Interview with Mario Piva of SRA (Security Risk Advisors)
1) What department do you work in, what’s your title?
Technical Assessments, Manager: specializing in penetration testing and web app security.
2) When did you first get into CyberSecurity (“Information Security” or “InfoSec”)?
Junior year of college I took some info sec classes.
3) How did you first get into InfoSec, what was your first InfoSec job?
Outside of classes, my first experience was a co-op job at PwC doing technical security consulting where I got to learn security strategy, compliance and penetration testing.
4) What does your typical day look like?
No two days are completely alike as a security consultant, but I usually spend my days managing client teams, doing small amounts of targeted penetration testing, talking to clients about their respective projects, such as a status update or future scheduling, and also talking to prospective clients about our service offerings.
5) What is your favorite “war-story” (Client names will be redacted)?
So many war stories over the years, highlights include:
· Controlling a fleet of cruise ships
· Controlling satellites in orbit around the Earth
· Controlling an oil rig
· Controlling a diamond mine
· Breaking into a TV station and getting on live TV
· Hacking a movie studio and watching unreleased future blockbuster movies
· Hacking on location in a Hollywood movie studio
· Creating a new offshore bank
· Compromising a system controlling 13 trillion dollars (yes with a T)
· Validating credit card numbers by calling up family members and reading their card back to them
· Viewing my own kids’ medical records in the EHR system and being very happy I omitted their SSNs from the application.
It’s also amusing to watch TV commercials or look at ads/billboards and know you’ve hacked that company! Just the sheer volume of companies that my teams and I have compromised over the past few years is mind blowing. There hasn’t been a company that we couldn’t own.
6) What is your favorite part of your job?
Hacking clients, especially the ones that openly brag about how secure their network is!
7) What is your least favorite part of your job?
Client engagement scheduling is always the least fun.
8) From your experiences what kinds of people excel in infosec?
Dedicated, proactive people that always want to keep learning. A person really needs to have a passion for the industry because things change on a daily basis. It’s not a 9–5 job.
9) What would you suggest to any students who may be interested in getting into infosec?
Take as many infosec classes as offered, get involved in the community by attending local conferences and organizations like OWASP, ISC2, etc.
10) What are your favorite resources?
Twitter is great, tons of leaders in the industry like HarmJoy. I also like to follow r/netsec and r/pwned. There are good blog sites like Krebs and Schneier and other news type sites like Packetstorm and Darknet.
11) Would you recommend any specific certifications?
It depends on what you want to do, but for technical assessments and penetration testing, as a beginner, the CEH is cheap and easy, then the OSCP for when you really want a resume builder. The CISSP is probably the most well-known security cert out there.
