Sunday, January 24, 2016

Vicente Aguilera: "I'm not in favour of hacker credentials"

Vicente Aguilera. Co-founder of Internet Security Auditors.

Vicente Aguilera is a classic of Spanish cybersecurity. He is co-founder of the Internet Security Auditors company, which celebrates its 15th anniversary this year. Founder of OWASP Spanish in 2005 and its president since then, Vicente is always there, with his enigmatic smile, the lucky possessor of an invaluable quality in his business: discretion.

From Catalonia (he was born in Badalona 42 years ago), Vicente is the exhausted but happy father of two angels aged 4 and 2. When he has time, which only happens a few times, we suppose, he works to improve his latest creation: Tinfoleak, a monitoring tool to geolocate Twitter users with more details and parameters.

- How did you get into this world?

- When I was 10 it was very clear to me that I wanted to dedicate myself to computing. I took an algorithm and programming course (back in 1983) and after that my father, making a big effort, bought me an Amstrad CPC 6128. Like a lot of people, I was shocked by the film WarGames.

- To create a company in 2001, you must have had firm knowledge about the topic... Where did you acquire it?

- You acquire the knowledge about the hacking world even before you know it. I remember the day that my son, only 3 years old, asked me if I wanted to play at searching for wifi with him. The best of all was that he knew which app he should use on my smartphone and how to use it!

My partners, like me, wanted to go deeper into these aspects and, to a greater or lesser degree, we all had some knowledge. In my case, I learnt to read and write before I was 5, and I remember I read all the books in my home. I also liked to create things, from a periscope to a handmade flashlight, or anything I could create with the materials I could find at that age.

Some years later, I read the few computing books I had at home and I bought the typical magazines with pages of hundreds of lines of code that you had to key into your computer if you wanted to use it. Many times, there were printing failures and you had to improvise and add the missing part by yourself. I also liked to adapt the code and to create my own games from the routines I saw implemented.

After high school (where I took computing classes with Bull Micral computers) and military service, I went to university, where I studied Computing engineering, as I had decided in elementary school. It was there that I had my first experience with the Internet, and I started to get into security aspects (not because this subject was taught at the university, but out of curiosity).

- How did you create Internet Security Auditors when there were practically no cybersecurity companies?

- Actually, it was a risky decision. Internet Security Auditors is a pioneer company in Spain in our sector. But the credit isn't only mine but also my partners' and their capabilities. For my part, at that time I was working in a consulting firm where I managed a team of 10 people and I felt valued. It was a comfortable position. However, the non-conformity that comes with youth makes you take a step forward and I decided to venture into the creation of a cybersecurity company where we offered services that we didn't know how they were going to be received in the market, because practically nobody was offering them in Spain. We assumed the risk and personally I don't regret it.

- A lot of people have trained with you, you sponsor the NocONName... Is it a good thing, from the business point of view, to be an active part of the community?

- It's a feature which defines us and distinguishes us from other companies. As the Jargon File records, I think there exists an ethical duty among hackers to share their experience, boosting open code and facilitating access to information. Also, from my point of view, clients generally also value positively your level of involvement in the community.

From our beginnings we have always tried to contribute, to a greater or lesser degree, to the community which also feeds us. We collaborate with ISECOM in projects like OSSTMM or the Hacker Highschool, ISSAF (Information Systems Security Assessment Frameworks) of OISSG, Threat Classifications of WASC (Web Application Security Consortium) and, of course, in different projects of OWASP (Open Web Application Security Project). In recent years, we have also participated in different SIGs (Special Interest Groups) of PCI SSC, and in work groups of the Cybersecurity Industrial Center.

We also recently had an active collaboration in the Innovation E-Commerce Payment Methods White Book, where we wrote the chapter dedicated to Security in Card Payments. We also publish articles and vulnerabilities, we keep our blog alive and we participate in the sector's conventions. We have attended the NocONName since its first edition in Mallorca and we still keep going. For a few years we were touring around Spain to participate in the Hackmeetings, and we haven't stopped collaborating with the community, as far as possible.

- Is the cybersecurity business growing as much as they say?

- It's true that cybersecurity professionals are very coveted and, depending on their experience, are really well paid. However, they suffer fluctuations. In our country we are very far from the situation in the USA or Switzerland. Internet Security Auditors is a particular case because the capital of the company is 100% private. Our growth has not been affected by fictitious enlargements caused by punctual investments; rather, we have had organic growth, slow but constant. We can't complain, seeing the situation of this world. Currently we have offices in Barcelona, Madrid and Bogota and we hope to grow in Latin America.

- Which are the most popular services?

- Talking about hacking, the classic pentests, applications and training audits. However, we are also recognized in the definition and implantation of SSDLC (Secure Software Development Life Cycle). And now, we are seeing a strong demand for our cyberintelligence services.

Talking about consulting, our services are related to PCI (Payment Card Industry), like the implementation and adaptation of PCI DSS or PA-DSS. We were pioneers in the execution of this kind of service in Spain and, nowadays, we are the reference company in this field.

- There is talk about creating a regulation to give something like "hacker credentials", to authorize companies and individuals to operate in this field. What do you think?

- We should know what's in the small print and what it involves. Now, I'm not in favour of the concession of hacker credentials.

- I saw on your LinkedIn that you won a "bug bounty". Is it a good measure to secure the network?

- It gives good results, no doubt. The fact that more and more companies include these programs is good proof of it. But the "bug bounties" are not free of controversy. In some cases, these programs aren't well defined and their control is pretty bad. On the other hand, when you report a vulnerability and another researcher has reported it previously, how can you be sure it is that way? There are so many cases when it seems too much of a coincidence that your vulnerability, which is still exploitable, had already been identified and the manufacturer was working on it, and also that its correction takes place a few days after your notification.

- When we ask experts about the landscape of growing insecurity shown in the media, most of them say that it isn't so serious. What do you think?

- I agree. The security level has improved a lot compared to a few years ago. More evaluations are made by the personnel of the companies and by the companies which we offer the security services to, and there exists a legal framework which, without being perfect, helps to keep a security culture.

However, it's a long way to the top. We are still identifying vulnerabilities known many years ago, and the developers are still one of the main problems (ask Target, JPMorgan Chase, TalkTalk or many others). The greater interconnection of devices and the appearance of new technologies also encourage the insecurity environment we seem to be suffering.

- A casino sues a security company, Trustwave, because it didn't erase a malware installed on their network. Do you think it is correct?

- It's something that can happen and there's some regulation to define roles and responsibilities. For example, in case a company suffers an intrusion through an audited system, if the intrusion is due to negligence in the updates made by the provider, it's the provider's responsibility.

- Who would you punish: the person who entered a corporate network through a hole, or the corporation with this hole?

- It depends on the security measures implemented by the company which suffers the intrusion and the motive of the person who exploits the vulnerability. By default, unless the intruder exploits the vulnerability(-ies) with malicious purposes, if he only reports the problem in a responsible way to the company affected I don't see reasons to denounce him. Even more, I think the company should be grateful. On the other hand, for example, if a company which manages sensitive data doesn't adopt the required security measures, I understand it can/should be denounced. And if someone exploits it with malicious purposes, he should be denounced in the same way.

Text: Mercè Molist
