My Cyber Pathway: Senior Security Consultant

Could you provide an overview of your current role?

I am a Senior Security Consultant specialising in code review, reverse engineering, and hardware security. My role involves several key responsibilities:

Code Review: I receive source code from clients, analyse it to identify security vulnerabilities, and provide detailed recommendations on how to fix these issues.

Reverse Engineering: Also known as analysing native apps, I work with compiled binaries, I rip it open, make my own code from it, tell them where it’s not so great and tell them possible ways to fit it.

Hardware Security: This involves working with physical devices to uncover and address security flaws. For example, at a previous job, I worked on a project involving e-scooters for which.co.uk, where we identified and exploited vulnerabilities to exceed speed limits and all sorts of other fun things!

How long have you been in the industry and specifically consultancy?

I started working professionally in the cyberspace in 2017 or so, not counting internships. About two or three years later, I began my career in consultancy at NCC, where I was involved in projects like the E-scooter stuff. About 7 months ago I changed again to my current role.

What steps did you take to transition into the field of cyber security consultancy from your previous background?

So basically, it was more about who you know rather than what you know when transitioning from general cyber roles to a full security focus. Even getting into the cybersecurity field initially was based on connections rather than just my knowledge base. While my knowledge base was important and something I demonstrated during my interviews, it was the relationships I had built that helped open the doors to new opportunities.

Were there any specific certifications or training programs that you found particularly valuable for developing your skills?

So when I was starting out, I didn’t really pursue certifications. Instead, I learned a lot from YouTube channels like Hak5 and by dabbling in hands-on activities. For example, platforms like Hack The Box and TryHackMe were incredibly useful. There was also an old website called Security Override, which was great but no longer exists.

I also gained a lot from setting up my own projects. I went to university for networking, but I was a bad student. I was nicknamed “Minecraft Boy” because I often skipped classes to play Minecraft. However, setting up a Minecraft server taught me more about networking than my classes did. For example, during one test, despite not attending classes, I scored 100% because I had learned so much from my hands-on experience.

This approach taught me about network configuration, insolation, ports, and more. Additionally, trying to mod games helped me learn about reverse engineering and coding. Applying these skills to something I enjoyed made the learning process much more effective.

What are some of the key skills you believe are essential for a successful career in cyber security?

Networking. Like BSides, 2600s, that sort of thing. Networking and community involvement are crucial. Every position I’ve had has been because I knew someone at the company or someone who was being interviewed and thought I would also be a great fit. It’s never been about just applying cold. I’ve always had some prior knowledge or connection with the place. I decided to join my current company because I had attended their hardware opening event before officially joining. I went to network with them and get a feel for the company. I like to get to know companies through people I already know before applying because then you know, are you going to be a good fit? Are you going to like it and then they know you a bit more and go, you seem cool. You’ll fit with us and you’re probably knowledgeable enough.

How do you stay up-to-date with the latest developments and cyber threats?

Often, it’s through word of mouth within my general network. If something big happens, you’ll hear about it. There are also resources like Security Queens, created by great friends of mine. Additionally, YouTube is a valuable tool—many times, it provides deep dives into the latest developments and cyber threats.

In your opinion, what are some of the most pressing cyber threats that organisations are facing today?

As you know, cybersecurity is like a war on many fronts. There are threats in code, networking, and even insider threats. One threat that affects all of these areas is burnout. It might seem unrelated at first, but burnout can significantly impact cybersecurity vulnerabilities.

For example, consider the XZ vulnerability that occurred a few months ago. XZ is a widely used compression utility, maintained by one person. A threat actor worked over several years to increase the maintainer’s burnout. They managed to place themselves as another primary maintainer and inserted a backdoor into the utility. This backdoor was later detected by Microsoft due to a slight delay in an SSH connection.

There’s a great YouTube video titled “What Everyone Missed About the Linux Hack” by Theo – T3.GG, which explains this incident in detail. The threat actor used multiple profiles to submit patches and pressured the original maintainer to accept them. When the genuine maintainer was going through hard times, the attacker exploited this vulnerability.

Burnout can also impact the timely application of patches and even lead to insider threats if employees feel undervalued. The insidious part is that burnout can often go unrecognised until it spirals out of control. This shows how deeply human factors can influence cybersecurity risks.

What advice would you give to someone who is considering a career path in pen-testing?

If you wanted to do networking but not code, I would still recommend learning a bit of programming. I suggest starting with an easy language like Python, And then learning a bit of C. The reason I always say learn a bit of C, is if you went into programming, it teaches you how memory works, things like that. If you go into reverse engineering, you then know the underlying methods of how things work. If you’re going into networks and web apps or anything like that, you know potential issues that you can start throwing out. It’s the whole ‘the best person to break something is someone who knows how to build it” because they know where the laziness lies.

Also, don’t look at the big things, look at a small step that you can make because that small step could actually alter the course of your life.

How has pen-testing evolved since you started your journey? Are there any emerging trends you find particularly interesting?

It’s fascinating how things have evolved on the software side. While software tends to improve, the common faults persist, just with slight modifications. For example, Rust has emerged, and many believe it will resolve all our issues. Although it addresses certain categories, you can still make all the old mistakes. I’ve spoken with many Red Team members, and they frequently encounter the same issues during network tests. Some places fix them, making it harder, but generally, many try to deceive security professionals. When you dig a little deeper, all those issues are still there.

As for hardware, it’s just horrifying. The common analogy is that hardware is 5 to 10 years behind software on average, which is why I say it’s horrifying. You can often remove hardware without any security stopping you from opening it up. By connecting a few pins, you can take over the entire device, put it back together, and sell it without anyone being able to tell the difference. It’s truly horrifying.

what initially sparked your interest in cybersecurity and made you decide to pursue it as a career?

It all started from Miniclips.com when I was at school! More specifically, it was an advert for free website hosting. So I thought, cool let’s host a website, it’ll be funny and I can embed games on it and now it’s a gaming website – yay! but then the internet content filter at school started blocking MiniClips, but they didn’t block the files beneath.  It was interesting that it still hosted the iFrame and so I shared the link to all my friends etc. Then they blocked the CDN… but I could just download the files, and host them on my website and it still got past the ICF, we could play all those games again!

Let’s talk about neurodiversity and cyber security:

I was fairly sure I was like dyslexic because I had a friend who was and I described all my symptoms and they were like, ‘yeah, that sounds like dyslexia’. I told my mum ‘Oh, I think like this’ and I still laugh at her response, she said ‘You’re too smart to have a learning difficulty.’ Which is even funnier because I’d taken 5 online tests for dyslexia (I know they’re not accurate) and four came back positive.

I also may have ignored my mom’s advice and put it on my UCAS form when applying to college, so when we did the open day event, they took us to the learning area and they asked me some questions around the way I think and they said “we don’t think you’re dyslexic, we think you have dyspraxia instead – it’s a common misdiagnosis, but it’s interesting that you managed to pick it all up yourself”.

For me, being neurodiverse has helped and hindered me in my job. It’s definitely helped with thinking outside of the box but it has hindered in report writing and when sharing code, due to naming variables and putting spelling mistakes in!

Disclaimer: Any views or opinions presented in this article are Daniel Barker’s own and do not represent IOActive’s or NCC’s official stance.