He sneaked up to the 20th storey of an office building, armed with a laptop and wireless adaptor. Nonchalantly, he hid in a toilet cubicle and started hacking.
But he was not committing a crime.
As a security consultant at Centurion Information Security, Mr Sayed Hamzah, 26, was hired by a client to hack into their system to test how secure it was. The company is a Singapore-based provider of penetration testing and security advisory services.
He told The New Paper: “It was shocking to see how easy it was to hack into people’s systems. I could see personal information such as passwords.”
Mr Hamzah added that there are three aspects to cyber security – detect and monitor, defend, and attack.
Penetration testing, which is the company’s specialisation, falls under “attack”, where security is tested.
“People think cyber security is about protection. The incident response aspect (detect and monitor), such as investigating, is perceived to be good, because it’s to protect,” he said.
“But a misconception about penetration testing is that hacking is used for evil, so there aren’t many people in this area.
“Protecting is not enough. How do you measure how well security controls are? You need someone to test it, to take on an attacker’s perspective.”
Mr Hamzah decided to step into the field of cyber security when he was in Secondary 3 and his friend’s Friendster account was hacked. It sparked his curiosity and he wanted to find out how it happened.
He decided to pursue a diploma in cyber and digital security at Temasek Polytechnic’s School of Informatics and IT, where he graduated at the top of the cohort in 2011.
A year before, he scored a four-month internship with Interpol in Lyon, France, where he was assigned to the Information Security Incident Response team, responding to security incidents that occurred within Interpol headquarters.
He practised investigative and malware analysis techniques to investigate how trojans, a type of malware that is often disguised as legitimate software, and viruses work.
He said: “I would take an affected laptop and investigate what the virus did to the machine, such as whether it affected other employees’ laptops and take steps to reduce the impact of the virus.”
Referring to the popular TV show, he added: “It’s like CSI, you have to do it in a controlled environment because you don’t want it to spread elsewhere during the course of the analysis.”
After completing his National Service, Mr Hamzah went to the Nanyang Technological University (NTU) School of Computer Science and Engineering, where he did a degree in computer science.
There, he felt that the course did not cover much about penetration testing, so he founded the NTU-CSEC (Computer Science and Engineering Club) Offensive Cyber Security Club in 2015.
He said: “Cyber security is getting more… important. Developers should have knowledge of cyber security, so that when they develop their application, they’ll have security in mind.”
Greater need for cyber security talent
As Singapore moves towards a digital economy, we will depend more on technology.
So, we will need more cyber security talent to protect and defend our cyberspace, said Miss Mandy Mak, course manager for the diploma in cyber and digital security at Temasek Polytechnic (TP).
She told The New Paper: “The demand for cyber security professionals is reflected in the recent government announcements to train more of such professionals, even those who wish to switch careers.”
TP’s course covers securing, testing and auditing critical IT assets against cyber-attacks and responding to cybercrime incidents.
The course focuses on developing skills-based cyber security professionals through a practice-based curriculum.
Miss Mak said: “For example, if they are taught ethical hacking, they must demonstrate that they are able to perform a vulnerability and penetration assessment on a given infrastructure. They must also give recommendations to eliminate, if not to mitigate the vulnerabilities found.”
TP’s Students’ Security Chapter, an interest group, also organises cyber security events such as the All About Security and Forensics Seminar each year to network with the industry and keep themselves up to date with the latest news on the security landscape.
“They have a holistic experience that enables them to be well-skilled and well-informed cyber defenders,” said Miss Mak.