Robin Divino

Security Tech Lead, Philippines

‍

Robin Divino is an Information Security Consultant for VikingCloud based in the Philippines.  He works with customers around the globe conducting penetration assessments on multiple assets, including Web App and APIs, networks (external and internal), segmentation testing, Mobile Apps – as well as dark web analysis. Robin also conducts Web Application Vulnerability Assessment and Penetration Testing (VAPT) training and leads customer projects.

‍

Before joining VikingCloud’s Cyber Threat Unit, Robin was a programmer for five years, then moved to a cybersecurity role where he’s worked in the Information Security field for nearly seven years.  

‍

Robin built his skills and information security profile by ethically hacking companies as part of their bug bounty programs.  He has been acknowledged and rewarded by companies such as Facebook (Meta), Microsoft, PayPal, HackerOne, the U.S. Department of Defense, and more for discovering and disclosing unknown vulnerabilities.

‍

Robin also shares his knowledge with the ethical hacking community to help others learn and help in their mission – by creating YouTube videos teaching about white hat hacking and bug bounties and writing blog posts about the vulnerabilities found during bug bounty hunting. Robin is an Offensive Security Certified Professional (OSCP) and holds a B.S. in Computer Science with a major in application development.

‍

Interview with Robin

‍

Q: What’s your favorite security vulnerability and why?

‍

A: “It’s a toss-up!  Improper Authorization and Sensitive Information Exposure are my two favorite vulnerabilities.

‍

First, Improper Authorization, because it leads to many other vulnerability subcategories. It’s when the application does not properly check that the user is actually authorized to access a certain functionality, leading to multiple vulnerabilities like Business Logic Vulnerability, Sensitive Data Exposure, Account Takeover, and many more.

‍

Second, Sensitive Information simply because this is very easy to find and often bumps into a higher severity vulnerability depending on the type of sensitive information you can access. Sometimes a simple hard coded credential may lead to accessing a vast amount of sensitive data.”

‍

Q: What is the primary cause of breaches you see most often? Do you have any relatable stories you can share?

‍

A: “Social engineering, hard-coded credentials, credential stuffing attacks, and lack of data protection are all breaches that I see frequently. Social engineering includes many types of attacks that most people fall into, like phishing attacks; it only takes one account to compromise the whole network of an organization. Properly trained employees on the alert are an organization's strongest defense. Yet, when they are not trained and prepared, they become one of the weakest links - along with vulnerable applications.

‍

During my career as a penetration tester, I was able to access a database due to hard-coded credentials.  Getting in because of poor security measures was even more of a problem for the target because the accessed database stored sensitive data - usernames and passwords - in plaintext (not encrypted).  When you are compromised, a database that contains plaintext usernames and passwords is super easy to perform a brute-force attack and credential stuffing attack.  That creates a problem for the impacted business – and all those other companies that can then be hacked using the login information.  One successful attack then leads to numerous data breaches.”

‍

Q: If you could give one piece of advice to our customers, what would it be?

‍

A: “Short and simple:  Never let your guard down.  Always make security a top priority – and use experts who have access to proven best practices – and who can also help out when and if you are breached.  Not putting security at the top of your organization’s priorities can have serious consequences. I’ve seen it firsthand – don’t wait until it happens to you.”

‍

Robin’s information security experience and knowledge have set him apart from others in the industry. Numerous organizations, including the U.S. Department of Defense, have acknowledged and rewarded him for his ethical hacking expertise. He is a vital part of our business, and we’re happy he’s a member of the VikingCloud Cyber Threat Unit.

‍

Learn more about Robin on LinkedIn: https://www.linkedin.com/in/robindivino/.