Behind the Screens: Inside the Mind of a Hacker


Have you ever played Battleship? If not, it's a board game where you place ships of different sizes on a grid and your opponent does the same. On each turn you call out a point on the opponent's grid to attack and, hopefully, hit a ship. You can't see the other side of the board, so the guessing game of narrowing down where the ships are and sinking them before yours go down becomes complex pretty quickly. Defending yourself against attackers on the internet is much the same: you don't see them or know their next move, and too often we just hope we don't get hit. The phrase "Know your enemy. Know yourself." was popularized by Sun Tzu's The Art of War. To understand an opponent's perspective we have to think like the opponent. Peter Nelson, a security leader right here in North Carolina, has mastered the art of thinking like a hacker. His path into cybersecurity offers a rare glimpse into the mindset of an attacker and the lessons every organization and individual can draw from it. Join me (MM) and Peter (PN) as we discuss the mindset of those behind the screens.

Origin Story into Cybersecurity

MM: All right! Peter, thanks for being here. I'm excited to chat with you about Stern Security and what you do. To kick things off, tell us about yourself and your role at Stern Security.

PN: Yeah, absolutely! So I’m Peter Nelson, Chief Information Security Officer here at Stern Security. I originally got started in cybersecurity indirectly. You know, growing up as a kid, I was fascinated with emerging technology and the internet. In my professional career, I worked different non-IT jobs, but I always had the mindset of ‘You know, this is a security issue.’

At one point, I was working in a financial institution on the retail banking side and kept pointing out security issues to auditors. Eventually, they came to me asking how I was finding these problems, and I realized I needed to move into IT. My first role was as a system administrator for another financial institution, which also had its own internal security group. When a position opened there, I joined and worked there for a few years.

Later, I moved to a large regional hospital, which was a huge jump, from protecting about 1,000 endpoints to 20,000, so I got a lot of experience in network testing, red team exercises, and application testing. While I was working there, I found multiple zero-day vulnerabilities for vendors and would disclose those before the products went into our production environment.

During that time, I also started doing contract work for Stern Security after hours. Then the business grew to the point where I could join full-time. Jon and I continued to grow the business, hired more people, and with the help of our amazing team, we've built Stern Security into what it is today.

Exploits and Technology Left in the Shadows

MM: Wow! That is awesome and such a cool backstory. You mentioned penetration testing, which is the big focus of today. I want to go into the mind of a penetration tester. What is that? What does that mindset look like when approaching businesses?

PN: Working on cybersecurity blue teams with organizations gives you an understanding of how systems are configured, how network protocols operate, how patching goes or doesn’t go, and where common configuration issues exist that organizations may not be familiar with. It’s really understanding the environment that you’re operating in and having the most coverage possible.

We've developed internally based testing methodologies for discovering common misconfiguration issues. Then we have methodologies for more complex attack chains where you have to know how to think like an attacker. You really have to understand how exploits work, how attack chains come together, and know that gaining one privilege doesn't mean that's the end. It's 'What else can you do with that privilege now that you have it?'

If you compromise a system, can you grab more credentials or is there sensitive data on that system? You really have to explore, within the Rules of Engagement of course, everything you can and get the most coverage from your client. 

MM: Awesome. Since you've had that experience working with businesses, I'm interested in this question: What are some of the most common mistakes you see businesses make, those low-hanging fruit vulnerabilities? Like one of those you see again and again.

PN: I would go back to default vendor configurations. Companies aren't doing their due diligence and project management when implementing new products in the environment. A lot of times we find default configurations and default passwords or elevated privileged accounts that never get changed. Those are easily compromised by somebody who gets on the network. We have an entire default password list that we've curated over the years, with close to a hundred sets of credentials, that we run against their Active Directory and usually get some sort of hit.

Then there are unmanaged systems. Admins use them for testing and leave admin credentials on them. Others include forgotten systems, unpatched systems, and not maintaining endpoint protection. We've found numerous organizations that have endpoint protection, but it's either outdated or no longer used.

MM: That's surprising, especially when something's outdated. Now, whether for businesses or individuals, what's one online habit you always recommend? It could even be one you bring up in everyday conversations.

PN: Internally, I would say Shadow IT is a big one. Employees go out and sign up for or download services that aren't approved and don't require admin rights to install. Finding their own solutions to stuff leaves big gaps in security.

I was working at an organization and we got a call from an employee who was using a piece of software. It was just a standalone executable for a very specific purpose. It turned out to be adware. So it's really about educating users on sticking to approved services or applications when they're out on the internet, and following the proper channels for getting stuff approved.

Impacts of Artificial Intelligence (AI)

MM: That makes sense. I'm sure I've done that in the past, and I have seen people even download games on their work computers. So you probably hear the word AI every day. While some don't even really know what it means, it's happening and we're in it now. How does that impact what you do? Does it help?

PN: Yeah, businesses need to be cautious with AI services, especially free versions that may use your data to train their models. For example, Gemini is now integrated into Google services. How does that affect the files you're keeping in there?

I would recommend organizations look into enterprise or team-level accounts that guarantee data won’t be used for training. These accounts also give administrators visibility into how employees are using the tools.

Some newer AI models also allow you to turn off memory so conversations aren’t stored. That kind of control is important for keeping sensitive data safe.

How Stern Security “Secures the Planet”

MM: I didn't know that! I'm definitely going to research that after this. Okay, last thing then. Before we wrap up, is there anything you'd like to share about Stern Security and the services you provide?

PN: Yeah, absolutely. So Stern Security covers a lot of different service areas. I primarily manage the penetration testing services, such as network penetration testing, web application, mobile, IoT, wireless, and physical security, and we also have virtual CISO services and cybersecurity consulting.

Then we also have the Velocity product, which is our SaaS product for measuring internal and third-party cybersecurity risk and provides insights and risk quantification. It turns your risks into a numerical value of what it will cost the organization to fix and which priorities they should focus on, with insights on ROI. Customers can also manage their vendors with Velocity. After adding vendors, our team will verify the assessment for the organization. They just need to put in the vendor's contact information. It offloads all of that from our customer and we take care of all of it.

Signing off…

Peering behind the screens with Peter revealed that hacking is about patience, creativity, and knowing where the cracks usually form: default vendor credentials that were never changed, forgotten or unmanaged systems, endpoint protection that quietly lapsed, and tools employees adopt outside approved channels. Peter's insights highlight the real challenges companies face every day. What we must do is stay diligent in practicing secure habits and be inquisitive about the tools we use. Use strong, unique passwords along with multifactor authentication (MFA), change default credentials before a product reaches production, know the security around the tools you use (including how an AI service handles your data), and don't allow your IT assets to sit in the shadows. And good luck in your next game of Battleship!

Thank you to Peter Nelson and Stern Security for sharing their expertise. Follow the guidance of an elite security team on the mission to secure the planet at:

https://www.sternsecurity.com/blog/stay-safe-online/

A special thanks to odibagas for the amazing artwork. If you're interested in getting any cool designs like the one for this article, you can reach out via:

https://99designs.com/profiles/2589930