What is “Jarno Baselier Cybersecurity” and what do you do?
Jarno Baselier Cybersecurity is a high-quality security testing and educational company. We specialize in performing penetration tests (pentests) in industrial environments and corporate office environments.
Jarno Baselier Cybersecurity was founded in 2022 by (no surprise here) Jarno Baselier. The company started after many years of experience in the field and because the demand for high-quality pentests is significant, especially within industrial environments.
Securing IT components within industrial environments is something that becomes more and more critical and not many specialists have the knowledge to perform these tests correctly and with the right amount of care. Since I have been working in these environments (we call them “OT” or “Operational Technology” environments) for years and have given quite a lot of training, I decided it was time to help more organisations by offering my services to them.
When I started out in the cybersecurity world this was not so mainstream as it is today. We are talking 2010/2011. At the time I was working as a system engineer for a large dental company in the Netherlands. Cybercriminals were rising and so was law enforcement. Think about GDPR (called AVG in the Netherlands). Since I was dealing with system security I really wanted to know and learn how attackers work. Because we can only protect what we know, right?
At the time there were not many certifications regarding “ethical hacking”. The one that stood out at the time was ECCouncil’s Certified Ethical Hacking. So I decided I needed that certificate to know in depth how cybercriminals work. Well, a little spoiler… this was not so true. Because this turned out to be just the beginning. Nevertheless it was a nice certificate to start in this business. My teacher at the time was Tim Pearson. Tim was a very inspiring person and later on became a friend of mine. After the course (that lasted a week) I drove Tim to the airport and he offered me an “internals position”. Basically he was saying “do the nasty work for free and I’ll teach you the tricks of the trade”. And so I did. Later on I participated in writing the v9 course for the Certified Ethical Hacking course.
I learned a lot these first few years. Not only technically but I also had so much fun practicing and helping out that I knew this was what I wanted to do in the future. In the years that followed “cybersecurity” became a hot item. More and more breaches were disclosed to the public (with help of the media). The awareness of companies and employees rose and attackers became more and more sophisticated. Hacking nowadays looks nothing like hacking in the early 2000s. Attacks usually are not that easy anymore and take proper planning and a high level of skill. Because attackers get more sophisticated, defenders also need to keep evolving in knowledge and skill. That is the ever-lasting “cat and mouse” game that is similar to what is happening between criminals and the police.
So that was what I did in the years that followed. I tried to learn and practice as much as I could. I started my own blog back in 2014 and recently I started my own YouTube channel. Both channels are Dutch but focused on delivering great quality content especially for offensive security specialists. I believe we have a shared effort in making the world a better and safer place. By sharing my knowledge I hope to help others so they can grow and share new knowledge on their own. That is the beauty of the cybersecurity world. There is so much to learn that I’ll keep learning every day.
My father always told me that it doesn’t matter what I’ll do in life but to be the best in the thing that I’ve chosen to do. So after I gained more knowledge I started working at a Dutch CERT also carrying out multiple penetration tests and learning more about defending/monitoring capabilities.
Every test I perform is not only valuable for the company but also for myself. Sometimes these tests are offensive and sometimes we collaborate with the so-called “blue team”. The blue team is the “defending party” performing tasks like monitoring, response, threat hunting etc. When the red team (me, the offensive party) and the blue team work together we call this “purple teaming”. Lately we see that “purple teaming” is a vital part of a good security strategy. Usually we start an engagement with a red-team approach and later we “replay” the lessons learned together with the blue team so they can learn and see what we did and we can help them to find the right artifacts and build functional triggers.
After performing many penetration tests with varying scopes (on-premise infrastructure, webapps, cloud infrastructure, operational technology) and after gaining more certificates to qualify myself (OSCE, OSEP, OSWE, CSA) I used my channels not only to share information but also to really teach. My YouTube channel contains a lot of “educational” videos that are specially created to train my colleagues for free. The channel will get 100 educational videos this year covering a variety of topics and good for 75 hours of training. So when that project is done I might consider creating a “paid” training.
Having a social channel for so long has many benefits when it comes to “trust” and people willing to hire you. Because of the high demand for penetration testing services and training wishes I decided to establish my own firm. This gives me the ability to take the jobs that I find highly interesting and to teach the way I believe is most effective. Sometimes my masterclasses are 2-4 hours and sometimes it’s more intense and they are spread over a couple of days. This depends on the skill-level and the number of attendees.
The challenges the business/market is facing
From my point of view the market is facing many challenges. From advanced attacks and rising costs to the shortage of qualified personnel. For 2023/2024 I see 3 main challenges.
1. Securing Operational Technology in Industrial Environments
For years cybersecurity was focused on all regular ICT components like Windows operating systems, Active Directory user orchestration, WebApps and common protocols like TCP/IP. And although many assets of “regular” ICT are found within industrial automation this field remains completely different. Think about:
· The use of specialized protocols (like Modbus, Profinet, DNP3 etc.);
· The use of specialized software;
· The use of specialized hardware;
More importantly, all IT components manage specialized hardware controlling machines. And sometimes these machines are vital. So downtime of these machines can result in huge financial losses, accidents and even the loss of human lives.
The thing is that all of these machines are very expensive and have a long lifecycle. Some machines are running for 20-40 years. Because of these long lifecycles the machines and the controlling software are not built with the latest security best practices. Besides this it is also hard to plan scheduled maintenance timeframes in a running environment. This makes patching and updating the systems very hard. So in industrial environments the stakes are high and the security is usually outdated. Hackers know this. Industrial environments are hackable and because of their high stakes they are ideal for malicious attackers willing to extort their victims. So the need to test and secure these environments was never higher than it is today. As a pentester you need to know what you are doing in these specialized environments because 1 little mistake may result in downtime and huge financial losses. This asks for qualified testers that know how to perform security tests safely in these sensitive environments.
2. Ransomware Extortion
Extortion, as described in the previous paragraph, might be the biggest cybersecurity threat at this moment. Traditionally ransomware encrypts sensitive files on the computer and asks for a ransom to unlock these files again. However, the process of encrypting every file on a system is a time-consuming process. This gives the victim time to intervene and save some data by terminating the malware before data is encrypted. Besides that, companies have the potential to restore from backups without paying the ransom. The new hype is to only exfiltrate data and extort the business by threatening to publicly release the data. This type of attack is faster to carry out, harder to detect, and cannot be fixed using backups.
3. (Cloud) Third-Party Threats
Another big change in the cybersecurity world is the fast adoption of cloud computing. SaaS tooling is being adopted at rapid speed but also IaaS (Infrastructure as a Service) is being implemented at large scale and usually exists beside on-premise infrastructure. Usually these environments are relatively safe, but unfamiliarity with cloud security best practices, the cloud shared security model, and other factors can make cloud environments sometimes more vulnerable to attack than on-premise infrastructure. Attackers have the advantage that they can test these environments on a global scale. A big trend is that besides cloud service users also cloud service providers are being targeted. This way a cybercriminal can gain access to their customers’ sensitive data and potentially their IT infrastructure. This way the impact of an attack can be way bigger and more beneficial for an attacker.
The opportunities the business/market is facing
Since we are facing advanced attacks on a large scale in an ever expanding ICT environment the work of blue teams and red teams was never this important. As an example, a few months after the COVID-19 pandemic hit in 2020 the number of cyber attacks increased by 63%. And 2021 was even worse. The number of breaches through the end of September 2021 had already exceeded the total 2020 number by 17%. 2023 will be no different. The alarming increase in the number of breaches and cyber attacks is compounded by another worrisome trend: the rising cost of breaches.
This knowledge and the fact that there is a huge shortage of skilled personnel means there is a high demand for almost all kinds of cybersecurity professionals. Red team, blue team and management jobs. Think about:
· Cybersecurity engineers
· Cybersecurity analysts
· Ethical hackers
· Malware analysts
· CISOs and ISOs
This means there is enough work in this branch, there are many training opportunities and a good salary can be earned.
Advice to others about business
Since the cybersecurity industry is booming there are many startups (like myself). In a “booming” industry a lot of money is earned while the quality is not always guaranteed. Everybody tries to get its share. We see there is a need for auditors of security suppliers which issue a seal of quality after a successful audit. This way companies know that at least internal procedures are in place and enforced.
Delivering the best quality to your customers is vital in this sensitive branch. Pentesters need to advise in making the environment more secure instead of making it more insecure after a pentest (I have seen this happening more than once). To do so I advise organizations to invest in themselves and in their personnel. Make sure the company gets at least a seal of quality and the pentesters are trained for the jobs they need to perform. Also show the customers your personnel is trained so the customer can be assured the job will be well done.
Another tip I like to give is to send the same team to the same company for follow-up jobs if possible (if the personnel is trained to do so). Seeing a familiar face is always nice. It gives the customer a feeling of trust and for the pentester it’s fun to work in an environment that they already (partially) know. In the end this will also be beneficial to the final quality of the test.