AusCERT2020 interview with Chris Gatford

AusCERT2020 interview with Chris Gatford

AusCERT2020 Conference Interview: Chris Gatford from Hacktive.io

Leading up to the AusCERT2020 conference, we sat down with Chris Gatford from Hacktive.io about his involvement in the conference and the recent work he has done for the SBS.

Tell us about your professional career?

I was the type of kid that would take my toys apart and put them back together with less parts, and then terrorise my sister. Looking back, I would like to think that this was the start of my hacking passion. I think it’s important to remember that hacking is not just about breaking into computer systems. It’s a way of thinking, and a method for approaching problems such as out-of-the-box thinking and solving problems by doing things differently.

I was introduced to the IT industry as a child and after creating my own computer out of a cardboard box and motherboard, I soon realised I had a knack for this. After school, I completed a business computing degree and became a system administrator. I was responsible for looking after computer networks and had to draw on out-of-the-box thinking whenever an issue arose. During this role, my interest in security began to grow.

After several years, I eventually jumped into The Big Four and got involved in IT consulting and testing computer security.

You are the founder and Director of Hacktive.io, what does your company do?

Hacktive.io is actually my second business. My first business venture was founded in 2008 and I sold it soon after. I learnt a lot from this experience and started my second business Hacktive.io. At Hacktive.io, we engage with organisations across the world and test their physical security and computer/network security. We focus on helping our clients understand the security vulnerabilities of their networks, applications, premises, and their people.

Can you expand further on social engineering tests and how these tests are completed? 

Often a customer will approach Hacktive.io and request that their company’s environment (a building or third party site) get tested. Firstly, we obviously get permission from the company. Then we will conduct the social engineering tests on the physical environment, the people/employees of the company, and their IT department.

Following the social engineering test, we teach the company how they can better defend themselves against hackers. More so now, than ever before, individuals and employees are getting targeted by hackers. We equip businesses with common and useful tools that are available to everyone.

What made you want to be a part of the AusCERT2020 Conference?

I have been a long believer and supporter of AusCERT, and have attended every conference since 2003. The fact that it’s the oldest IT security conference, and it’s still going strong after all these years, is a huge testament to the company. To be among so many professionals who share information on staying secure is a huge honour.

Can you tell us more about the tutorial you ran at the conference? 

My tutorial was on “How to build a security awareness training program” and demonstrated how Hacktive had infiltrated and extracted sensitive information from organisations, and the mechanics involved in an attack. I discussed how to reverse the process and understand the mechanisms involved in breaking into the organisation. I am also a strong believer in computer-based training, while also reflecting on how to excite and energise a workforce to be interested in computer security again.

You were recently interviewed on SBS, can you tell us more about this? 

I was very lucky to have the SBS team alongside a Red Teaming Pen Test. SBS was able to capture the reasons behind our testing and record us walking away with a company’s equipment. We were able to show how easy it was to use a company’s own devices to hack back into their network.
 

What do you see as some of the biggest cyber threats in today’s society?

The first cyber threat that comes to mind is that information security is hard, and breaking into systems can be a very easy job. However, it is really difficult to build systems, maintain them and in the long-term keep them secure. So it’s critical to have the right tools in place to monitor security, because ultimately ransomware is still an effective attacker.

The second cyber threat that comes to mind is invoice fraud. I often hear instances of ‘customers’ pretending to change their bank account details and then the invoices are getting paid out to the wrong bank account. The financial fraud impact on business is massive and businesses must recognise that fraud is still alive and well.