#WorkinginCSA: Life as a White Hat Hacker

09 Jul 2020

Ever thought of hacking as a career? For Henry Tan of CSA’s Cybersecurity Engineering Centre (CSEC), that dream became a reality. Find out how his passion for cybersecurity was ignited, and led him on the exciting path to become an IT product evaluator and certifier, and to develop initiatives such as the Cybersecurity Labelling Scheme.

1. What sparked your interest in cybersecurity?

I was lucky to be from the generation that saw the introduction of personal computers and the Internet! I fixed up my own computer in primary school and it was an Intel 286. However, I did not have many games at home and I had to play them at a computer store where many people would be waiting in line. This also meant everyone needed to complete the games in the shortest time possible and that was when I learnt from others that by modifying the hexadecimal values of the game files, it was possible to make the heroes more powerful. Soon, "hacking the game" became the game itself.

During my junior college days, I was the founding President of the Internet Research Club and we researched on the Internet and security, and discovered loopholes in trial versions of applications that could be exploited. I recalled a time where there was a Denial-of-Service vulnerability in Windows. My classmates and I would play pranks on other students by exploiting their machines, causing the infamous ‘Blue Screen of Death’! Thinking back, this was a mean prank, as it caused them to lose their work (that is why it is important to back up your data regularly).

I always knew cybersecurity was something I wanted to pursue as a career, and I am thankful that today as an IT product evaluator and certifier, I am able to find vulnerabilities legally, and help remediate them.

2. What is a typical day at work like for you?

A typical day includes toggling between managing a team of system engineers and overseeing projects. I set the direction and provide guidance, which ranges from completing the security evaluation of a product to developing proof-of-concepts to demonstrate vulnerabilities and exploits.

Recently, we also introduced the Cybersecurity Labelling Scheme (CLS), which is part of our efforts to better secure Singapore’s cyberspace and raise cyber hygiene levels. We have received positive feedback from the industry despite the CLS not being officially launched yet, and this keeps us motivated to do even better! We are now working on the detailed technical specifications and coordinating our efforts with the Infocomm Media Development Authority to prepare for the roll-out of the Scheme.
3. What makes you excited about coming to work?

Cybersecurity is constantly evolving and we are always evaluating new products, from hardware networking devices to software and mobile applications. Each product requires different techniques and skills, so there is always something new to learn.

I get to relive the thrill of hacking with my team when I see them crack their heads in an attempt to overcome the obstacles they faced, to having the "ah ha" moment when they discover a breakthrough. That is really the fun part about hacking!

I work with a great team who is passionate about what they do. We were fortunate to be given the opportunity to work on projects that impact the cybersecurity community both locally and internationally. For example, my team and I worked hard for Singapore to attain the status of a Certificate Authorising Nation under the Common Criteria Recognition Arrangement. We treated ourselves to a sumptuous collagen hotpot to replenish the collagen we lost over the many sleepless nights!

At times, we may be roped in to organise hacking demonstrations to raise public awareness of the dangers lurking in cyberspace. Recently, we were featured on Channel NewsAsia’s CyberPunk’d, and we demonstrated how downloading an untrusted application could lead to your mobile phone being compromised!

4. Tell us something interesting about your job that not many people know about.

Most people think our work is only about staring at computer screens all day. The truth is, it is a lot more than that. We have lasers, plasmas, x-rays and even focused ion beams in our labs! We use such tools to perform tests known as “Fault Injection”. For example, lasers are fired at the hardware chips at precise moments which could allow security measures such as user authentication to be bypassed or memory values to be changed. This allows us to identify and address the weaknesses discovered in the hardware.

5. What are 3 qualities that are important for someone in your role to have?

The person must be a team player, be creative to be able to circumvent security controls and have integrity so that knowledge of vulnerabilities in products is not misused for personal gains. This is why we are called White Hat hackers!