Holly Graceful breaks into computers for a living. As a skilled penetration tester, she helps secure clients’ networks and sensitive information. She is also an influential writer and speaker within the wider information security scene, creating insightful content around exploits, infrastructure, privacy, and more.
What is it that you do and how did you get into it?
Sometimes I find it hard to explain to people what my nine to five is. I think the easiest way to put it is that I break into computers and buildings for a living. Some people would call that an ethical hacker or security assessor; my company business card uses the title Penetration Tester. Either way, simply put, I use technical skill to compromise confidential data via computer networks and social skills to compromise confidential data via humans.
Personally I got into it through network engineering. I was a Cisco engineer in a past life, establishing communication systems from standard computer networks, to mobile phone data networks, and satellite communication systems. Then people decided to put confidential data on those systems and suddenly I found myself having to keep it all safe. I worked for a company which did not do a good job of keeping it safe and so I went out of my way to help them out, to point out little ways they could harden their systems.
Now finding and highlighting security issues is my only job role. I work offensively instead of defensively, which means instead of looking through code or reading configuration guides it's more in line with what an actual attacker would see and do.
Why do you love doing it?
I love it for two reasons. The first is the challenge. Penetration testing is 90% boredom and 10% Hackers-movie-style awesome. I love it for those rush moments where it all comes together. I can spend hours preparing for an engagement, then when it comes to actually breaking in, talking my way past a security guard, the adrenaline and sense of achievement are both fantastic.
Secondly, I like seeing the improvement, from my first penetration test where I can fully compromise the network in under 15 minutes, to months later when they’ve learned lessons, hardened systems and are really trying. That way I get the technical challenge that I crave and the good feeling that comes with genuinely helping a company improve and stay safe in the wilds of the internet.
Best or most interesting work experience of the last year?
My most interesting work will always be when a client gives us an effectively scope-less engagement, where we're allowed to perform any steps that we feel appropriate to gain access to systems. Instead of being tied into arbitrary “rules of engagement” we can pull out all the stops with social engineering, physical access and technical exploitation. In those engagements we know we can compromise the entire system, there are so many ways to do it, so it's just a case of digging in and pulling off something awesome!
Any advice for young people looking to do what you do?
Read a lot, about everything; information security is a vast field and you don’t have to work on all of it. When you read something and it seems interesting, then read more about it. You'll end up just passively becoming an expert. Also, don't let not knowing something stop you. The one that comes up the most is whether you need to know how to program to start in security. You really don’t, to start.
Any advice for the public about security or the internet in general?
Use Signal/Use Tor. Your password may not exceed 16 characters in length. Use multiple firewalls. Base your password on a simple dictionary word so that it’s easy to remember. You can run any file you want as long as you have anti-virus. If you don’t log anything then it can’t be subpoenaed.