SySS Founder Sebastian Schreiber Interviews for vpnMentor
Founded by managing director Sebastian Schreiber, SySS GmbH has become a successful and rapidly growing IT security company, serving as a professional security partner for businesses of all sizes. In this interview, Schreiber stresses the importance of penetration testing and shares insights from his work. Share
I founded SySS in 1998, so at the moment we are 20 years old. We specialize in penetration testing, meaning, we simulate cyber-attacks against our clients' IT systems, active directories, windows clients, IP ranges and web applications. We also provide pen-testing for cars, industrial systems, IoT devices, and even coffee machines.
We use our own hacker tools to test systems, and then we write reports, which our clients can use to fix their problems and get a secure IT system.
At the moment we've got 107 employees in Germany and Austria, but we do checks all over the world, and particularly for clients in the US and China. We also do talks on big IT security conferences. This year we are going to give a talk about hacking biometrics at the "positive hack days" event in Moscow, which is taking place on the 15th and 16th of May, 2018.
What are the most important factors an organization must look at when compiling a cyber security strategy?
It's not easy at all to get cyber security running, as it is the most complex challenge of IT professionals today. You have to handle bad software, bad protocols that are being used, bad coding habits and errors that go years back. There are also big challenges such as digitizing old processes and constantly optimizing your performance. In our view it's most important to check where the vulnerabilities are, because it makes you able to focus on the important points, and identify the weak spots so you can fix them.
We work with IT security officers, who order our simulated cyber-attacks to test their systems. In some cases, it would not be the IT team who calls us but rather, an e-commerce who want to make their payment systems bulletproof, or other professionals within organizations that need this service to improve their defenses.
Cloud-based applications have introduced many new threats to both organizations and individuals. What are your views?
Cloud-Based means that you give information to others, but the question is who owns the system and who pays for its maintenance. We do our pro checks against on-premise and cloud systems alike. There's absolutely no difference if the data is hosted on your own server or on Amazon's. The vulnerabilities can live in the cloud or on-premise. The security issue with the cloud is that you give permission to 3rd parties, however, its more than likely that Amazon's engineers will do a better job maintaining and protecting their cloud environment than you would on your own private server.
In terms of typical web application problems like cross-site scripting, OS command injections and other hacking techniques, there's no difference if you're hosted on-premise or in the cloud.
We don’t approach the human problems but we like to do live hacking presentations to show people the real risks. Live hacking is a measure we use to awaken the employees to become more aware of the risks of malpractices, but our service is not to handle the human approach. In my view there's no use in saying to employees: "don’t click on word attachments", or likewise; most employees will do it anyway because they need to do their job. Hardening the employees wouldn’t solve the problem.
We do pen testing workshops and specialized workshops about web application hacking and IoT hacking. We offer trainings, but that's only a small part of our business. We do that mainly because we want to share our knowledge with our customers.
What new trends can we expect to see in the cyber world in the near future?
I think cyber is becoming more and more important but that's not new. I have been running the company for 20 years now and I expect market growth to continue at the same rate as it has been in the last 20 years, so no strategic change on that front. IT systems may have become better today than they were previously, but nevertheless, the demand for cyber security solutions continues to grow. As for the long term future, only time will tell.