What first attracted you to the world of Pentesting?
I’ve always been exposed to the basic concepts of IT security, watching the older guys in my town torrenting movies using a magical thing called a ‘VPN’ or cloning and cracking PC games - all that stuff. But I wasn’t really all that interested in ethical hacking until about three years ago; that’s when I realised how much information and documentation was available online for me to teach myself. Once I was confident with the basics I tried my hand on Vulnhub, a popular Capture-the-Flag site. It was there I had my epiphany: seeing first-hand just how easy SQL Injection was for regular people to use was kind of mind-blowing to me, to be honest.
The fact that simply modifying a query on a browser’s URL bar allowed them to retrieve information gave me the same adrenaline rush I get from snowboarding. In that precise moment, I knew exactly which path to take: a week later I called UCAS and cancelled all of my Software Engineering choices and enrolled on Cyber Security and Digital Forensics courses instead.
Tell us about what you do here.
As a Trainee I have one more year of Uni to complete, so in these few Summer months I’m totally focused on learning as much as I can, as quickly as I can, from anyone that has anything to teach me!
Shadowing Calum has really opened my eyes to the discipline needed to deliver high-quality pentests in the real world.
I’m learning a lot from Adam about how to approach a webapp test professionally, taking the client along with you so they know what to expect. Even simple things like applying OSINT methodologies or using common tools like BurpSuite in the real world - it’s all learning to me.
Outline a typical day.
- Wake up between 5-6am
- I like to build knowledge through experience. So I set myself 1-3 week projects to work on around work. Currently I’m building a raspberry cluster and learning how to modify a BIOS so I can change my laptop’s internal wifi adapter.
- Go to the office and fill up on coffee!
- Sit at my desk and practice what I’ve learned shadowing the team the day before until 8.30 when the team start to arrive.
- Keep learning as much as I can from Calum and the team
- Practicing what I’ve learned that day until 5-6pm
- [ -z "$bank_account" ] && ./beer || cd
- Dinner between 7-9pm (that’s if I am not too absorbed in whatever 1-3 week project I’m working on)
- Sleep around 11pm
What have you been working on mostly since joining OnSecurity?
I started closely shadowing Calum Boal, learning his good habits and how to be methodical: starting with an unauthenticated perspective (OSINT), before proceeding to authenticated. Being patient, looking for the most common vulnerabilities first before documenting actions and moving on - this discipline has probably been the most valuable lesson for me.
Once I had mastered the basics, I got to do my first supervised OSINT, followed by my first supervised web app penetration test. Having Adam QA all my findings so closely and then approve my report was a great feeling.
What are you most excited about in the coming months?
Everything basically! The sheer amount of new techniques I will get to learn in just a few months is amazing in itself. Taking part in my first infrastructure pen-test will be my next big milestone - I’m really excited to get started on that one!
Quick Q&A with Nicola
How would you describe your job to a child?
I work out how to break things in order to make them better.
Before OnSecurity what was the most unusual or interesting job you’ve ever had?
I’ve done a lot of different jobs to pursue my passion for IT Security. But working as a Chef at Glastonbury with two great friends was definitely the most rewarding, most interesting and one of the best experiences I have ever had. However... I cannot divulge any details as to what exactly made it so good. ;)
What’s your number 1 security tip?
Treat passwords like underwear:
- Have lots of them
- Change them often
- Don’t share them - not even with close friends or relatives!
What are your three most overused words/phrases?
- “We did everything wrong”. (My overly-dramatic way of saying: ‘We may have made a little mistake’)
- “One day I will sell my rig and my laptops and open an ice-cream shop!”
- “I cannot sleep knowing that <insert current challenge I’m facing here> is winning”
If your house was burning down, what’s the one non-living thing you would save?
The problem I would face is choosing between my laptops and my rig.
I’d simply ‘install’ my laptops as upgrades to my rig, creating a single ‘MegaRig’. Problem solved! 😀
Crying angrily at my laptop until it either:
Completely destroys everything
What’s your guilty pleasure?
Witnessing the moment a tow truck has to be rescued by another tow truck. Unfortunately it doesn’t happen very often, but when it does - it’s magical.
What popular quote do you hate?
“Java”. I am not sure it’s a quote exactly but I really do hate Java!
What’s your favourite noise?
The sound of my snow-board’s blade cutting into crisp snow. Especially when there aren’t any other noisy humans around.
What will finally break the internet?
If quantum computers get released onto the mass market before cryptosystems have had the chance to prepare, there could be real havoc. It’s terrifying to think of Quantum’s raw computational power in the hands of regular consumers.
Having said all that… I’m still really excited to get my hands on one!
What’s the most important thing you have learned in the last five years?
How to survive moving to a foreign country without:
A. Speaking the language fluently
C. Any particular skills
D. Resorting to breaking the law (though there were times it would have made life so much easier!)
If you could be anyone from any time period who would it be and why?
Me aged ten. I wouldn’t waste any time waiting to just bump into people that shared my interest in IT. Instead, I’d embrace Google, direct my own learning and find my tribe online. While I’m back in the past, I might as well invest in a little BitCoin too, right? :D
Surprisingly: I am not, in fact, naturally blue haired!
If you want to know more about what Nicola is getting up to, you can contact him at Nicola.Patres@onsecurity.co.uk or connect with him on LinkedIn.