When Paula Januszkiewicz isn’t chasing down intruders or examining technology evidence for legal cases, she’s poring over the Windows source code, learning more about its inner workings. The founder of security consulting company CQURE is an IT security auditor and penetration tester, cloud and data center management MVP and Microsoft Certified Trainer, and also holds the title of Microsoft Security Trusted Advisor. That’s not bad for someone who started out administering her high school’s IT network.

Januszkiewicz will be talking about how to track down hackers in your networks this October as a keynote speaker at the first virtual version of the SecTor conference. She has lots of experience to draw on.

After whipping her high school network into shape she went on to work in a cybersecurity consulting company, but her entrepreneurial spirit compelled her to strike out on her own, setting up CQURE in 2007.

“I was engaged all the time in pen testing activities, forensics, and incident response,” she says, “and eventually in sharing the tools involved with others in presentations.” She started the CQURE Academy, which teaches virtual classes in everything from Windows security to forensics, in 2008.

Rogue admins and bad evidence

She’s seen things that would make your toes curl in her work tracking down intruders, including an admin who was compromising his own network. The client, which owned a large factory, suspected the admin’s intentions and hired CQURE to investigate him. Januszkiewicz and her team probed the factory’s infrastructure under the pretence of handling some other projects, and found that he had been bringing servers down himself and then claiming the credit for fixing them. “Then it later appeared that there was a competitor who paid him to do that kind of job,” she explains.

Another case was less successful. Her company was called in as an objective analyst to evaluate the evidence in a case of click fraud. Januszkiewicz and her team had to analyse the evidence the FBI had gathered and see what conclusions they could reasonably draw from it.

“At the end, the guy was not prosecuted,” she recalls, explaining that the data gathered wasn’t complete. There simply wasn’t enough evidence. “That shows the importance of collecting the evidence properly,” she says. “Because otherwise, later on in court we won’t be able to act in the way that we want to.”

Nurturing cybersecurity skills

Both these cases highlight the importance of digital forensics, which is a skill Januszkiewicz has nurtured at her company over the years. “When you are collecting evidence after an attack, it is important to maintain cleanliness and not to touch anything before we actually make a dump,” she says.

Treading lightly means following a meticulous process in which you dump the compromised machine’s memory and then its disk. Investigators often get it wrong. She recalls one case where CQURE was called in for technical assistance partway through an incident response process.

“There was already some other team performing the evidence gathering,” she says. “They were doing it in a way that could potentially destroy the evidence and alter the analysis later.”

There are generic forensic guidelines for analysing something without altering it, but every case is different and forensic analysts sometimes have to adapt. In one case, she had to write a tool to extract Microsoft Event Viewer logs (evtx files) from memory before saving them to a drive. “Luckily we had already reverse-engineered evtx files so we knew how they worked,” she recalls. “It took us six months, but based on that we were able to act quickly because of the knowledge that we had.”
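As an added illustration of why knowing a log format inside out matters when you have to pull it out of memory rather than off disk (this is example code written for this page, not CQURE’s tool): a small Python carver that locates EVTX chunks in a raw memory buffer by their “ElfChnk” signature, verifies each chunk’s header checksum before trusting it, and lists the record ids and timestamps the chunk holds. The chunk layout is assumed from the publicly documented EVTX format, and the “memory image” it scans is constructed inline.

```python
# Added illustration, not CQURE's tool: carve EVTX chunks out of a raw memory buffer.
# Layout assumed from the public EVTX format: 64 KiB chunks headed by "ElfChnk\0",
# CRC32 over header bytes 0..119 and 128..511, event records ("**\0\0") from offset 512.
import struct
import zlib
from datetime import datetime, timedelta, timezone
CHUNK_MAGIC, RECORD_MAGIC, CHUNK_SIZE = b"ElfChnk\x00", b"\x2a\x2a\x00\x00", 0x10000
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here
def chunk_checksum(chunk: bytes) -> int:
    return zlib.crc32(chunk[:120] + chunk[128:512]) & 0xFFFFFFFF
def parse_records(chunk: bytes):
    """Walk records up to the free-space offset; stop at the first inconsistent one."""
    free_space = struct.unpack_from("<I", chunk, 48)[0]
    off, out = 512, []
    while off + 28 <= free_space and chunk[off:off + 4] == RECORD_MAGIC:
        size, rec_id, ft = struct.unpack_from("<IQQ", chunk, off + 4)
        if size < 28 or off + size > free_space or struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
            break  # size must fit the used area and match its trailing copy, else the record is damaged
        out.append((rec_id, EPOCH_1601 + timedelta(microseconds=ft // 10)))
        off += size
    return out
def carve_chunks(mem: bytes):
    """Return (offset, first_id, last_id, records) for every chunk whose header CRC verifies."""
    hits, pos = [], mem.find(CHUNK_MAGIC)
    while pos != -1 and pos + CHUNK_SIZE <= len(mem):
        chunk = mem[pos:pos + CHUNK_SIZE]
        if struct.unpack_from("<I", chunk, 124)[0] == chunk_checksum(chunk):  # skip torn/overwritten chunks
            first_id, last_id = struct.unpack_from("<QQ", chunk, 24)
            hits.append((pos, first_id, last_id, parse_records(chunk)))
        pos = mem.find(CHUNK_MAGIC, pos + 1)
    return hits
def build_sample_chunk(records, corrupt=False) -> bytes:  # constructed test data, (record_id, filetime) pairs
    body = b""
    for rec_id, ft in records:
        payload = b"\x0f\x01\x01\x00"  # stand-in for the BinXML body, which this carver does not decode
        size = 28 + len(payload)
        body += RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, ft) + payload + struct.pack("<I", size)
    chunk = bytearray(CHUNK_SIZE)
    chunk[0:8], chunk[512:512 + len(body)] = CHUNK_MAGIC, body
    struct.pack_into("<QQQQI", chunk, 8, 1, len(records), records[0][0], records[-1][0], 128)
    struct.pack_into("<II", chunk, 44, 512 + len(body) - size, 512 + len(body))
    struct.pack_into("<I", chunk, 124, chunk_checksum(bytes(chunk)) ^ (1 if corrupt else 0))
    return bytes(chunk)

# Constructed "memory image": junk, one valid chunk, junk, one chunk with a bad checksum.
FT_2020 = int((datetime(2020, 10, 21, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
SAMPLE_MEM = (b"\x00" * 100 + build_sample_chunk([(41, FT_2020), (42, FT_2020 + 10_000_000)])
              + b"\xff" * 37 + build_sample_chunk([(7, FT_2020)], corrupt=True))
```

Running `carve_chunks(SAMPLE_MEM)` returns only the intact chunk at offset 100 with records 41 and 42; the second chunk is discarded because its header checksum does not verify, which is exactly the kind of half-overwritten page a memory image is full of.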

The company spends a lot of time conducting background work like this that doesn’t generate any immediate revenue. In one case it spent two years reverse engineering Windows’ Data Protection API (DPAPI). It does this because it has to stay ahead of the game. Januszkiewicz and her team are honing their tools. Stephen Covey talks about this in The Seven Habits of Highly Effective People. He describes the P/PC principle, which is the balance between production and production capability. Unless you spend time honing your knowledge, tools, and techniques, your ability to produce quality work will gradually decline.

At SecTor this October, Januszkiewicz will distill some of that knowledge into two talks: a session on common PKI mistakes, and a keynote describing some of the threats that are currently working for hackers.

“There are certain types of attacks that work every single time I start a penetration test,” she says, adding that old tricks such as embedding malicious code in document macros still work because even though Windows has protections, companies aren’t using them properly – if at all.

“For example, we have had AppLocker in Windows for so many years and there are still so many companies that have not implemented it,” she says, adding that misconfiguration for some features is rife. “When they have it, they do not always do it well and you are still able to bypass it in different ways.”

As an entrepreneur, Januszkiewicz is an entirely self-made cybersecurity expert, learning as she went, often on the job. She has some sage advice for others starting out in the field.

“To start, we have to be curious about everything that’s happening in technology every day,” she says, pointing out that cybersecurity is evolving quickly. “That’s why when we hire someone new in a technical position I really like to ask the question ‘what happened yesterday? What happened last week in cybersecurity?’”

You can hear more from Januszkiewicz in her keynote speech at the virtual SecTor conference on October 21 and 22. There’s still time to register.