Last time, I talked with Glenda Snodgrass. She’s a founder and the president of The Net Effect, a cybersecurity services company. This time, I had a fascinating discussion with Nitha Suresh. She taught me a bit about penetration testing and aircraft data networks.Kimberly Crawley: Hi Nitha! Tell me a bit about what you do.Nitha Suresh: I am currently working with Synopsys as a security consultant. I am a penetration testing consultant. My passion for cybersecurity dates back to the time when I started to break into TV locks and crack dial-up passwords as a child. I always had that analytical and investigative sort of mind. I would spend hours trying to figure out why something went wrong. After I graduated in information technology, I decided to give a shape and form to my passion. I started Googling topics that I’m interested in. That’s when I decided to do my Master’s in information security.While doing my Master’s, I published my first IEEE paper. Then I did an internship in a company where I was tasked to hack them. That became my first penetration testing engagement. In the past two and a half years, I’ve done pentesting and cyber maturity assessments, and I have managed security operations.I have published two IEEE papers so far. I’m researching security in aircraft data networks and also on streamlining social media intelligence gathering for optimizing crime investigation.KC: Aircraft data networks? How do they work? What do they entail?NS: Aircraft data networks were introduced as a concept in the ARINC 664 specification. They consist of the usual networking devices such as bridges, switches, routers, and hubs. Aircraft data networks are divided into four domains depending on the kind of data they process: passenger entertainment, passenger owned devices, airline information services, and aircraft control. Physical control systems are usually located in the aircraft control domain, which should be physically isolated from the passenger domains.However, this doesn’t always happen. If there is a physical path that connects both domains, there is potential for an attack. A lot of research has emerged on the security of aircraft networks. In recent research, the Panasonic in-flight entertainment system used by many major airlines was found to have multiple vulnerabilties that allow attackers to control what passengers see on their in-flight display. Vulnerabilities like SQL injection attacks and complete bypass of credit card checks were also revealed. There have also been studies on the vulnerabilities in the ADS-B signals in aircraft.KC: What are the subjects of your IEEE papers?NS: One was on introducing vulnerabilites in cloud computing into aircraft data networks. This paper highlights the security vulnerabilities in the cloud and in the VM migration process. It also highlights the methodology of cyber attacks the can exploit these vulnerabilities.My second IEEE paper is an integrated data exfiltration monitoring tool for a large organization with a highly confidential data source. This paper highlights detecting exfiltration by profiling traffic and applying correlation.KC: Given your research in cloud computing, do you agree with people in our industry who insist on always having some sort of local data backup?NS: Yes I do. Accessibility when the network is down is important. Other security concerns such as how well the data in transit and the data at rest are protected are also crucial. There needs to be protection against eavesdropping, electronic theft, physical theft, and any sort of glitches in hardware or software.KC: What are some of the biggest misconceptions about the work you do?NS: People don’t know that pentesting is unsafe; it can be intrusive and can have unexpected consequences. Another one is that pentesting can be conducted only via outsourced services. People don’t know they need experienced staff to conduct pentesting. Also, pentesting results can create more problems for IT security.KC: Do people actually think pentesting never causes damage to networks?NS: Yes, this is when the testing is carried out with necessary level of planning and due diligence. They can ensure that the exploits can be trusted to execute only a set of controlled actions and that they will not have any unexpected or residual effects on the assets being tested.KC: What would you say to a young girl who wanted to enter your field?NS: I would say that if you are passionate about this field, then you will never have to work, as the saying goes. It is important to explore the breadth of opportunities and how a career in cybersecurity can progress. I would suggest not to wait until you fall in to this field from other routes. Rather discover your passion, streamline your choice, and engineer your way into it. Finding a mentor is very important in this field. Mentoring can help you connect with various communities, get appropriate and timely guidance, and develop confidence to thrive in this profession.KC: Is there anything else you’d like to add before we go?NS: I have always felt that two issues that people fresh to information security face are having to have experience for the first job and a pervasive lack of mentoring in the industry. Especially in developing countries, it is difficult for women in cybersecurity to find mentors to discuss research topics, get good guidance, and progress on the right path. I am discussing with Cheryl Biswas on extending the support of the Diana Initiative to those of my friends who need support and encouragement.KC: Excellent. Thanks for speaking with me today.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.