SySS Founder Sebastian Schreiber Interviews for vpnMentor

I founded SySS in 1998, so at the moment we are 20 years old. We specialize in penetration testing, meaning, we simulate cyber-attacks against our clients' IT systems, active directories, windows clients, IP ranges and web applications. We also provide pen-testing for cars, industrial systems, IoT devices, and even coffee machines.

We use our own hacker tools to test systems, and then we write reports, which our clients can use to fix their problems and get a secure IT system.

At the moment we've got 107 employees in Germany and Austria, but we do checks all over the world, and particularly for clients in the US and China. We also do talks on big IT security conferences. This year we are going to give a talk about hacking biometrics at the "positive hack days" event in Moscow, which is taking place on the 15^th and 16^th of May, 2018.

What are the most important factors an organization must look at when compiling a cyber security strategy?

It's not easy at all to get cyber security running, as it is the most complex challenge of IT professionals today. You have to handle bad software, bad protocols that are being used, bad coding habits and errors that go years back. There are also big challenges such as digitizing old processes and constantly optimizing your performance. In our view it's most important to check where the vulnerabilities are, because it makes you able to focus on the important points, and identify the weak spots so you can fix them.

Our clients include IT security officers, who engage our services to execute simulated cyber-attacks as a means to test their systems. In certain instances, our contact isn't the IT department but could be an e-commerce business seeking to fortify their payment systems, or other professionals within an organization who require our service to enhance their defensive measures.

Cloud-based applications have introduced many new threats to both organizations and individuals. What are your views?

Cloud-Based means that you give information to others, but the question is who owns the system and who pays for its maintenance. We do our pro checks against on-premise and cloud systems alike. There's absolutely no difference if the data is hosted on your own server or on Amazon's. The vulnerabilities can live in the cloud or on-premise. The security issue with the cloud is that you give permission to 3^rd parties, however, its more than likely that Amazon's engineers will do a better job maintaining and protecting their cloud environment than you would on your own private server.

In terms of typical web application problems like cross-site scripting, OS command injections and other hacking techniques, there's no difference if you're hosted on-premise or in the cloud.

We don’t approach the human problems but we like to do live hacking presentations to show people the real risks. Live hacking is a measure we use to awaken the employees to become more aware of the risks of malpractices, but our service is not to handle the human approach. In my view there's no use in saying to employees: "don’t click on word attachments", or likewise; most employees will do it anyway because they need to do their job. Hardening the employees wouldn’t solve the problem.

We do pen testing workshops and specialized workshops about web application hacking and IoT hacking. We offer trainings, but that's only a small part of our business. We do that mainly because we want to share our knowledge with our customers.

What new trends can we expect to see in the cyber world in the near future?

I think cyber is becoming more and more important but that's not new. I have been running the company for 20 years now and I expect market growth to continue at the same rate as it has been in the last 20 years, so no strategic change on that front. IT systems may have become better today than they were previously, but nevertheless, the demand for cyber security solutions continues to grow. As for the long term future, only time will tell.