These are the words of Manuel Corregedor, a cyber security professional at Grindrod Bank, who will be presenting on ‘a false sense of information security’ at the ITWeb Security Summit 2017. The event will be held from 15 to 19 May at Vodacom World in Midrand.
He sums up his career in the sentence: ‘studying, applying theory in practice, pushing buttons, writing pretty documents, learning from failures, improving, repeat’. Corregedor says he's always had a love for computers. "I remember when my parents got me my first computer – second hand – and my brother and I had no clue how to connect it. We eventually got it powered on but Windows wouldn't boot; we then figured out how to get it to boot by disabling certain services during the boot process.
"We had no idea what services we were disabling, you could say we brute-forced that boot sequence," he jokes.
That is where he says it all started for him. From there he took computer studies in high school and learnt how to program in Pascal. After high school he enrolled at the University of Johannesburg (UJ) for a BSc IT and did Computer Science and Software Engineering, where he learned C, C++, .NET and x86 assembly. "I then did my Honours in IT where I specialised in AI and Information Security."
In terms of his career progression, Corregedor says he lectured undergraduate, postgraduate, diploma and certificate students at the Academy of Computer Science and Software Engineering (UJ) for five years. "I lectured students on Software Engineering, Information Security and Cyber Security. I realised during my time as an academic that the concepts, models, frameworks and the like that I was lecturing about were great, and always worked in theory but I needed to find out for myself if they actually worked in practice – I suspected they did not and I was right."
In addition, he says he grew tired of hearing the phrase, ‘those who can't do, teach’. "Seriously though, this is not true because it's not possible to effectively teach students technical concepts if you don't know how to do it yourself."
Upon leaving academia, he had a choice of going into information security or software engineering. "I still remember a recruiter telling me that by choosing to go into information security I was making the biggest mistake of my life and wasting my studies and/or destroying my career. The recruiter thought I was going to configure firewalls and similar, because back then, there was no demand for cyber security skills and the field itself was still very niche."
He decided to go into the information security field, but not where he would be solely focused on the technical side of the discipline, such as penetration testing, vulnerability assessments, operational security and suchlike. "This was because I wanted to get exposure to the governance, risk and compliance side of security too. The company I joined, Wolfpack Information Risk, allowed me to have exposure to both sides which I believe is important in the field."
On what sparked his interest in the information security sector, he says: "During my studies, we had a lab that we used as students, and the one year, the administrator told me that his lab was secure and that I couldn't get access to it. Needless to say I managed to get admin access to all the machines a number of times. On the positive side each time I found a way in the lab admin would lock it down."
However, for Corregedor, the real passion started during his master's study where he set out to find a way to prevent malware. "I realised that in order to prevent malware, I would need to understand how it worked first, and I ended up creating two rootkits that were able to collectively disable Windows from booting, log keys, disable anti-virus software, hide files on disk and hide processes from anti-malware products. The development of my rootkits also opened the doors for me to get involved in a local community hacking conference (ZaCon) where I was given the opportunity as a ‘noob’ to present two talks. Being a part of that conference, and watching other established security experts present their talks definitely contributed towards me getting involved in the information security field."
Speaking of what he loves about his job, he says: "I love that I get to do what I am passionate about every day. In information security there are always new and interesting, albeit sometimes scary, things happening. It's really great. I am learning all the time, and I am able to assist an organisation to stop and/or catch the bad guys."
In terms of frustrations, generally speaking, he says he finds it frustrating that a large number of companies still take too long to put appropriate information security controls in place. "This is particularly true when it comes to addressing known vulnerabilities and patching systems. Additionally, I have found that employees are being put in charge of information security without having the appropriate skills and/or experience. In most cases, this results in such employees using Google to find frameworks, models, standards and suchlike, that they then try to apply to their environments without understanding why the control is required or how it should be implemented, resulting in more bad than good being done."
Would he have done anything differently? "I would have left academia earlier to get more practical and industry experience because the research environment differs significantly from the ‘real world’ environment."