Robert Willis is an infosec professional and ethical hacker currently associated with Sakura Samurai, a security research group. Robert has been an ethical hacker for several years and previously worked at Threatcare, a pioneer in the cyberattack simulation industry.
Robert has been featured in numerous books in the Tribe of Hackers series and has actively attended several Hackercons in the United States. He has also presented as a speaker at multiple cons and creates comic books and music as a hobby.
Robert currently works at a large undisclosed organization based in the Washington, DC area. You can reach out to him on Twitter at @rej_ex.
Question 1: The term “hacking” is often associated with negative criticism partly because of its evil depiction in movies. How do you shun hacking requests from illegitimate persons?
Robert: It’s usually very easy after being approached for a hacking job to realize if it’s legal/legitimate or not. Organizations want to test their own assets, so if the person who approached you cannot be verified as an active employee in a role that would seek out testing, then that’s an immediate red flag. Prior to starting an engagement, the scope of it is always put together; you can easily see if targets are added from outside of the organization. As a security professional you know that there are legal rules you have to abide by and you can identify issues with the scope prior to the engagement if it doesn’t look legitimate.
Most of the time when there is an illegitimate person approaching you for testing/hacking purposes it doesn’t go as far as them attempting to socially engineer you; they are usually up front about wanting to break into something they shouldn’t and split the money with you. I get random requests like this and I just ignore them.
Question 2: Penetration testing and bug bounty hunting are part of hacking. Should companies outsource their digital security or employ in-house personnel for patching vulnerabilities?
Robert: It is common practice to have testers identify the vulnerabilities and provide information on what needs to be done for remediations. When it comes to actually fixing the issues it’s done by the organization’s internal employees (their developers, system admins)—not the testers. One thing worth mentioning though is that malicious attackers can break into a system and create a backdoor, then patch the system afterwards to make sure no other hackers get in—although this isn’t done on professional engagements with an organization.
There are some organizations that use managed service providers who handle their security, so this is an option as well; it just depends on what the organization currently has in place for fixing vulnerabilities.
Question 3: Ethical hackers are hard to come by. How can an organization ensure its security discoveries will remain confidential and not land in the wrong hands?
Robert: If someone outside of the security field is worried that vulnerabilities found won’t remain confidential, then they are not realizing that if it’s a public-facing asset, any malicious actor could find the same vulnerabilities, especially if they fall under the category of “low hanging fruit.” Organizations shouldn’t be worried about their vulnerabilities after a test if they fix them, because then there wouldn’t be any.
As far as security vulnerabilities remaining confidential after the testing and patching—it is put in a contract with the testing company through non-disclosure agreements. When a large organization sees their previous vulnerabilities in the news, I never see the source being from a penetration testing company they hired. Public disclosures are done when the issues were found through bug bounties, vulnerability disclosure programs, or just random researchers that may have stumbled upon them if the organization had poor security practices.
Question 4: Data breaches cost billions in damages and require painstaking effort to recover. What advice would you give to companies to not fall victim to a hack?
Robert: Nothing is totally secure; everyone in security is working to increase an organization’s maturity to stop potential attacks proactively. This is through having a security program and setting up, monitoring, and testing various controls while having good defense-in-depth (among other things). When there are data breaches I think it’s important to look at how it happened, and if the organization can show proof that they were abiding by best practices and took their security seriously, they shouldn’t be shunned. Many times breaches are done through third parties, and although the organization was affected, the issue may have been part of accepted risk with the partner. This is why it is common practice now for organizations to verify that all third parties and partners have a security program in place. If companies cannot provide information on their current security controls and maturity, then they may not be able to seal business deals. This is the number one reason why I see companies being very engaged in growing their security maturity—for business enablement purposes.
Question 5: Hacking can be cool at first, but as you dive deeper, it reveals gruesome details. How do you cope with uncomfortable elements of the job and carry on forward?
Robert: I think staying up-to-date and constantly training can be very draining, yet it’s an unfortunate part of the job. You may enjoy it at the beginning, but after years you start to think “when is this going to end?” Even the most passionate hackers will eventually have their physical and mental health affected if they don’t take care of themselves. It’s very easy to get burned out. Due to the constant learning there are also many professionals who suffer from imposter syndrome, even when working in the field for many years. The amount of learning never ends and nobody can know everything, so sometimes this makes you lose focus on all that you know and instead causes you to focus on all that you don’t know. Mental health issues are rampant among practitioners in the security industry, and much of it has to do with the hard work ethic they put on themselves and the unfortunate, unrealistic asks that people at organizations (outside of security) require of them.
As far as working on engagements and seeing how so many things are not secure—it can be scary when you’re dealing with industrial control systems. After a while when you find yourself working on an engagement with an organization that is very secure with a great security program you get shocked because it is much more rare than people think.
Question 6: In recent years, cybersecurity tools have exploded. Are online privacy and security tools enough to keep a user’s online activities anonymous?
Robert: Nothing is totally secure. There are even many vulnerabilities with privacy applications that come out—nothing is immune to vulnerabilities. There are controls that can be put in place to make it very hard for an individual to spy on you, and honestly, unless someone is targeted by a nation-state or an elite hacker I think most people have nothing to worry about. As far as basic things, using a VPN (Note: this article is for PureVPN, so I should at least speak to a VPN) should be a standard practice for everyone.
Question 7: Detecting and reporting vulnerabilities can be exhausting. How do you take a break from such a challenging role?
Robert: I have learned to have a work/life balance. It’s important for me to get away from the computer. To maintain my physical health, I make sure to eat healthy and exercise. For my mental health, I use different outlets like creating comic books and writing music. It’s important to have hobbies outside of hacking, even if you need to force yourself to.
Question 8: Other than hacking, what comic books are you currently working on?
Robert: My comic book company, Afterlife Comics, recently put out a few titles that are of the cyberpunk genre. I also have been putting together some horror titles that are very Lovecraftian. I am also releasing a record soon of my music; the band is called ‘Outlive’ and plays a metal/hardcore style of music.
Thank you, Robert, for the insightful interview; our readers will surely find this helpful. Due to increasing online threats and the severity of attacks, cybersecurity is in a tricky situation. PureVPN is ever trying to create awareness among the masses and work for a secure online world. It is individuals like Robert Willis, equipped with their ethical hacking expertise, who give hope to the cybersecurity industry.
The cybersecurity industry is predicted to become a $170 billion market and it’s no secret that more and more manpower is needed to combat growing online threats.
Keep following our blog for all the latest cybersecurity happenings, and if you wish to follow Robert, you can find him on Twitter.