Life of: A Principal Security Consultant

Written by

Name: Gabriel Gonzalez Garcia

Job Title: Principal Security Consultant, IOActive

Bio: Gabriel Gonzalez Garcia has more than 13 years of experience in development and security of embedded systems. From network equipment to satellite communications, Gabriel has actively exploited numerous vulnerabilities in a variety of software and hardware systems. Recently he has specialized in industrial equipment with a particular emphasis on smart grid environments.


Tell me in one sentence what your job is about…

Finding unexpected ways of gaining a privileged position in a computer system.

What was your route into cybersecurity?

I was always interested in security since the very beginning of my career, but I started developing a network scanner (similar to nmap) around 18 years ago. I was also playing around with OpenBSD to better understand the security improvements that the developers put into place. Shortly after this I became more and more interested in Embedded Systems, which is actually my area of expertise today. Along the way I learnt about reverse engineering, web penetration testing, mobile app security, and a lot more.

What's the best thing about your job?

The constant challenges. Each project requires a different set of skills than the previous one and, most of the time, you have to combine everything you know to find ways to bypass security protections. Since all projects are time-fixed and new ones start every few weeks, you have to give 100% to get the best results, which helps you to improve every day.

And what's the worst?

Some projects happen too far away. Being away for more than two weeks in a row when you have a family is tough.

Gabriel Gonzalez Garcia, IOActive
Gabriel Gonzalez Garcia, IOActive

If you could work with any client on any project, who and what would it be?

Working on a satellite project for a space agency would be pretty awesome.

What's your proudest achievement?

Being part of a happy family and having the courage to tell my wife and son, almost every day, that I love them.

What's your biggest professional regret?

I should've never switched off my home OpenBSD Server running on a Pentium 120Mhz.

No, seriously, I do not regret anything.

Who do you really admire in the industry?

Ruben Santamarta: He started exploring vulnerabilities in Windows quite a few years ago and discovered a number of ways to exploit them. He then moved to the industrial area which he instantly mastered. I love his sixth sense of feeling where the problem can be, and identifying potential targets. He is like Messi, he can score a fantastic goal anytime.

Joxean Koret: He is a very talented bug hunter and discovered lots of them in a wide variety of software products. I like his approach to problems - he does not hesitate to write any tool he needs from scratch. I also like that he is always willing to share his knowledge.

Micah Elizabeth Scott: I don’t know her personally but I have been a follower since she had a blog at livejournal.com (quite a few years ago) where she posted fascinating hardware hacking and software skills. She is a demi-God to me.

If you could change one thing about the information security sector, what would it be?

Traditionally the security industry has been full of researchers trying to promote themselves and make fun of manufacturers and ‘dumb’ developers. I totally disagree with this vision, bringing a product to life is an extremely complicated process and there are lots of factors that can lead to a security vulnerability, from a non-trained developer to risky management decisions.

What's the most misunderstood thing about information security?

The risk of deploying a product that can be analyzed by a large crowd of people. If today we ship a product with a vulnerability that we, as the manufacturer, think is very difficult to exploit because it requires lots of man-power, then there is a chance − if the product is successful enough − that hundreds of talented researches will start looking into the product. Individually, they may not have the required skillset but when combined, thanks to large communities where knowledge is shared, they can quickly find and exploit any vulnerabilities.

If you didn’t work in the information security industry, what would be your dream job?

I would've been a neuroscientist! Back in the day I spent a couple of years collaborating with a research center, helping a team develop software to perform behavioral analysis on Leeches - yes, the blood suckers. I wrote an application that analyzed the skin movements of the animal, using computer vision algorithms, when reacting to touch stimulus. It was a fascinating project and I was lucky enough to be involved in the whole process, from exposing the animal's neurons with a stencil under a microscope, to recording all the movements. The goal of this was to reverse engineer the leech's nervous system, which in many ways is quite similar to what I do in the IT security world.

What’s hot on Infosecurity Magazine?