Boosting cybersecurity with ethical hacking
Arjun was trying to hack into Capital One’s offices, but nothing worked—to his relief.
As a senior cyber security engineer for Capital One’s Offensive Security team, Arjun and his colleagues protect the company against virtual security threats. They employ ethical hacking—using many of the same tactics and techniques criminal hackers use—to keep Capital One products and networks safe.
“The longer our team does this work—and the more we collaborate—the more sophisticated our techniques get for testing the strength of Capital One’s security,” Arjun said. “As a result, our security gets stronger and stronger.”
Learn more about cyber security roles at Capital One that leverage technology and teamwork to protect the company, its customers and associates.
Decoding offensive security
Offensive Security divides its work into three teams: PenTest, Red Team and Responsible Disclosure/Bug Bounty.
Associates in PenTest, which stands for “penetration testing,” examine Capital One products and applications to identify and exploit as many vulnerabilities as possible. The tests are done with the product owner’s knowledge and can take up to four weeks.
Clint, a senior manager for Offensive Security, performs PenTests of applications and related infrastructure, like endpoints, databases and payments. This work protecting customers from threats is what convinced Clint to join Capital One in 2020 after spending much of his career working for the Department of Justice and the U.S. Navy Reserve.
“You feel like you’re part of a team and a greater mission,” Clint said. “We’re affecting change in a really powerful way.”
Red Team includes covert agents who emulate real-world attack scenarios to evaluate defensive capabilities over the course of multiple months. Arjun is a member of the Red Team, and his attempt to hack into Capital One’s offices was part of the team’s work to identify any vulnerabilities before the bad guys can.
“We get to be really creative and use our imaginations because we’re throwing anything we can at Capital One’s systems and products to try and bypass our corporate defenses,” Arjun said. “It’s a game of cat and mouse.”
Responsible Disclosure/Bug Bounty manages vulnerabilities discovered by associates and external security researchers. Aurielle, a principal security engineer, performs triage on the vulnerability reports. She then coordinates correcting the issue by working with the team that owns the product at risk and the individual or vendor who found the problem.
While Aurielle uses her technical know-how to sort through any issues, she said communication is one of the most important skills in her role.
“We have to explain to other teams—Card, Marketing or Financial Services—what the issue is and how we can make it better in a non-technical way that they can understand,” Aurielle said. “I love that educational component.”
Sharing cybersecurity knowledge
Offensive Security associates give back by sharing their findings, solutions and methodologies with colleagues across Capital One through an internally-developed resource that provides associates the chance to learn about offensive security from peers who are subject matter experts.
The Offensive Security team creates and leads workshops, demonstrations and learning tracks that help associates prepare for offensive security certifications. Jay, a senior cyber technical associate for Offensive Security, has presented on web application finding and hosted a hacking workshop.
“Our emphasis on learning and teaching is my favorite part because we’re actively equipping associates with the skills to identify and solve risks to our digital infrastructure,” Jay said. “We’re never resting on our knowledge. We’re always learning.”
For Clint, who has taught cybersecurity at the collegiate level before, Offensive Security’s work represents everything he loves about working at Capital One: continuously innovating, countless learning opportunities and sharing knowledge so the whole company can grow together.
“You don’t encounter people at Capital One who say ‘I’ve been doing this for 20 years, I don’t need to learn anything,’” he said. “We stay at the forefront of tech because we’re curious and collaborative.”