Ethical Hacking Insights: Uncovering Vulnerabilities and Strengthening Security with Gemma Moore – Part 1

About This Episode

In this week's episode, hosts Rachael Lyon and Vince Spina dive deep into the intriguing and often underestimated world of cybersecurity with special guest Gemma Moore, co-founder of Cybers, a renowned cybersecurity consultancy. We’ll kick things off with Vince’s alarming personal story about a scam call that mimicked his wallet company, shedding light on the growing concerns of voice capture and security.

Gemma brings her wealth of expertise to the table, sharing stories from the front lines of ethical hacking. We explore the ins-and-outs of penetration testing, distinguishing between compliance-based and scenario-based tests, and uncover the real vulnerabilities that hide in outdated systems and shared passwords.

      Rachael Lyon:
      Welcome to To The Point cybersecurity podcast. Each week, join Vince Spina and Rachael Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now let's get to the point. Hello, everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my co-host, Vince Spina.

      Vince Spina:
      Rachael.

      Rachael Lyon:
      Hello.

      Vince Spina:
      Another Friday in the books. Yes.

      Rachael Lyon:
      In the beginning of. I know. Right? I can't believe, like, we're embarking on the holiday time frame too. Can I tell you I'm already behind on my holiday shopping, if that's possible? I'm usually done by this time of year. I don't know if I

      Vince Spina:
      am the exact opposite. I am almost finished, and I had to tell my wife there's no snooping around my closet or any of that. And she's like, I wish you wouldn't have told me. She's like a 12 year old kid. Like, so anyway.

      Rachael Lyon:
      That's awesome. Alright. Well, we're gonna have a really fun conversation today, everybody. I'm so excited to welcome Gemma Moore. She's the cofounder of Cybers. They are a cyber consultancy that creates personalized security solutions for global businesses, and she's a recognized expert in pen testing and red teaming. And as I mentioned before we started recording, she basically likes to break things is how she's characterized it, and I love it. I love that. Gemma, welcome.

      Gemma Moore:
      Thanks for having me, Rachael. It's really exciting to talk to you both.

      Rachael Lyon:
      Awesome. So, Vince, let's go.

      Vince Spina:
      Yeah. So, yeah, I'll jump in here, Gemma. So this is an exciting topic. Like, we like breaking stuff too and, ultimately, you know, helping our customers fix it as well. And I'm sure we're gonna get into pen testing and red teaming and all that, but I thought maybe take it up a level and start with ethical hacking. And, maybe for our listeners, maybe define what that means. Mhmm. And then, you know, you like to break things. So what does a typical day look like in the life of an ethical hacker?

      Gemma Moore:
      So it's a very good question because terminology is kinda confusing in ethical hacking. So when I say ethical hacking, I guess I'm referring to anything that involves using adversary tactics to break stuff or find vulnerabilities in technology in a way that is ethical and legal and, you know, not damaging anyone, trying to help them fix it. That's the sort of ethical part of it. But then you get sort of pen testing and red teaming, and they're kind of very different things. So when you look at pen testing, we call it penetration testing, what we're doing in there. It's also known now as sort of ethical security testing or security testing. It's all the same thing, and what we're doing there is we're taking a system or an application or something someone's developed and we're looking for all the technical vulnerabilities and weaknesses that we can find and giving them a report saying, you know, this is what you've got wrong with this thing here. This is how you fix it. And most importantly, which is probably the bit that is sort of less fun than the actual breaking of it, is explaining why this thing is a problem, because often a lot of the technical vulnerabilities, they come with a load of jargon, they come with a load of sort of technical baggage that not everyone understands, and your job is to explain why somebody who isn't technical should care about this thing that's going to cost them money to fix. And that whole process is what we do with penetration testing.

      And red teaming, I say, falls under the ethical hacking umbrella as well. But with red teaming, it's a bit different because rather than just looking at technology, we're looking at people and process and what we're trying to do rather than with pen testing where we're trying to find all the vulnerabilities in a system. With, red teaming, we're looking for an attack pathway that lets an adversary get from whatever your starting point is in character all the way to achieving an objective that might be, you know, stealing a customer database or, you know, taking control of the cloud infrastructure or deploying ransomware, something like that.

      Gemma Moore:
      So it's a hugely broad field and there's also other things under ethical hacking as well. So bug bounty programs you're probably familiar with. Some of your listeners probably use those, and that's where companies effectively offer to pay a bounty to people that are testing their systems just sort of informally on their own time and reporting security vulnerabilities And that's another form of ethical hacking. You know, if you've got the permission and you're acting inside the law, you know, that's an ethical thing to be doing, helping people fix stuff. Lots to it.

      Rachael Lyon:
      And it's it's an interesting area, though. Right? I mean, because where are the boundaries? Right? It's it's almost like a gray area between defense and intrusion, but, I mean, how do you establish where the the guardrails or the boundaries are, you know, not crossing a line, when you're trying to deal with potentially destructive vulnerabilities?

      Gemma Moore:
      Another very good question. So, the boundaries or the scope. If I talk about penetration testing first, because that one's easy. The boundaries in a penetration test are normally pretty well defined in terms of the edge of what you're looking at. So if you have a particular network, you'll normally be confined to things that are in that network. If you're looking at a particular application, you will know sort of the URLs of the hosts that you're looking at, you'll know where the API endpoints are that are in scope, and you will be able to say very clearly, you know, this system is in scope, this system is out of scope, and remain in what we call in scope for that pen test.

      And that lets you stay inside the area where, and this is the important point, where you are authorized to operate because most law around the world, and it does vary from jurisdiction to jurisdiction, but mostly the thing that says whether you're doing this and breaking the law or doing this and not breaking the law is whether you got the permission of the person that owns it to do it. So, you know, that's the most important consideration when it comes to boundaries. But destructive vulnerability, so there's a lot of things that can go wrong during pen testing.

      Gemma Moore:
      Most the vast majority of pen testers are very responsible and we typically as a breed have a very good understanding about whether something we do is likely to be destructive or not, likely to cause problems or not. When I say destructive, there's all sorts of ways pen testing can be destructive. So there's the obvious thing which is exploit vulnerability, makes the server unstable, server goes down, crash. That's an obvious one. But there's less obvious things as well. So, let's take something that we don't see very often anymore, but SQL injection for example. 

      I don't know how familiar you are with SQL injection as a vulnerability, but it's a it's a problem whereby, untrusted input that comes from someone outside the application gets processed by the back end database and causes commands to execute on the back end database. And if you don't know what you're doing, if you're really irresponsible, you could potentially destroy data that's stored in that database.


      [06:57] Test in Safe Environments to Prevent Exploit Impacts

      Gemma Moore:
      If you accidentally trigger an SQL injection that makes a database query spew out a huge number of records because you're not careful what you're doing or you didn't realize your input was going up into that database, you know, you might not destroy the data, but you could cause a huge CPU load on that. So it goes from completely certain something will go wrong to, in between, a gray area of I never expected something to go wrong with this. People have to have backups, basically. So if we know we're gonna do something destructive, we need to know what the impact of this, you know, exploit is on a particular server or system.

      We'll normally ask to do this in like a test environment or a dev environment or something like that, so that we're not impacting live services. There's other ways you can do it as well. So if, you know, you're in a network, you're looking at a server, you have an exploit that if successful will give you local admin rights on that server for example, you can simulate the impact of that without doing the exploit by gaining the local admin rights, you know, through provision of an account or what have you and then continue from there and see, okay. Theoretically, if that exploit had succeeded, what then would the further access be and therefore what would an adversary be able to do and what would the business impact be? So it's ways around most of it but it's always relying on good communication with your customer, good communication with whoever owns the system.

      Gemma Moore:
      But things go wrong. They always do, and things you wouldn't expect. So a few years ago now, I was working for a bank and I was testing a web application of theirs. And one of the things that you do when you're testing a web application is you will fuzz input fields in the web application. And it was a very simple search field, and something that I had never expected was, I put a hash character. I think in the US, you call that a pound character. Yeah? Yeah. In the search bar, and the whole server crashed to the point they had to physically reboot it.

      Gemma Moore:
      Now I don't think I could ever have anticipated that that will be the impact of putting a hash character in a search field. And it's not something that you can really plan for other than make sure that you've got backups, make sure you've got a recovery plan in case something does go wrong, because it's unpredictable. And, yes, there's a bug there. They needed to fix it. But could I have predicted that? Could anyone have? Unlikely.

      Rachael Lyon:
      Yeah. Yeah.

      Vince Spina:
      Hey, Gemma. We talked earlier, before we kicked off the podcast, and part of the banter was around this notion of, imposter syndrome and just how wide and broad this field is. And many of us have been in it a long time, but trying to get your arms around all of it is really hard. We have a lot of listeners that are kind of early in their career and, you know, they they listen into these on different topics to kinda get a sense of what direction they wanna go in. Any skills, that you think are required to get into this notion of ethical hacking or or pen testing or that or, you know, the things that you and your consulting firm does? Like, what are what are some of the main skills, you know, people just coming out of university or very early in their career need to focus on?

      Gemma Moore:
      So there's a baseline of sort of technical stuff that you need to know. I mean, you need to understand how networks work. You need to understand how operating systems work. You need a baseline of the tech, but, actually, that's not the most important thing, because you can teach people the tech quite easily. It's the mindset and the curiosity. These are the things that really, sort of pick out really good pen testers or red teamers. 

      They're the type of person that looks at something and goes, I wonder how that works or, you know, for fun as kids, most of them would have been taking pieces of, you know, toasters apart and putting them back together. It's that type of person that looks at something and goes, I wonder how this works and then pulls it apart and then can't put it back together.

      Gemma Moore:
      All the pen testers have a story like that. Yeah. It's curiosity and looking at things, looking at the world, and wondering how you can break it and how you can understand it. And the tech is only a really small part of it. It's a really, really important part, but the attitude is more useful. Impostor syndrome is like, it's rife, and not just amongst people that are new to the industry. It's rife amongst people that are experienced in the industry. I've been doing this for 20 years and sometimes I still get sort of wobbles of,

      Gemma Moore:
      am I doing this well enough? Am I supposed to be here? Yeah. And it's it's everyone and everyone feels it at some point, and I think it's just because there's so much you could be an expert in. So you look around you and you only need to, you know, sort of look at what people are publishing on GitHub, the tools that are coming out, the blogs that are coming out, and you think this is really cool. This is absolute genius stuff. 

      I couldn't have done that. But the truth is you'll find something that you get interested in, and, you know, the general trajectory is you start off as a generalist and then you find something that really fascinates you and you end up sort of being a specialist in that field and developing it. And the thing that a lot of people that are new to the industry struggle with is asking for help, asking for advice, asking for knowledge. There's a tendency, I think, for people that are new to think, I can't ask stupid questions.

      Gemma Moore:
      People think I'm dumb. It's not like that. I've never worked in a place where people, like, guard their knowledge like a dragon around a gold hoard. Everywhere I've learned, everywhere I've worked, people have been really, really collaborative and really useful, resources to call upon when you've got something you need to do, and that's because, pretty much everyone that's working in this sort of ethical hacking area, we're all really interested in what we're doing. 

      And when you're interested in what you're doing, you wanna share it with other people. And when someone comes to you and they want they want your advice on something, the natural reaction for the vast majority of people is literally to go, yes. Someone I can tell this to. Someone's gonna listen to me brain dump.

      Gemma Moore:
      It's it's like that. And I think, you know, sometimes you just have to be brave, admit the things you don't know, and, you know, actually understand that everyone is like that because we all are. Mhmm.

      Vince Spina:
      Rachael, I was gonna jump in and just ask a follow-up question Yeah. To, Gemma on that. So in in your line of business and staying on this track of imposter syndrome and we can't all know it all and, you know, it it's absolutely appropriate to ask questions. Are there any specific tools or software that you use in your daily job, Gemma? And quite honestly, we haven't had a podcast that I can remember that we didn't touch on the subject of AI. And I'm just wondering in the world of, you know, what you do, ethical hacking. We'll talk a little bit about pen testing, you know, the offensive nature of, being on a red team. But how does AI play into that or any any other key software tools that our listeners might, wanna know about?


      [14:06] Tools Identify Vulnerabilities, Weaknesses, and Exposures, using Scripts.

      Gemma Moore:
      So tooling's an interesting one because there's tools for everything. And a lot of the time when you're pen testing, what you're looking for is, well, I say vulnerabilities. And if you're looking for vulnerabilities, you're looking for port scanners, vulnerability scanners, and, you know, nmap is the port scanner of choice for most people and Nessus or Qualys tends to be the vulnerability scanner of choice for most people, but, you know, other products exist. There's a huge number of them. They all do pretty much the same thing, and that's looking for vulnerabilities. But when you're doing a pen test, you're not just looking for vulnerabilities. You're looking for, like, weaknesses and exposures as well. And often what you're using is, you know, client applications for particular server applications and scripts that people have written in PowerShell or Python or, you know, they're all out there.

      Gemma Moore:
      There's a Linux distribution called Kali that's pretty much dedicated just to penetration testing, and you can just download that. There's a bunch of tools that are well configured for most technical pen testing jobs, and they do a good job. So in terms of tools, huge broad spectrum of things that could be useful. And it changes all the time. You know, people are releasing tools constantly. But, you know, you'll find a technique, you'll find a tool to do the technique, there may be 6 other tools. Everyone tends to curate their own favorite little toolset. That's another thing that you develop over time is your own little favorite toolset.

      Vince Spina:
      What about AI? Anything in that world you guys are playing with?

      Gemma Moore:
      There we go. That's what AI tends to get used for. So AI, also the generative AI stuff, for a lot of pen testers, it's really helpful for writing code, surprisingly, because we tend to get in a situation where we find something we haven't seen before and then we need to write a really specific script to do something really specific to this thing that we found. And it's not something that you're gonna, you know, write a full, proper tool for. You just need a quick script to get a job done. And actually for those situations, I think a lot of pen testers have found generative AI very much a time saver for: this is an input, this is an output I need, can you write me a quick script, Python or otherwise, you know, to get this job done? And it's pretty good for that. And another area in red teaming where it's coming in really useful is in pretext development for phishing attacks.

      Gemma Moore:
      So, generative AI platforms are really good at writing very convincing marketing text, and if you want someone to click on your phishing link or download your document, very convincing marketing text is what you need. It's really good at that. Just on the other side of things, in terms of tactics and techniques being used by adversaries, I think AI is a very interesting thing to think about if you are running a business, because we're now effectively in a situation where the state of the art with deepfakes is such that you literally cannot believe your eyes or ears, and as a society, we're not ready for that.

      Like, nobody is ready for that. Mhmm. Humanity, you know, we are programmed to believe that people are people and that we're talking to people and I'm talking to to to you guys here. I can see your faces and I think you are real people. But we're at the point where actually you couldn't be convinced of this.


      [17:21] No good solutions for verifying communication identity.

      Gemma Moore:
      You can't be sure. And I don't really know what the answer to this is, because we go back to secret code words as being the countermeasure for this or, you know, having individual sort of cryptographic signatures that we're verifying with each other as a countermeasure to this. And I don't really think we've got good solutions to this problem of not knowing who you're talking to or what they're saying. And for me, looking at it from the point of view of the red teamer, there's a ton of ethical problems with emulating that threat and thinking about how you simulate that threat as well.

      Because I'm pretty sure if I sent a phishing email and I pretended to be you, Rachael, to Vince, you'd be annoyed about it, but you wouldn't be really upset. But if I called Vince and used your face and your voice to talk to Vince, I feel like emotionally that would be a very different thing for you. Right. Wow.

      Gemma Moore:
      And we don't think about that very much.

      Vince Spina:
      You couldn't fake Rachael because she has a glow and an aura to her. So I would know if it's not the real Rachael.

      Gemma Moore:
      But, yeah, it's an interesting thing. I mean, on the defensive side of things, of course, AI is doing great work in terms of being able to identify adversary tactics on the fly. Like a lot of the tactics of adversaries are pretty, easy to detect if you have the resources of an AI looking at all the activity on your network and that's really, a huge step forward in terms of defenses. But what that inevitably means is that there is gonna be this arms race of evolution and adversary tactics and that's likely to be fueled by AI in the similar way. So it's interesting, Vince, is what it is. It's interesting and new, and that's what we like when we're pen testers. Interesting and new is good. Yes.

      Rachael Lyon:
      Yeah. Wow. It causes me pause thinking about that. I never thought about that, you know, the emotional impact, right, of

      Gemma Moore:
      Well, yeah. And when it comes to pretending to be people, it's all emotional levers. I mean, so here's a thing for you. So, you know, there's a load of SMS scams. Someone, normally the older generation, they'll get a text message and it will say, hi. It's your son. I've lost my phone. Can you send me some money for a new phone? This is my new number.

      Gemma Moore:
      Right? That happened to my mother-in-law a few weeks ago. Now if you think about the deepfake, imagine if that had been a phone call and it was her son's voice.

      Vince Spina:
      Right.

      Gemma Moore:
      And then you take that further, and how far would you go with that simulation if you were an adversary? Is the son screaming? Is he in trouble?

      Rachael Lyon:
      Yeah.

      Gemma Moore:
      Has he been kidnapped? Like, all of this stuff, if it's your son's voice and that's the, you know, it's proof of life. I mean, I wouldn't do this. Criminals will, but if you sort of extend that type of emotional leverage, people will do what you want them to do. And in cybersecurity, I'm not gonna go down the route of saying people are the weak link, because they're not. People are people, and you need them.

      Rachael Lyon:
      Right.

      Gemma Moore:
      But people are susceptible to emotional manipulation in a way the systems are not. And now the tools are there to really, really turn the thumbscrews on emotional manipulation.

      Vince Spina:
      Yep.

      Gemma Moore:
      And the countermeasures aren't brilliant.

      Vince Spina:
      Yeah. Just a quick story, Gemma, and then, Rachael, I'll let you jump in. But I do a lot with cryptocurrency, and my colleagues used to laugh. They're not laughing with Bitcoin over 90 now. So I'm just saying. But I can tell you, I sold a little bit of my crypto when it crossed over into the nineties, my Bitcoin. And I'm telling you, within a half hour, I had an email saying, you know, hey. You sent this to this wallet, which I didn't do, whatever, and click on this if you hadn't done that.

      Vince Spina:
      And what really freaked me out is I got a phone call, and the person said they were part of the tier 2 security team. And, you know, usually, you get somebody with a bad accent who doesn't speak English very well. This person was super polished, and he knew some stuff about me. He purported to be from the wallet company, and he started asking me questions. And I said, this doesn't seem right to me, and I'm in this industry, but he had me thinking.

      Gemma Moore:
      Yeah.

      Vince Spina:
      And I'm like, you wouldn't call me and ask me these questions. And literally when I poked back, he hung up, and then I called my wallet company and found out. Said, hey, it came from this number. These are the questions. I go, yeah. We would never do that. But, I mean, it was professional, both the email that popped up and the call that I got. And, you know, I'm a skeptic by nature.

      Vince Spina:
      We tend to be in this business, but if that had been, like you said, my parents or somebody who doesn't think about this on a regular basis, it was quality. Like, you would have thought that those were both legitimate.

      Gemma Moore:
      And you can't blame people for falling for it. You can't. Yeah. You have to make sure you've got the controls in place. It means that if they do fall for it, you know, you're not catastrophically damaged. And this, you know, if you think about that type of scam, that's the type of thing where, you know, someone impersonates the CEO and asks for an invoice to be paid immediately. It's exactly that type of financial reward immediately. That's it. It is a business for the adversaries.

      Gemma Moore:
      It's a 9 to 5 business with holiday and sick pay and, you know, proper working practices. It's professional. Right. Yeah. You hit the nail on the head.

      Rachael Lyon:
      I received one of those emails this week, although it came from, like, a Gmail account, so I knew it wasn't our CEO. But it was, you know, hi, Rachael. It's Ryan. Can you get me these gift cards or, you know, whatever it was. I just thought it was hilarious. I'm like, I don't think he'd send it from his Gmail address. But my other question is, what happens if you just don't answer the phone, Vince? Like, what if you don't talk to the person?

      Vince Spina:
      Yeah. Well, usually, yeah, if I don't know the number or scam likely or something pops up, I won't. I'll wait and listen, but it spoofed the wallet company that I use. I mean, it was as close to being legit, and I just thought, yeah, this was weird. You're asking me questions that I don't think are appropriate. And I'm very weird about how I answer too because, you know, the notion that they're capturing your voice and your commands and things like that. So, yeah, I'm not as jovial when I get a call like that as I am like this. I'm like, I try to mess it up as much as possible.

      Gemma Moore:
      Yeah. It is funny. I mean, the ones that used to potentially be amusing were the ones that used to call you up being tech support. And I know several, this is the type of thing pen testers like to do. Lots of people in the industry like to do it. You know, who'd keep them hanging on the phone, spin up a quick Windows virtual machine, then let them have access to it, and let them waste their time doing things with a Windows machine that have nowhere to go, just to waste their time. And that's the sort of, you know, stuff that pen testers like to do to scammers. But, you know, it is business, and you have to be mindful all the time, and you can't really trust anything these days.

      Rachael Lyon:
      No. No. Not at all. Kinda speaking on pen testing, it's gonna be fun to kinda double click into that a little bit. What scenarios do you think pen testing is preferable or even essential compared to other forms of security assessments?

      Gemma Moore:
      So there's sort of 2 different types of pen tests that we tend to do. There's the one that's based on compliance that you have to do, and that's normally, you have to do a pen test. We've got to put the tick in the box, and we need to check that everything is as we expect it to be in this environment or what have you. And that's the one where, you know, you just have to do it. The one that I think is really useful is the one where you're trying to find out things you didn't know, and we often sort of refer to those as scenario based pen tests or things like this, and they tend to start from a premise. So they'll start with a question like, okay, what if somebody gains access to our building and plugs into our network?

      What can happen then? Or, you know, we've just acquired this company in, you know, the United States and we're integrating them with our network. What happens if there's an adversary in their network that we don't know about? You know, how can we manage this process safely? What are the vulnerabilities we've got at the moment that we don't know about? And you can find so much about an organization from those types of pen tests, and they can come as a huge surprise to the people that organize the network. I mean, I'm talking mostly about on-premise solutions because the cloud has changed everything. We can talk about that in a bit as well, but when it comes to sort of on-premise networks, a lot of the places that still have on-premise networks are large companies, big organizations.

      Gemma Moore:
      They've been around for years. They have thousands of users, and in a network in that type of organization, you find that there's so many things that shouldn't still be there that still are there, and over time stuff just builds up. It's like the back of a closet. If you run through a network like that, it's like the back of a cupboard where things have been shoved, and you find things out that people didn't know. You'll find that there's normally a whole bunch of file shares that nobody has accessed in years that will have things like config files on them that have got passwords in, that have local admin on various machines in the network, that then let you take control of those machines. And in the domain network on-premise, pretty much by the time you've got control of one local server, you've got control of the whole domain. It's just a matter of time at that point.

      So, you know, that's the sort of clutter. You find people's home directories, not just of, you know, people that still work there, but, you know, going back for decades of home directories and information, documentation and things like this. And I often say this to the security teams, because normally when I'm looking at security, when I say this, you'll see the look on people's faces and you will realize that this is very true.


      [27:34] Common Passwords and Undocumented Systems Risk Security

      Gemma Moore:
      Normally what you will find is that there is a single password that gets used everywhere that people think is not important. At some point in the past someone picks a password, and, you know, it's probably in the UK based on a football team; it'll be, you know, Liverpool01 exclamation mark or something like that, and someone will put it on everything they thought wasn't important. It'll be on, you know, like a printer that sits in the corner that doesn't do anything, and it will be used for like the guest wireless or something like that, and you can guarantee everyone knows that password. And also at some point in the past someone has put it on something that they really shouldn't have put it on because it's very sensitive, and almost certainly when you've got a big on-premise network you will find something like that that lets you escalate privileges and move laterally.

      And as soon as you tell people about it, everyone's like, face palm. Yes, we knew this thing existed. We never thought anyone would find it, and they all just look very sort of shamefaced when you bring it up, and it happens every single time. And so people are people everywhere, and, you know, you're always fighting a battle against people doing their thing, and, you know, the system that, you know, Dave wrote 20 years ago, and then he left the company, and it's got to stay on, and it sits there running, and nobody knows how it works except Dave, who's now left and didn't document it, but if we turn it off everything breaks, so it just stays there. And yes, things like that, they crop up all the time in on-premise networks. So, yeah, pentesting can be a really good way of finding out those things that you just didn't know.

      Gemma Moore:
      Because the other thing is, patching is only part of it. So the cleanup is entirely... not more important, just as important.

      Rachael Lyon:
      And I hate to do this, but we are at the end of today's podcast. To all of our listeners out there, thank you so much for joining this week. And for our new listeners, welcome. If you're enjoying the conversation, please subscribe. We're on all major podcast platforms. Until next week, everyone, stay secure. Thanks for joining us on the To the Point cybersecurity podcast, brought to you by Forcepoint. For more information and show notes from today's episode, please visit www.forcepoint.com/podcast.

      Rachael Lyon:
      And don't forget to subscribe and leave a review on Apple Podcasts or Google Podcasts.


      About Our Guest


      Gemma Moore, Co-Founder, Cyberis

      Gemma is an expert in penetration testing and red teaming. She started her career in cyber security nearly twenty years ago, working her way up from a junior penetration tester to running the penetration testing practice in a specialist consultancy by 2011. She is a founding director of the information security consultancy, Cyberis.

      Over her career, she has held CREST certifications in Infrastructure, Applications and Simulated Attack, and now focuses most of her efforts on planning, running and executing red team and purple team exercises.

      In recognition of her outstanding level of commitment to the technical information security industry and the highest level of excellence in CREST examinations, Gemma was selected to receive a lifetime CREST Fellowship award in 2017.

      Gemma was a contributing author to the BCS’ “Penetration Testing: A guide for business and IT managers”.

      Gemma was named “Best Ethical Hacker” in the 2018 Security Serious Unsung Heroes industry awards, and has been honoured by SC Magazine as one of its 50 Most Influential Women in Cybersecurity, and by IT Security Guru magazine as one of its Most Inspiring Women in Cyber.


      Follow her on LinkedIn