TAMPA — Jessica LaBouve breaks it to companies gently. Their pride and joy, the application or platform they spent so much time developing, isn’t secure.
“It’s almost like you’re telling them their baby’s ugly,” she said.
LaBouve, 24, is a penetration tester for Tampa cybersecurity company A-LIGN, an ethical hacker who kicks the metaphorical tires on a company to find their security weaknesses. But instead of exploiting a weakness she finds, LaBouve points it out to the company and tells them how to improve. She likens it to what a personal trainer does.
“You really don’t like (personal trainers) when you’re working with them,” she said. “But when you see the results, you’re like, ‘Oh. This is why I’m doing this.'”
A-LIGN is a cybersecurity auditing company that helps companies shore up their security practices to meet industry and legal standards.
Most of the issues LaBouve finds are common missteps. Google a “Top 10 most common vulnerabilities” list and chances are, LaBouve has found one of them in each audit she does. Among the most basic offenses are employees who use the default username and password, which is guessable, or keep login credentials in an easily-findable spreadsheet.
“The easy stuff shouldn’t be the stuff that I’m finding,” LaBouve said.
LaBouve and her team primarily test a company’s web applications — such as a website — and their network — a company’s computers, servers and internal network. Internal networks are where she often finds some of the most glaring vulnerabilities, as companies tend to protect their systems from being penetrated from the outside. LaBouve likens it to letting your guard down when living in a gated community.
“You think you’re safe from the outside, so you don’t lock your door. You don’t check your windows,” she said. “I’m going around companies and I’m checking their windows, and I’m checking their locks. I’m making sure they didn’t leave a key under the mat.”
She also does “social engineering” tests, where she interacts with employees and tries to get them to disclose login credentials or give her access to spaces she shouldn’t be allowed. Often, she’ll send emails impersonating an employee such as a human resource representative, asking them to reset their email and follow up with a call to make sure they got the email. There hasn’t been an audit yet where she wasn’t able to obtain at least one set of login credentials.
LaBouve finds that she stands out in an often male-dominated field. She was the first person to graduate from Middle Georgia State University’s cybersecurity program in 2017, and was often one of just a handful of women in her classes.
“When I walk into a room, your last thought is a (penetration) tester,” she said.
But that only helps her do her job better, she said, especially when she needs physical access. If they don’t consider her a threat, her job is easier.
LaBouve’s ability to communicate with her clients and break down complex technical topics is an asset, especially for those who aren’t as technically minded.
“I’m here to guide you through this process,” she said. “I want to make you better and myself better.”
It’s easy to blame a company for having lax digital security, but LaBouve said it isn’t always an issue of laziness or incompetence. The security landscape is evolving rapidly, and there are so many things to keep track of that some fall through the cracks.
Keeping up with the field, then, is paramount to successfully vetting a company’s security. LaBouve and her colleagues stay up to date with their skills by completing certifications, volunteering in the community to expose themselves to different people and methods, and attending conferences.
Spending the majority of her week breaking other people’s security means she thinks deeply about her own digital vulnerabilities. LaBouve isn’t on many social media platforms, and doesn’t put out much information about herself. At home, she has a robot vacuum, but it isn’t connected to the internet. And she doesn’t have any home assistants, such as Amazon’s Alexa.
“You have to walk a fine line, right? You don’t want to be paranoid and terrified,” she said. “But at the same time, be cognizant of the risks you’re taking and what you do.”
Part of staying sharp and present at work for LaBouve is finding joy outside of the office. She describes herself as having an “always-on-the-go” drive, and opts to be outside or with friends. Much of her spare time is spent at the gym, where she practices powerlifting.
“I’ve always been into different things,” she said. “I think that’s why the hacking works, too. I like to be unconventional.”