Staying ahead of hackers requires knowing about the vulnerabilities that are available for them to exploit. And that’s why security professional Andrew McNicol spends part of each work day playing the bad guy.
“On any given day I'm trying to hack one or two websites, trying to brute force passwords, enumerate information disclosure via Open Source Intelligence (OSINT) gathering, and leverage both manual and automated testing techniques to enumerate exploitable vulnerabilities -- it's pretty fun,” says McNicol, who works for a contracting firm that provides information security support for the Department of Defense (DoD).
A self-described “security geek” who is “addicted to learning” and likes sharing his knowledge with others, McNicol also co-produces Primal Security, a blog and podcast that offers tutorials and news about the information security field. Web applications, security testing, exploit development and Python are among his core interests.
“I really like trying to figure out how vulnerabilities in technology work and write my own exploits,” McNicol says. “When I walk through those steps manually, I have a much better understanding of how the exploits work.”
“A lot of people that do this type of work only leverage automated tools that include package exploits for you – all you have to do is hit the enter button,” he says. “That's important from a business perspective, since it saves time. You can't have everyone go write their own exploit for every assessment; you'd be there for months. But I find it is very fulfilling to take a step back and understand how it works and recreate it myself with my own little tool; I come away with a much better understanding of how to break into stuff.”
Closing the awareness gap
Such hands-on familiarity has not only helped McNicol stay ahead of the latest hacks and exploits, but has also made him keenly alert to the relatively low level of public awareness concerning information security risks. Few users of mobile phone apps, he says, think about the potential vulnerabilities.
As a case in point, McNicol cites an Instagram app that was sending unencrypted user credentials and session information.
“These are the kinds of things you, the end user, don't think about when you grab your phone and upload photos to Instagram,” he says. “There is all this information flying about the phone right now, and you don’t think about it. But whatever application you’re using, it’s communicating with something, and it’s more than likely it could expose your phone or information to unnecessary risk. Mobile applications are booming, and they're driven more by the business demand than by the security demand, so we’re going to continue to see such issues.”
McNicol says he himself chose the information security field after a friend demonstrated how easily a computer could be hacked.
“He said ‘come here, I’m going to show you something real quick’. He had figured out a pretty cool hack, and he completely took over the machine. Watching him, I knew this was what I wanted to do – it made me see technology from a different angle.”
The Information Assurance program at Capitol College helped McNicol turn his newfound interest into solid expertise. He graduated in 2013 with a master’s degree, and says the college’s approach to education was a good fit.
“One thing I liked is that there were a lot of hands-on labs, as opposed to just writing papers. I found that, as a deliverable, to be much better given the technical nature of the subject matter.”
When not devising new exploits or “geeking out” with his co-producers at Primal Security, McNicol enjoys outdoor activities such as hiking, camping and mountain biking.
“Every once in a while, I need to get away from all technology and do a kind of reset. Maybe one day I'll be out there on a mountain with a computer. But not yet,” he says.