26 March 2024 / 12 minutes of reading
What are the motivations for companies to use ethical hacking services, and who is still the strongest attack vector? A look at the evolution of offensive security in the Czech Republic and Slovakia over the past 8 years, since Citadelo took on its first salespeople, will raise many questions for you to ponder and perhaps even prompt you to act before you discover that an unwanted visitor is already operating on your network.
We interviewed Jakub Novak. Jakub has a technical background: he graduated from the Faculty of Applied Informatics at the Slovak Technical University in Bratislava and has worked as a Sales Manager at Citadelo for more than 8 years, in business development and managing a portfolio of clients with a turnover of over 100 million CZK across Europe, primarily in the Czech Republic, Slovakia and the DACH region, and across almost all segments: banking and finance, fintech and startups, industry, automotive, healthcare, telecommunications, IoT, etc.
It's been 8 years this year since I joined Citadelo as one of its first salespeople. The beginning was really challenging for me. I had never done sales before and was pretty much on my own. When I think about it now, it was and always will be a huge milestone for me, because I basically decided to completely change my focus at that time: to jump from being a degreed technical person/developer into the world of business, which I knew absolutely nothing about. I guess the main reason was that I saw myself in Citadelo's previous salesman, who was just on his way out. I just said to myself at the time that I was going for it, and I put everything on the line. And let's face it, I knew from the beginning that I wasn't the type who could stand looking at a monitor for 8 hours a day.
Penetration testing and related services were only being addressed by a few companies back then (at the turn of 2015-2016). The early adopters in this area were mainly financial institutions and entities that worked closely with them. These are still the entities that largely drive this type of business to this day. In other words, doing business in my early days in the cybersecurity world with other types of companies meant paving a whole new path. Of course, kudos to the exceptions.
Gradually, as legislation such as the Cybersecurity Act, GDPR, NIS, etc. came in, companies from other industries started to understand us more and more. For me, this is not the happiest way to start on this topic, as companies come to it more or less out of compulsion, but it is a significant step forward. My dream progression would be for companies, and therefore the people who run them, to address cybersecurity proactively and preventively so that they can sleep well and focus on their business. We are not there even now.
There are basically four main motivations that I saw then and still see now:
Of course, I don't want to lump everyone together; in many cases it is a combination.
At the very beginning, almost all active companies in the market basically came from the first two categories. On January 1, 2015, the Cybersecurity Act came into force, and right after that, in 2016, the NIS Directive. These hit banks, financial institutions, the energy industry, critical infrastructure and others first. That's when the tables began to turn. At the same time, given the rapid increase in hacker attacks, other companies began to realize that they had assets to protect in the digital world, as their loss directly affected their existence.
Development of tested sectors at Citadelo
There is growing interest from companies, and this is for several reasons:
The first, which I am incredibly happy about, is the companies' own initiative. With the extreme increase in hacking attacks, it is already clear to companies that it is not a question of if, but when they will be targeted. Therefore, they want to know an ethical hacker's view of their infrastructure, application or entire organization, simply to protect themselves before the real black hat hackers turn their attention to them. And that's the right decision.
When we look at our statistics, which we owe to our excellent marketing department, we conducted 384 simulated attacks in 2023, finding 2,795 vulnerabilities. That's an average of 7 vulnerabilities per attack, and that's a lot. For a hacker, this means that he has 7 more or less critical vulnerabilities ready for his success, which he can chain together to cause enormous damage to the company.
At the same time, the NIS2 directive is about to take effect (end of 2024), mandating other market segments to perform offensive security testing. In the Czech Republic and Slovakia, this will affect approximately 10,000+ new companies and involves a total of 19 market segments.
Then there's DORA (effective January 17, 2025) which, among other things, directly mandates comprehensive company testing such as Threat-Led Penetration Testing (TLPT), similar to our Red Teaming, which is a simulated comprehensive hacking attack on a company.
With the European NIS2 Directive and the new law on cyber security that the Czech Republic is preparing, this topic is already definitely resonating in company circles.
After October 17, 2024, CISOs will need to assess the so-called scope of cybersecurity management, identify risks and start working to address them within a year. From an offensive security perspective, we at Citadelo are right at the beginning of the process, helping CISOs determine the extent of vulnerabilities in their systems through penetration testing and audits, and providing suggestions for remediation.
The process for companies newly entering this regulation includes:
For example, NCIB in the Czech Republic conducted research on real companies and determined the average cost of implementing the measures to be CZK 800,000 to 1.2 million per company system. This is a significant amount of money that companies will have to spend on cybersecurity, and CISOs need to set these budgets today and prepare to spend them soon.
Penetration tests of web and mobile applications, of course, including tests of the APIs through which applications communicate with backends, and of infrastructure (perimeter vs. internal infrastructure). There is also a growing number of requests for complex Red Teaming simulated attacks. Current trends are OSINT, social engineering (phishing/vishing/smishing, physical penetration, etc.), but also the integration of LLM/AI.
Our internal statistics show that the weakest link has been, is, and I dare say probably will be for a long time, the human factor. Our long-term success rate for simulated hacking attacks combining vishing and phishing is over 40%, i.e. almost every second victim succumbs to our simulated attacks and lets an ethical hacker into the company infrastructure. This is an alarming state of affairs. Next in line are vulnerable client applications or the company perimeter.
Currently, social engineering attacks using AI and LLMs are already on the rise. One example is a recent hacking attack in which the CFO of a certain bank in Hong Kong was tricked by a combination of a deepfake online meeting and phishing. The attack resulted in a financial loss of $25 million.
The use of these technologies almost blurs the distinction between fiction and reality for victims. This percentage can therefore be expected to increase.
The business sector does not matter. If a hacker wants to hack a company, he will start by doing OSINT (open source intelligence) on it. He will find out who works there and in what positions, what information about the company is available in public and non-public sources and on darknets, the habits of the company and its people, and also whether there has been any data leak from the company, e.g. of passwords. On the basis of the information found, he orchestrates the attack through selected victims, i.e. people in the company who are of interest to him. Or he plans a spear phishing campaign targeting the whole company.
For a company of 100 employees, with a 40% success rate, he has the opportunity to get 40 victims to compromise their workstations and get into the company network.
We work with clients to provide regular and thorough security training to employees, where, in addition to the theory itself, we also give them practical demonstrations of various hacking techniques so that they can identify them as well as possible. And we combine this with regular penetration testing in the form of social engineering: phishing/vishing/smishing campaigns. This, in my opinion, is currently the most effective way to keep this percentage relatively low.
Employees often believe that they are better protected in the company environment, are unaware of the steps they are taking that actively create an easy entry point for hackers into the company's network, and are not fully aware of the devastating impact this entails. This knowledge needs to be disseminated to them, and their level of sensitivity needs to be regularly tested. Or maybe they are even aware of it, but in today's huge rush of work, the percentage of errors is increasing because everyone wants to solve every task as quickly as possible to the satisfaction of the employer.
The techniques used by black hat and white hat hackers are exactly the same. Within OSINT we can find out a lot of information for the client. Generally speaking, we can find out everything that is available about a company to black hat hackers on the web and darknets, and therefore what cards they will play in a potential attack on a client. By finding out this data, the company gets a head start on protecting itself against a potential hacker attack.
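One concrete piece of the OSINT step described above is finding out whether leaked passwords from earlier breaches are still in use inside the company. The following is an added illustration, not Citadelo's code or part of the original interview: it shows how a defender can run the same check without ever sending cleartext passwords or full hashes anywhere, using the k-anonymity scheme (SHA-1, first five hex characters as the query, suffix compared locally) that the Pwned Passwords API popularised. The "breach corpus" and the account list are constructed sample data; the function names are mine.

```python
import hashlib
from typing import Dict, Iterable, List

# Constructed sample "breach corpus": passwords assumed to have appeared in
# public leaks. In a real check this would be a breach dump or a range API.
LEAKED_PASSWORDS = ["Password123", "Summer2023!", "citadelo2016", "Welcome1"]

# Constructed sample accounts: usernames and their *current* passwords, as an
# internal audit with access to a password export or a capture would see them.
SAMPLE_ACCOUNTS = {
    "a.novak": "Summer2023!",                # reused leaked password
    "b.kral": "x7$Qp9!vLm2#Wz",              # unique, not in the corpus
    "c.horak": "Password123",               # reused leaked password
}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (the format range APIs use)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Index leaked hashes by 5-hex-char prefix -> {35-char suffix: count}.

    This is the 'server side' data structure: it only ever has to answer
    'give me every suffix for prefix P', never 'is password X leaked?'.
    """
    index: Dict[str, Dict[str, int]] = {}
    for pw in leaked:
        digest = sha1_upper(pw)
        prefix, suffix = digest[:5], digest[5:]
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


def range_query(index: Dict[str, Dict[str, int]], prefix: str) -> Dict[str, int]:
    """Simulated server response for a k-anonymity range request.

    The server learns only the 5-character prefix, i.e. one of 16^5 buckets,
    not which of the returned suffixes (if any) the client is interested in.
    """
    return dict(index.get(prefix.upper(), {}))


def check_password(password: str, index: Dict[str, Dict[str, int]]) -> int:
    """Client side: hash locally, send the prefix, compare the suffix locally.

    Returns how many times the password appears in the corpus (0 = not seen).
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = range_query(index, prefix)
    return candidates.get(suffix, 0)


def audit_accounts(accounts: Dict[str, str],
                   index: Dict[str, Dict[str, int]]) -> List[str]:
    """Return the usernames whose current password appears in the leak corpus."""
    return sorted(user for user, pw in accounts.items()
                  if check_password(pw, index) > 0)


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    exposed = audit_accounts(SAMPLE_ACCOUNTS, idx)
    print(f"{len(exposed)} of {len(SAMPLE_ACCOUNTS)} accounts reuse a leaked password: {exposed}")
```

The point of the split between `range_query` and `check_password` is the privacy property: the party holding the breach data never sees a full hash, so the check can be delegated to a third-party service without handing it a list of employee password hashes to crack. Accounts returned by `audit_accounts` are exactly the credentials an attacker doing the OSINT step above would try first.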
Areas of Citadelo OSINT:
It is definitely important to check out the company in terms of the depth of its expertise, i.e. quality, generally speaking. Ethical hacking is a complex discipline, and it is always good to look for a partner with proven experience of that complexity. The expertise and seniority of the ethical hacking team is absolutely key in this regard. The adage "If two do the same thing, it's not the same thing" is doubly true in this industry. I would look for a company that has ethical hacking as its core business.
Published information on references, vulnerabilities found and CVEs or reports issued, length of time in the industry, number of ethical hackers, their technology focus and much more are all very good inputs. Ultimately, I would recommend meeting with the selected company and going through their processes relating to the service, as this may be what makes it not only high-quality but also cost-effective.
If we have caught your interest, contact us today to be one step ahead of black hat hackers.