Meet Lewis Lockwood, Head of Infrastructure Application Testing in the ‘Meet the ICS Expert Series’
In today’s Meet the Expert series blog, we interviewed Lewis Lockwood, Head of infrastructure penetration testing and co-founder of Incursion Cyber Security. In this interview, Lewis shares insights into his unconventional career path, the intricacies of Infrastructure Penetration Testing, and the ever-evolving landscape of cybersecurity challenges. Join us in this conversation as we explore the core mission of his startup, the nuances between Infrastructure Penetration Testing and Cloud Assessments, and the critical role these assessments play in safeguarding organisations against the relentless onslaught of cyber threats.
Interview Questions
1. Could you please share a bit about your career journey and experience in the field of cyber security and infrastructure penetration testing?
“Throughout my life, I have always been very inquisitive, and my career is testament to my need for continuous learning and new challenges. Originally, my academic background led me to study law at university. However, it didn’t excite me as much as I’d hoped. Following a chat with my younger brother who was in the army, I shifted gears, embarking on an eight-year tenure in the army. During my later years in the military, my interest in physical security and technology was piqued, eventually steering me towards a career in digital security. On leaving the army I attended a security conference where I bumped into someone who offered me a free space on a course specifically designed to help veterans upskill. Shortly after completing the course, I secured a role with Context Information Security and the rest is history.”
2. What do you enjoy most about Infrastructure Penetration Testing?
“I enjoy the personal engagement and collaboration with clients as we work through the assessment findings together. While my focus extends to intricate and sophisticated attack vectors, I take pleasure in identifying seemingly minor issues that have a major impact on the client. It’s like unravelling a thread; observing the impact of rectifying a simple control flaw, such as a misconfigured network device with a default password to an admin panel, makes me happier knowing the basics are well covered. For instance, in a scenario involving 250 host devices, an annual test revealed a neglected network device. If that small fix had not been rectified, it could have led to significant economic impact on the business, had a threat actor taken their host devices down. This, for me, highlights the importance of addressing seemingly inconspicuous issues. This ability to make a significant difference with minimal interventions is a source of pride in my work.”
3. Could you share the core vision and mission behind your start-up?
“Our core mission is two-fold: to provide SMEs with accessible cybersecurity services and address the prioritisation gap in the industry. SMEs often face major business impacts from cyber-attacks with many struggling with the economic penalties. We challenge the unequal prioritisation of businesses that conduct testing based on customer revenue, ensuring all scheduled tests are conducted promptly, irrespective of size.
My co-founder and I were fortunate in that we were given the opportunity to hone our technical and consulting skills on the job with Context IS. We aim to create opportunities for veterans and blue lights entering the industry, recognising the financial challenges they may encounter as they may have to take a graduate role that doesn’t pay very much. We aim to change this by providing them with an employment and learning environment that supports their growth as they support our client’s security needs.”
4. What is the difference between an Infrastructure Penetration Test and a Cloud Assessment, aren’t they both the same thing?
“While there is some overlap, an Infrastructure Penetration Test primarily assesses a company’s physical and virtual IT assets, including hardware, software, OS (Operating Systems), and devices. On the other hand, a Cloud Assessment primarily focuses on evaluating configuration and cloud data security, with an emphasis on compliance in the cloud environment.”
5. How do you see the current state of infrastructure security amid evolving cyber threats, and what challenges do organisations face?
“Infrastructure security is lagging due to persistent tactics, techniques, procedures, and vulnerabilities. The rapidly changing threat landscape poses challenges for organisations trying to keep pace. Swiftly patching critical vulnerabilities is hindered by the size of large corporations, necessitating thorough testing before release, and that’s just one of a list of challenges. Many organisations rely on a variety of technologies to protect their perimeters to allow them to enhance their security controls and patch where needed to protect their assets.
The surge in hackers over the last five years is fuelled by accessible tools on the dark web, the integration of AI and automation, the rise of low-code platforms, increased device connectivity through the Internet of Things (IoT), and the use of cryptocurrencies. These factors collectively lower entry barriers, enabling individuals with malicious intent to engage in more sophisticated cyber threats. Interestingly, the average age of a hacker in the UK is 17; many do not fully comprehend the consequences of their actions.”
6. How do you align Infrastructure penetration testing with regulations, and can you share your experience with specific industry regulations?
“Explicit consent is vital for Infrastructure penetration testing, in line with the Computer Misuse Act (CMA). Complying with UK laws, such as GDPR or Payment Card Industry Data Security Standard (PCI DSS), is crucial. If in doubt, question and seek answers, and if you are still uncertain, speak with a legal expert where needed to ensure adherence to diverse regulatory frameworks.”
7. When prioritising assets for an infrastructure assessment, how do you assist clients in focusing on the most valuable or critical elements in the industry?
“The key differentiator lies in the distinction between a novice penetration tester and an experienced consultant. Understanding the business’s nature is crucial; for instance, an online gaming company would prioritise the assessment of its web infrastructure. Once we grasp the business complexities, we can provide tailored advice. Emphasising that all tests concentrate on the business rather than individual systems or assets is the fundamental principle to ensuring a successful outcome for the client.”
8. In penetration testing, how do you ensure your simulated attacks accurately mirror real-world situations, considering methods, tools, and customisation for a thorough evaluation?
“Following the 7-step cyber kill chain: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives, we tailor simulations to replicate real-world scenarios. Utilising tools such as Kali Linux and custom solutions, we balance automation and manual testing. Change is the one constant in life and the cyber world; the evolution of our methodology and tools to emerging vulnerabilities is continuous, ensuring our approach stays ahead. Good question: vulnerability scans are the initial under-the-hood check, while a penetration test resembles a comprehensive MOT, delving deeper for a thorough evaluation.”
9. What role do Infrastructure assessments and penetration testing play in helping organisations to reduce the economic threat of cybercrime?
“No system is foolproof; hackers or hacktivists will find a way in if they have the resources and are determined enough. A solid penetration test guides you on safeguarding your assets, making it too costly and time-consuming for hackers to break in. Consider the supermarket HR breach; it resulted in compliance fines and successful employee lawsuits. Similarly, the large automotive dealer’s incident went viral, causing both reputational and economic harm. The cost of a test vs. the cost of the assets you are protecting are the key economic metrics to consider when deciding on security and penetration testing budgets.”
10. What advice would you give to anyone who has been using the same penetration testing company for years?
“Consider diversifying your approach to penetration testing providers. Sticking with the same company for an extended period may lead to a narrow perspective. New insights from different providers can uncover vulnerabilities that might have been overlooked. Embrace a new and fresh perspective to enhance the effectiveness of your infrastructure security services.”
At Incursion Cyber Security we offer a number of robust External and Internal Infrastructure Application security assessments from security-cleared, certified experts. Discover how a pen test can help you to maintain compliance and increase operational resilience.