest in how things really worked under the hood. I’ve broken my fair share of systems by being a little too curious what would happen if I just changed or deleted this or that file. Then again, who hasn’t done that once in a while?
I guess if I had to give an exact time where I knew absolutely that I wanted to work in security, I’d have to say it was a Thursday morning, shortly before lunch. I remember distinctly because I was really hungry, and as I was working in Munich at the time, it was pizza day (as every good Thursday in Germany should be). Anyway, I digress. An interesting project had come across my desk (and by that I mean, my boss emailed me and said “get this done ASAP”). The project was a simple one. Install and configure an Intrusion Detection System to protect an external server farm, and schedule regular vulnerability scans. Finally an interesting project and the chance to play with some IDS stuff. Still, to tell you the truth, the project wasn’t really what made me want to do security, it was the response from management after the project was finished. I sat down with one of the managers after the project and started to go through one of the vulnerability reports I’d run. Lots of red and yellow alerts, lots of things to change to make the environment more secure. His response was that the IDS and scans were simply a contractual requirement to win a customer bid. Nobody had the time or interest in changing things. We’d ticked that requirement box that said “IDS and run regular scans”, project done, move on, nothing to see here!
As you can imagine, this didn’t sit too well with me, but there wasn’t much I could do about it at the time. I was still learning German and couldn’t rock the boat much. So, moving on, I tried to work security into the next couple of projects and found it increasingly hard to get the real issues across. I tried to convey the idea that security should be built in at the ground floor and not just ignored completely. Well, to cut a long story short (yeah, I know, too late), I asked for 4 weeks’ leave to attend some training (self-funded naturally) and was turned down flat. I had the holiday days saved up (yes, we actually get holiday days in Europe), but still I couldn’t get the time. At that point I had a real choice to make. Dive into security full time (as my heart said), or bite my tongue and keep my job (as my head said). So like any hot-headed idiot would do, I handed in my notice, did my training and made the move from Germany to Austria to be closer to my girlfriend.
After a few months of sitting in front of a computer screen, self-training, reading books and generally making a pain of myself, I was lucky enough to interview for an IT Security Analyst position at a large financial institution in Austria. Despite my n00b status in security, they took me on as part of their CERT team and ever since then I’ve been working as a full-time penetration tester. That was 3 years ago now… and I still feel like a n00b every day. There’s always something new to learn.
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
I never really did the whole university thing that most people say is a requirement. I came out of college in the UK and stepped right into a job. That led to another job, and another. Leaving and going to university just didn’t seem like it was worthwhile at the time. Alongside a lot of self-learning I also concentrated a lot on industry certs on and off. I did the whole MCSE thing (as I was working a lot with MS technology), but that was all before I moved into security.
Once I’d made the choice to move into security, I felt the need to get some basic certs to show I knew what end of the firewall was what. As such I finished up my MCSE: Security and tagged on a CompTIA Security+ and some very poorly taught EC-Council certs (C|EH and ECSA) to the mix. Although I didn’t put much stock in the C|EH (still don’t), it did open a few doors for me, and prompted some interesting conversations with companies when interviewing for positions. After I started working as a penetration tester I began attending regular SANS courses (more for the knowledge than the piece of paper afterwards).
Certification for me was never really an end goal. Anybody can pass a cert by remembering the answers to the questions… just take a look at the millions of MCSE certified people out there if you need proof. At least a section of those are paper MCSE. I’d rather have the knowledge and no cert, than have the cert and no knowledge!
“The wisest man is he who knows that he knows nothing”
Q: What did you want to be when you grew up? Would you rather be doing that?
When I grow up I want to be just like you Andrew… except I don’t want to drink Bass beer! Oh, and with spiky hair… red maybe! Red is cool right?
[Andrew’s Note: Chris likes to fault me for drinking Bass…but he loves Corona. He may quite possibly be the worst European ever.]
Q: What projects (if any) are you working on right now?
Wow, that’s a long list. Like most people in security (I’d guess), I’ve got a long list of active, semi-active, inactive, yet to be active, style projects. Most exist solely in my head, but might one day see the light of day!
I’ve been working a lot on the UATester tool I released last year at BruCON. It’s not really about the tool, but I’m trying to get the message across that HTTP headers are cool… Yeah, I’ve got a long way to go on that one I guess. Still, I’m getting there! I’ve recently been working with the man behind Shodan to analyze HTTP headers of the top 10,000 websites. That’s bringing up some interesting edge cases that really show why people should be paying more attention to the little things. You never know what you might be missing!
I’m also working on some SAP stuff on the side. I’ve written a few Metasploit modules for an SAP Information Disclosure issue I found last year. They recently went into the Metasploit main SVN and seem to be getting good reviews. At least, I’ve had some good feedback. There are still a few SAP modules I’m working on, but people will have to wait on those.
The project that’s really taking up most of my time and energy right now though is BSides Vienna. I’m arranging a 1-day BSides on June 18th, straight after the 23rd annual FIRST conference takes place in Vienna. I never knew it was this hard to set up a conference… so many small things that you never consider. Still, things are rolling. So get over to http://bsidesvienna.eventbrite.com and sign up for a ticket and http://cfp.bsidesvienna.com to send in your entry for the Call For Participation (presentations, workshops, lightning talks…). The more the merrier!
Q: What is your favourite security conference (and why)?
I get to a lot of conferences, and most have their own special charm. DefCon is cool because of the people you get to meet (if you can find them in the crowd). BlackHat Europe is a good one as it’s got all the great content without the 19 tracks associated with BlackHat Vegas ;). I guess I’d have to go with BruCON as my number one conference. It’s small enough to be personal, but big enough to get the great speakers from all over to come. Brilliant location, great company, and the beer helps too!
Q: What do you like to do when you’re not “doing security”?
Sleep mostly! I’d like to say I’m joking, but don’t we all live this stuff???
Q: What area of information security would you say is your strongest?
I hate when people call themselves experts. I guess it’s a pet peeve of mine, and maybe others see it differently. I like to keep my options open when it comes to things and as such I spread myself about a lot. Jack of all trades, master of none is one way to describe it. A bit shit at everything, is probably more accurate though 😉
Q: What about your weakest?
Time management… there’s never enough time to do everything I need to do and still manage to eat/sleep as well! I’d get so much more research done if I didn’t have to go to work!
Q: What advice can you give to people who want to get into the information security field?
Just do it… but don’t think it’s the easy life. Working in infosec is hard! If you’re in it for the money then don’t bother applying… Oh, and if you think gathering CPE credits to maintain your certs might be an issue, then just stay in bed.
Too harsh? Sorry, life in infosec isn’t easy. There are a lot of easier-to-handle jobs than this and it’s best people go into this with their eyes wide open.
Q: What suggestions would you give to someone interested in becoming a penetration tester?
I may be ruffling some feathers here, but I’d say my first piece of advice would be, don’t do an ethical hacking degree! I’ve spoken to enough people who’ve been through the courses to know that you’re not going to come out the end as a penetration tester. Being a penetration tester is more about drawing on your years of experience as a network admin, developer, telecom expert,
Q: You’re involved in the PTES right? Can you tell us a little about that?
Yep, I’ve been involved with PTES since the start, although looking at the other names on the list I’m still not sure why. PTES, for those that don’t know yet, is the “Penetration Testing Execution Standard”. Although it’s only in its early stages, it’s already gaining a lot of momentum in certain parts of the industry. Talking about PTES is a whole interview in itself as it’s such a broad topic. So, to keep it brief, our goal with PTES is to design a common language for businesses and security service providers. This includes some pretty detailed information on what a penetration test really is, and what constitutes a penetration test. A lot of people throw the phrase around, but there’s a lot of confusion from both business and the security industry on what it really is. Quite a lot of the time you’re comparing apples to oranges when looking at penetration testing quotes. The hope is that we can form a standard set of activities so testers and businesses can speak the same language. If you want more information, head over to http://www.pentest-standard.org for a full breakdown of the goals and some alpha release information.
Q: How can people get a hold of you (e.g. blog, twitter, etc.)?
I’d like to say just whisper my name and I’ll find you, mostly because it sounds really mysterious… but I can’t. So I guess my blog (http://blog.c22.cc) and twitter (@ChrisJohnRiley) would be best. If you’ve got time on your hands and maybe insomnia, you can also listen to the Eurotrash Security podcast (http://www.eurotrashsecurity.eu / @eurotrashsec).
Other than that, I’ll probably be at every single security conference… because I need more free t-shirts!