Greig St John is the first known Grenadian to earn the coveted CompTIA PenTest+ Certification. The training behind it makes him a cybersecurity professional who is skilled in testing systems for vulnerabilities and recommending improvements.
St John’s expertise covers not only traditional desktops and servers but also newer environments such as the cloud and mobile devices.
Hailing from Gouyave, the Penetration Tester/Ethical Hacker said not only do you have to get permission to enter a company’s system, but you must also have moral ethics. “The difference between a good hacker and a bad one is permission. Both do the same thing; one just got permission to do it. You must have a moral-ethical conduct to be a penetration tester,” said St John. CompTIA defines a Penetration Tester as a good hacker, “Although they must think like a bad guy, the end goal is to help organisations improve their security practices to prevent theft and damage.” To do that, they must enter your company’s network system to evaluate any vulnerabilities that could cause a shutting down of critical services or a serious breach of confidential data. “As a tester, you are just there to get in. You are not supposed to be looking at any stuff – any documents, just to look for vulnerabilities in the system. Ethical hackers are the good guys. They are people that like to help,” said St John.
When cyberattacks occur, the ripple effect can be catastrophic not only for the business but even more so for its customers. Caribbean Maritime, in an article entitled ‘Defending Against the Cyber Attacker’, stated that an open door can provide access to credit card data and payroll information, cause hardware and operating systems to malfunction, and much more. Ethical hackers such as St John test systems without malicious intent: they do no harm and do not pry into confidential data such as documents, pictures or financial reports, let alone use it for mischief. “Ethical hackers are the good guys. We are people that are here to help,” said the island’s only known penetration tester.
When asked what the top two things businesses should keep in mind about security are, St John answered frankly: failure to apply security patches to computer systems, and then weak passwords. To him these are the easiest points of entry for ill-intentioned hackers. On system updates, he said most companies and businesses do not update their systems, many of which must be patched manually. “Hackers with their tools, can crack systems in less than 10 seconds,” said St John. “In the Caribbean, cybersecurity is not taken seriously. Although there are no published hacks, many businesses put their systems at risk with simple errors such as a weak password such as, ‘Password 123’ or ‘Default123’ or ‘Password’. This, in addition to a lot of people [who] stick up their passwords on their desks or write them on their desks, while some computer systems have no password credentials.”
St John added that the passwords for wireless routers are another weak point. “People hardly change their default username and password for their Wi-Fi. Most times it is ‘Admin,’ or ‘Password’, or you could just Google the brand and it will tell you the default password for the router in some very common instances. Wi-Fi connections are left open for anyone to connect. Changing these default credentials and using unique usernames and strong passwords, although it is a fundamental and easy step, goes a long way in preventing intruders from entering your network.”
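The two weak points St John names above, unpatched systems and weak or default credentials, are easy to turn into a routine self-check. The script below is an added example, not code from the article or from CompTIA: it audits a constructed inventory of hosts against a small denylist built from the passwords quoted in the article plus a few generic router defaults, checks router accounts for vendor-default username/password pairs, and flags any system whose last patch date is older than an assumed 30-day policy threshold. The denylist, the threshold and the sample inventory are all assumptions for illustration; a real audit would load a published weak-password wordlist and read the inventory from asset management.

```python
"""Hygiene audit for the two weak points the article highlights:
unpatched systems and weak or default credentials.
Added example; the inventory, denylist and threshold are constructed."""
from datetime import date
import re

# Constructed denylist: the weak examples quoted in the article plus a few
# generic defaults. A real audit would load a published wordlist.
WEAK_PASSWORDS = {"password", "password123", "default123", "admin", "123456"}
# Constructed vendor-default pairs commonly shipped on home/office routers.
DEFAULT_ROUTER_CREDS = {("admin", "admin"), ("admin", "password")}
MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold, not from the article


def normalise(secret):
    """Collapse spaces, dashes, underscores and case so that
    'Password 123' matches 'password123' in the denylist."""
    return re.sub(r"[\s_\-]", "", secret).lower()


def audit_credentials(username, password, is_router=False):
    """Return a list of findings for one account (empty list = no issue)."""
    findings = []
    if password == "":
        findings.append("no password set")
        return findings  # nothing further to judge
    norm = normalise(password)
    if norm in WEAK_PASSWORDS:
        findings.append("matches a known weak or default password")
    if is_router and (username.lower(), norm) in DEFAULT_ROUTER_CREDS:
        findings.append("router still uses vendor default username/password")
    if normalise(username) == norm:
        findings.append("password equals username")
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    # Count character classes present: lower, upper, digit, symbol.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        findings.append("fewer than three character classes")
    return findings


def audit_patching(last_patched, today):
    """Flag a host whose last patch is older than the policy threshold."""
    age = (today - last_patched).days
    if age > MAX_PATCH_AGE_DAYS:
        return [f"last patched {age} days ago (limit {MAX_PATCH_AGE_DAYS})"]
    return []


def audit_inventory(inventory, today):
    """Run both checks over every host; return {hostname: [findings]}
    containing only hosts that have at least one finding."""
    report = {}
    for host in inventory:
        findings = audit_credentials(host["user"], host["password"],
                                     host.get("router", False))
        findings += audit_patching(host["last_patched"], today)
        if findings:
            report[host["name"]] = findings
    return report


# Constructed sample inventory and audit date (not real systems).
AUDIT_DATE = date(2023, 6, 1)
SAMPLE_INVENTORY = [
    {"name": "fileserver", "user": "backup", "password": "Password 123",
     "last_patched": date(2023, 1, 5)},
    {"name": "office-wifi", "user": "admin", "password": "admin",
     "router": True, "last_patched": date(2023, 5, 1)},
    {"name": "kiosk", "user": "kiosk", "password": "",
     "last_patched": date(2023, 5, 20)},
    {"name": "hr-laptop", "user": "maria", "password": "Jx9!vTq2#mL7pR",
     "last_patched": date(2023, 5, 25)},
]

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(host)
        for f in findings:
            print("  -", f)
```

Run as-is it reports the file server (denylisted password, 147 days unpatched), the router (default credentials, far too short, 31 days unpatched) and the kiosk (no password at all), and stays silent on the laptop that is patched and uses a long mixed-class password. The `normalise` step matters: without it, the article’s “Password 123” would slip past a denylist that only holds “password123”.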
Seldon Walker, Informatics Coordinator at the T A Marryshow Community College and a fellow resident of Gouyave, believes St John’s skill set is timely because services such as e-government, e-medical systems, e-classrooms and general records are built around database systems, so there is an urgent need for all such systems to be routinely evaluated. “There are so many vulnerabilities we are exposed to because we think the companies we trust do what is called ‘due diligence’ and perform these tasks that we expect and pay them to do.” He therefore emphatically recommends that local companies seek expert advice from St John and others like him who are trained in cybersecurity. “St John should be highly praised as being the first in Grenada to carry the certification; it paves a new way of technological advancement in the country. In fact, he should be someone that is contacted for consultancy advice to ask: Are we doing this right?”
Walker, who holds the CompTIA Advanced Security Practitioner (CASP) mastery certification, argued that firewalls are not enough. “Companies may have some really good networking professionals that are good at setting up firewalls, and that is just the first line of defence and sometimes the only line. Attackers tend to look for the weakest point, which can be anywhere from poorly maintained systems to poorly trained staff, to identify what is a social engineering attack,” said Walker.
CompTIA is the world’s leading tech association; it sets industry standards and often works alongside well-established Information Technology (IT) firms across multiple hemispheres. Greig St John’s CompTIA PenTest+ Certification certifies him to: plan and scope an assessment; understand legal and compliance requirements; perform vulnerability scanning and penetration testing using appropriate tools and techniques; analyse the results and produce a written report containing proposed remediation techniques; and effectively communicate results to management and provide practical recommendations.
Before achieving this success, St John had already earned numerous certifications, some of which qualify him as a CompTIA Secure Infrastructure Specialist, CompTIA Network Vulnerability Assessment Professional, and CompTIA Systems Support Specialist.