23 May 2024

Meet the pen testers: Tiago Carvalho

Claranet provides more than 10,000 days of penetration testing to our customers every year. Our penetration testers are internationally acclaimed professionals, many of whom have turned their passion for hacking into their job. Many of our pentesters deliver our public training courses throughout the year, and at Black Hat conventions. Real-life examples of attacker tradecraft that they encounter in the wild help inform and regularly update our training syllabuses. In this interview, we’ll be getting to know Tiago Alexandre Carvalho, Technical Security Trainer and Penetration Tester with Claranet Cyber Security.

How did you come to Claranet?

I was looking for a change: a place where I could build on the experience I’d gained over a while in a previous company, with challenging work, skilled colleagues, and appreciation for the value I brought. I reached out to a few friends and colleagues. Through them, my resume ended up in the hands of one of NotSoSecure's colleagues.

In the interview, the way the operations were described and the type of work resonated with me. And here I am.

What was the first moment you knew you wanted to work with cybersecurity?

I don't think I have one moment where I "found" the calling. I always wanted to do something related to computers and programming. I found cybersecurity in my teen years; back then, cybersecurity was nothing compared to what it is today. There was a lot of Free Kevin. I got curious and read a lot about anything I could get my hands on, basically. In the end, I started my career in IT operations, then Java programming for eight years. One day I just decided to make the change.

There’s one episode that triggered this change. In my last three years as a developer, I was invited to be the "head" of the Java development team, around 240 Java developers, in a Portuguese consulting company, where I shared responsibilities with another colleague. I was in charge of anything technical – preparing frameworks, architectures, and dealing with any technical delivery issues such as security fixes.

In one of those adventures, I was working on the middleware for Barclays, and one of my persistent issues was around quality, secure code, and the lack of senior developers. I was ignored until one day an auditor found a way to bypass the two-factor authentication. When that meeting ended, I was called aside and told "we want this fixed. Just tell us what you need." I knew that problem existed, but I was handling around 10 projects at the same time. I had no way to get my hands on it and fix it.

After that day, I realised my experience could make a difference if I switched to cybersecurity. So, I signed up for OSCP certification and embraced a new adventure.

What is your reputation?

This is a difficult question. I really don't know. I hope people enjoy my work as much as I enjoy doing it.

What is your biggest challenge?

Balance. It impacts many things:

  • The right balance between technical information and nontechnical communication to make your point understood.
  • The right balance between your personal and professional life.
  • The right balance between when to stop researching and when to actually start using it.
  • When to keep researching and when to consider something good enough to publish.

What do you see as the biggest security challenge for organisations?

In this field, we like to think of things in binary: safe or unsafe. Over time we came up with many, many strategies, products, and philosophies.

The main issues are around communication. The way one interprets the information one reads may lead to a lot of dangerous choices, mostly due to the lack of clarity or lack of knowledge. It's easy to see examples of security issues where the description is so vague that one is left wondering how the CVSS score was made.

Then we have the human factor and the fact that we are all trying to do work. Most of the time, restrictions may generate issues in productivity or security. If an external consultant using his laptop encrypted with solution X wants to share something with an internal employee that has another [encryption solution], they find themselves in a ridiculous situation, one I usually call “usable security”. No-one in his right mind expects those individuals to wait for someone to come up with a solution when they can solve it in a few minutes; so, they just put it in a filesharing service somewhere.

The way I see it, challenges arise in areas such as:

  • Integration: when things are not integrated, there will always be roadblocks that create the need for an alternative solution.
  • Senior staff / training / cost: these are usually related because the first thing I see suffering when costs are taken into consideration is cuts on training budgets. This does have a direct effect on skills and the creation of value-generating senior staff. Without it, everything topples like a house of cards.
  • Documentation: lack of clear and objective documentation creates environments where every item is set up and managed differently.
  • Clarity: the fear of intrusion drives things to an extreme where, many times, things are obfuscated or vaguely described for fear that something might be misused. It’s clear by now that this doesn't work very well.
  • Popularity: from time to time, there comes a "THING", and all we listen and read about is the "THING". You can replace that with anything – AI, SIEM, IDS, IPS – this field tends to focus too much on the tooling and not on understanding the problem.

What is your life motto?

I don't know if I have one. I’m really stubborn, so I guess I could say "don't give up."

What is your biggest mistake?

Not realising that I could have made it into cybersecurity sooner.

What will you be doing in 5 years?

My plan is to keep improving myself by acquiring new skills and sharing my experience with others. One thing I found out since I joined was that sharing knowledge is incredibly gratifying. Not as much as getting a shell, but gratifying. I’m not ready to drop my techie side just yet.

For more information on how penetration testing can help you uncover security vulnerabilities, or how NotSoSecure training courses can help build the security skills that you need in-house, speak to a Cybersecurity expert today.