My First Week as a Security Engineer
Listen to this story
My first role in security was as a Senior Security Engineer. I was living in Dubai and had just been hired by a company called scanit. An acronym for Systems Computers and Network Intrusion Team and an amalgam of something you would do as a security engineer, clever. All our clients in the Gulf pronounced it: Scan Eye Tea.
I gave up an annual bonus of 5 times my monthly salary and took a hefty pay cut to join them. I worked at the UAE telco called Etisalat (the only one at the time.) I remember telling my wife. She had a look of confusion and incredulity on her face as if I just told her I was off to join a circus. In hindsight there was a bit of juggling, lion taming, and escape artistry, but I never did answer her questions on how I would make things work considering we had a one year old at the time. I think she’s still waiting for a reply 18 years later.
I landed an interview when I sent in my résumé after discovering the scanit website. A day later, the CEO replied, and I got called in. I remember giving him some spiel that I prepared. Something gross like: “my greatest strength is that I never stop working” and saw a flash of disgust wash over his face. Thinking I blew it and had nothing to lose, I then told him that I was an amazing pentester, would do anything to work in security full-time and was dying a little each day I worked at Etisalat. He then asked me to chat with some of the other engineers in the team. After a slightly awkward conversation because neither interviewers nor interviewee were very adept at doing interviews, we began nerding out over technology where at some point after I had to explain the low level intricacies of how the TCP 3 way handshake and traceroute worked, I was hired.
scanit didn’t waste much time and had me in the field on my first week out. I received a heavy piece of metamorphic rock on my first day. Confused, I examined it further to realize it was a slate colored Dell laptop. My new peers peered over the half height cubicles to survey my new arsenal. They said that a visiting engineer from Belgium had the same laptop and that it was tough as nails. He had, according to them, taken his backpack containing his laptop on a desert safari and when the Land Cruiser stopped for a break, he got out to stretch his legs a bit. All the dune bashing beforehand had shifted the contents of his backpack which was at his feet and so his laptop had slid out of the half unzipped bag and hit the sand. In a panic to retrieve it he’d leapt out of the SUV and landed squarely on the half buried laptop with both feet. Apart from some scratches apparently it worked just fine afterwards. Well that’s handy then. If I’m unable to hack into a server, I’d at least be able to throw my laptop at it.
We had won the contract of a rather large local bank in Dubai and it was for the full works. Internal and External Pentest, Web application assessment, ATM hacking, pretty much anything we can do to steal money from the bank. My first outing with the team was on a dumpster diving mission. We were supposed to case one of the bank branches and then steal their trash. This was to catch any instances where sensitive documents were thrown directly in the trash instead of being disposed of securely. There were two big, green rubbish skips in the back of the rectangular building next to a single loading bay. The loading bay was at one of the corners of the longer sides of the building. Three of us sauntered over and began digging through garbage. We hadn’t perfected our technique yet, but it seemed to suffice to use our belly as a pivot point where upper bodies were inside the skip and our legs dangled outside as counterbalance. I was thankful that all the trash was dry and paper based rather than having to pick through the remains of a chicken biryani someone had thrown out the day prior. We didn’t scan too much, but instinctively picked up whatever papers that looked important and stuffed them in our backpacks. We found a mound of shredded paper that we grabbed as much of as possible. We moved steadily for about 5 minutes until I heard someone yelling in Arabic. I looked up and saw two bemused security guards staring at us. I knew that while they looked stocky enough to be menacing, they seemed like they would also need a breather between tying their own shoelaces. Obviously we hadn’t planned this as well as Danny Ocean had and so we couldn’t fathom that the guards would do a walk around mid-afternoon in 40 degree heat. Typically when on social engineering jobs we would revert to an air of confidence that communicated that we were meant to be there and knew what we were doing. In this scenario, we ran. We rounded the corner and ran to the car hearing more huffing and yelling in Arabic behind us. Thankfully our CEO would give us liberal access to his gray Honda Accord AND his driver who was sitting in the car with the engine and A/C running (later that day he would also help us reassemble shredded paper like a jigsaw puzzle.) We piled into the car and simultaneously yelled at him to drive! drive! drive! Which he did. We took off looking back in time to see the guards round the corner. One of them doubled over and supported himself against the building with one arm and looked as though he was about to throw up.
We returned to the office with reams of multi-layer carbon paper printouts, many pages both intact and shredded and bank stationery. After about 3 hours worth of sifting through and re-assembling the straight shredded paper, we found absolutely nothing that would help us in our digital onslaught on the bank. We did, however, find out much about its corporate clients, the credit facilities extended to them and in-depth information about them enough to warrant a social engineering attack that we did not end up conducting.
I had an absolute blast! The work was such a departure from the soul-sucking drudgery I had at Etisalat that I would have gladly done it for free. Looking at my pittance of a paycheck at the time, one could argue that I really was doing it for free. Nevertheless I was energized and looked forward to going into the office. This was all I ever wanted to do. I would daydream of working in a company like this and never imagined I would get to do it in real life. Yet, here I was, working for Scan Eye Tea. The washed out desert sky seemed just a tinge bluer and the piles of desert sand around us seemed sandier.
Later that evening at home, my wife asked why the midsection of my clothes was so grimy. I explained that I was out with the team prospecting for serious, sensitive information that was insecurely discarded from a bank.
“So you were out digging through garbage?”, she asked. Ever the reductionist.
I had no other way to articulate that I didn’t leave a high paying job in vain, just to take a pay cut and start the week out digging through someone else’s garbage. So I pulled the Dell laptop out of my bag and said, “Look, they gave me this new laptop, it’s supposedly very rugged.”