Hackers as Teachers

One of my favorite SNL sketches involved Jimmy Fallon as Your Company’s Computer Guy. The character, written in 2001, was that annoying IT guy who asks you a tech question and then rolls his eyes at your stupid answer. Fallon: “Click on your toolbar.” Worker: “Where is that?” Fallon: “On your control strip.” Worker: “Where is that?” Fallon: “Move!!” (By the way, the real stars of that sketch - other than Billy Bob Thornton - were the roundish iMac G3s shown in classic fruity colors.).

We laugh at this SNL sketch because the IT-guy stereotype, sadly, is all too true. The personal skills required to understand computing technology are three galaxies removed from the empathy and patience required to assist beginners and students. And this is nowhere more evident than in cyber security. I mean, let’s face it: Expert hackers can be real jerks. (Just try checking into DEFCON in business casual slacks with a nice blazer, and you’ll see what I mean.)

So, it was so refreshing to spend time last week learning more about UK-based NotSoSecure, a unique cyber security penetration testing and training organization, and subsidiary of the Claranet Group. NotSoSecure appears to break all rules regarding the techie stereotypes just described. Todd Salmon, Executive Vice President of the Company, was my tour guide to the company, and he introduced me to their penetration testing and security training offerings.

“Our penetration testers include some of the most capable and experienced experts in the world,” Salmon explained. “They spend their time working with our enterprise clients to identify critical cyber security vulnerabilities. But they also spend a great portion of their time working with and educating students on the skills of penetration testing. The goal is to help them either break into the field or hone their existing test methods.”

As you might expect, like any penetration testing house, NotSoSecure will only be as good as their team, methodology, and tools, and in each case, the company has a great story. “We have about seventy experienced, world-class experts who support our penetration testing engagements,” Salmon said. I spent some time reviewing the names and backgrounds of the team – and his assessment is correct: This is a heck of a capable test team.

Specific offerings include web application testing using a combination of manual and automated methods; mobile application testing to validate proper coding and protection of data; infrastructure testing with emphasis on identifying vulnerabilities as entry points; and social engineering assessments including phishing, baiting and impersonation. NotSoSecure also supports Red Team exercises to ensure optimal focus on risk reductions.

What’s truly unique about the company, however, is their commitment to education. Most team members spend a meaningful portion of their time teaching classes that are hands-on and super technical. A recent four-day offering, for example, covered Windows enumeration and persistence, NFS attacks, Docker exploitation, Applocker bypass, Active Directory delegation, lateral movement, and so on. This is highly technical course material. Detailed. Interesting.

Now, anyone who reads this column understands my own commitment to education, so I can’t help but gush about experts spending time in front of a classroom. Founded by recognized industry veterans, Dan Haagman and Sid Siddharth, the NotSoSecure team is connected by a heartfelt love for technology, hacking, and teaching. Combine this with the advanced skills, experience, and insights of the White Hat – and you have a winning combination.

So, if you need penetration testing – or if you want to hone your skills as a penetration tester, then this is the company for you. I can’t promise that they won’t make fun of a dumb question (as Jimmy Fallon might in a spin-off sketch called Your Company’s Penetration Testing Guy). But I can assure you with 100% certainty that if you spend time with the NotSoSecure team, you will learn something useful. And technical. And interesting.

As always, share with all of us what you do learn.