Sheep in wolf’s clothing: How white hat hackers and pen testing help stop hacks
Episode Summary:
Many law firms make a heavy investment in cybersecurity tech, and yet attackers can simply walk straight through their front door. This episode exposes how ethical (and criminal) hackers think and act, revealing why human trust and everyday routines are often the real vulnerability that attackers exploit. This episode pulls back the curtain on penetration testing, and the white hat hackers who help firms fix weaknesses before criminals can exploit them.
Guest:
• James Thompson, Director, principal cybersecurity consultant and penetration tester, Malware Security
• More than 20 years’ experience testing government, defence and critical infrastructure networks
• Specialist in offensive security, social engineering and red team engagements
Host:
• Jayne Gurton, Law Institute of Victoria
• podcasts@liv.asn.au | https://www.linkedin.com/company/law-institute-of-victoria
Episode Overview:
Securing a law firm from cyber attacks must take into account not just technology, but the physical environment as well. In this episode, penetration testing expert James Thompson explains what really happens when an organisation hires a pen tester and how cyber breaches can come through the front door as well as a link in an email. The discussion unpacks penetration testing, red team engagements and social engineering attacks, with practical examples from professional services environments. Listeners will learn how ethical hackers exploit human behaviour, why organisations often fall within minutes of an initial breach and what law firms can do right now to reduce their attack surface.
Topics & Timestamps:
• 02:04 What is penetration testing
• 04:40 Common vulnerabilities in office environments
• 08:49 Real-world social engineering scenarios
• 11:14 What happens after initial network access
• 13:48 Practical steps firms can take immediately
• 15:20 Choosing a penetration testing provider
• 17:20 Emerging cyberthreats and AI-enabled attacks
Key Takeaways:
• Penetration testing combines technical skill with human manipulation to mirror real cyber attacks
• Front desks, unlocked doors and helpful staff are common breach points
• Many organisations are compromised within 15 to 30 minutes of initial access
• Multi-factor authentication and reducing attack surface significantly raise the barrier
• Not all vendors offering pen tests deliver genuine human-led testing
• Regular testing and staff awareness are essential parts of cyber risk management
Resources & Links:
• Law Institute of Victoria cyber security resources – Practical guidance for legal practices | https://www.liv.asn.au/web/resource_knowledge_centre/cybersecurity-hub/web/content/resource_knowledge_centre/cybersecurity-hub.aspx
• Law Institute Journal – Cyber risk and legal practice coverage | https://www.liv.asn.au/web/law_institute_journal_and_news/web/lij/year/2025/02february/law_firms_and_cyber_risk.aspx | https://www.liv.asn.au/web/search_results_page.aspx?search=cyber
• Australian Cyber Security Centre – Guidance for professional services | https://www.cyber.gov.au
• Malware Security – Penetration testing and red team services | https://malsec.com.au
• Australian Signals Directorate Essential Eight – Baseline cyber security controls | https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/essential-eight
About This Podcast
Cross-Examined is a new podcast from the Law Institute of Victoria. Tune in to hear experts discuss hot topics in the law and the changes shaping the legal profession. Regular episodes will cover everything from AI and cyber threats to ethical dilemmas, workplace taboos and practice management insights.
This podcast is recorded on the traditional lands of the Wurundjeri people of the Kulin Nation. The Law Institute of Victoria acknowledges the Traditional Custodians of Country across Australia. We pay our respects to Elders past and present.
Disclaimer
This podcast is for informational purposes only and is not intended to replace professional legal advice. The views expressed in this podcast do not necessarily reflect the views of the Law Institute of Victoria (LIV). The LIV is not responsible for any losses, damages or liabilities that may arise from the use of this podcast. Listeners should seek independent legal advice for their matters.
Production Information
• Produced by: The Law Institute of Victoria
• Producer and audio editor: Garreth Hanley
• Music: Garreth Hanley
• Copy and show notes: Louise Surette
Connect With Us
Email: podcasts@liv.asn.au
Website: https://liv.asn.au
LinkedIn: https://www.linkedin.com/company/law-institute-of-victoria
Apple Podcasts: https://podcasts.apple.com/au/podcast/cross-examined/id1858765728
Spotify: https://open.spotify.com/show/0zvyk5xia4wYv9YWcXphgV
Mentioned in this episode:
2026 Legal Forum advert
Legal Forum 2026: Discover the forum where lawyers come to connect, be inspired and stay ahead. The Law Institute of Victoria’s flagship, full-day conference brings ideas, leading experts and the profession together to learn, connect and shape the future of legal practice. Wednesday 10 June | Pullman Melbourne on the Park | https://www.liv.asn.au/legalforum
Transcript
Welcome to Cross-Examined, a podcast by the Law Institute of Victoria.
Jayne Gurton: Every law firm in Australia holds something criminals want, whether it's client IDs, financial records, privileged legal advice, sensitive negotiations or confidential communications. Most firms have put a lot of effort into securing their IT. But sometimes the weakest link in a law firm's cybersecurity is not the server – it's the front door.
Penetration testing, also known as pen testing, is a critical but often misunderstood security practice that focuses on gaining digital and physical access to secure systems and data.
Essentially, it's legal hacking, done by what's known as a white hat hacker, a sheep dressed in wolf's clothing who is authorised to secretly break in using the same tactics that a criminal would.
Pen testers are employed to find the vulnerabilities before the actual bad guys do, so businesses can patch the gaps before they become leaks.
I'm Jayne Gurton, and this is Cross-Examined.
Today, we are talking to James Thompson. James runs a security-cleared team that is paid to break into some of Australia's most sensitive networks across government, defence and critical infrastructure.
James is joining us today to explain what actually happens when an organisation engages with a pen tester, the unlikely gaps he finds in company defences and what it's actually like to infiltrate some of the country's most secure facilities. Legally, of course.
Welcome to Cross-Examined, James.
James Thompson: Thanks for having me here.
Jayne Gurton: Okay, James, let's dive in. For listeners who haven't come across the term before, can you explain what penetration testing actually is and how it differs from other kinds of security assessments? And beyond the technical, who actually hires you? And are you seeing corporate clients demand proof of security before handing sensitive matters to a law firm?
James Thompson: Yeah, absolutely. So, what is penetration testing? So, that is being typically engaged by an organisation to define a system and throw, basically, what you have at it – so, try and find vulnerabilities as broadly as you can in the entire system. And there's a few different types of security assessments that you can get, and sometimes they are a bit hard to distinguish between them.
So, typically, you'll have a vulnerability scan, which is something that your own team could set up, or you could outsource to a third party. That would just be an automated system that looks for common and known vulnerabilities.
Then, in the middle, you have a penetration test, which is where you actually have a human coming in, looking at systems, trying to identify flaws in the systems, trying to exploit the vulnerabilities – and also, importantly, looking for the business logic gaps that automated scanners can't do – and they are trying to look very broadly.
And then the third kind of assessment is what is typically called a red team engagement. So, instead of being focused on one specific system, they will target an ultimate goal. So, they will be given your organisation's crown jewels or the most important information or assets that you have been entrusted to protect. And their goal is to get to that end point, and try and get there any way they can, through whatever controls they can.
And the sorts of customers we typically get are in government. So, they are entrusted with various public information to protect. So, whether that be health records or classified information or whatever that organisation looks after in particular, as well as other places such as financial sector. We get a fair bit of work out of financial sector, who have a very obvious financial incentive to ensure that the money stays where it's supposed to stay.
And also, other organisations that need to have assurance that the information that another third party has entrusted them, such as someone in the defence supply chain and where there's a large corporate customer engaging a legal firm. And the company who is entrusting them with the data needs to ensure that their networks, their systems, their processes are secure to be able to hold and protect that information. And they need that proof before they hand it over.
Jayne Gurton: James, in your experience testing professional services in office environments, what are the most common vulnerabilities you find? And how do you actually get through their defences? Why do you think these gaps keep appearing?
James Thompson: Yes, so, there's obviously a lot of technical vulnerabilities and issues in the attack surface, but there's also the human element as well that shows up in many sorts of attacks.
So, the phishing attacks, vishing attacks and some of the other attacks where you just trust and rely on people that maybe show up somewhere that you think they could be or should be, and they can take advantage of that situation, that assumed trust. Maybe the timing is perfect. So, for example, you've just ordered something, you are expecting a parcel. All of a sudden, an email pops up saying, “Hey, there's a parcel, click here” – that situation – and that can extend into the physical world as well.
So typically, when organisations have asked you to test them physically, they are pretty confident in their controls, but there's been plenty of really great examples.
So, probably the most typical thing is, people assume that having a door or a reception is a sufficient security control. But usually – if you just walk into a place, you look confident, you look like you are supposed to be there – you can typically just walk straight past and get into what someone would assume to be a restricted area where only authorised people should be.
Just having that confidence to walk through and to look like you should be there is often enough to go unchallenged. And quite often I've actually successfully gotten those front desk staff to be my willing accomplice, and they've been able to guide me into the right place. So, “Do you know where the computers are? There should be a room that has lots of computers. Can you take me there please?” And they will often willingly help you get to that place. It's pretty amazing. They are trying to do their job and be helpful. So, if you think about it, that is a legitimate attack that someone might conduct against you.
So, do you have files that are not secured during the day, that are left out on a desk? Keys, maybe. If someone just walked into your office and opportunistically grabbed something, would that be a problem? Or do they maybe walk in and plug something in?
Another example is the front desk reception computers. Quite often when you walk into an organisation, you'll see the front desk. They have a computer sitting right there, customer facing. It has all of the ports at the back exposed to the person on the other side of the counter. It's quite common to be able to just plug an extra USB into the back of that, that can run some attack tools. So, we've definitely done that attack a couple of times as well.
Or is there a door that staff use that might be on the side that doesn't go past reception? And when they go and get their coffee, do they go that way? And you just follow along with the group, with your coffee and walk on in. And often you can quite easily merge into the group.
People assume if you are talking to someone, they know that you are maybe a new starter, maybe part of their team, something like that. And they kind of get integrated into the group, and you can just walk in having a chat with someone who actually works there because they think you are in one of the other teams. It's pretty, pretty wild.
I did have a colleague that “attacked” an educational institute, and they sat down at a free desk and plugged their laptop in, started attacking the systems. And they didn't really know what to do and where they were trying to go, but they were adopted by the team that surrounded them, who were like, “Who are you? Oh, you just started here? Oh yeah, you need to go to the service desk. This is their phone number. This is how you get to their system. Come get coffee with us. We'll have a chat to you”.
And so, this team kind of adopted this guy, like he was paid to be there, but as far as they knew, he was completely legitimate. They assumed he was a new starter, and they just adopted him into their team and into the fold and started introducing him into the system and the organisation.
Jayne Gurton: James, you've just touched on some of the tactics you use. Can you walk us through one real-world scenario where one of these techniques actually played out inside a professional or legal environment? And do you have a specific story that might surprise our listeners about how easy it actually was?
James Thompson: One of the typical ones was walking in with a very large server, like a really massive computer that gets rack-mounted. My hands are full, it's quite heavy, walked into the building. I didn't have my pass on or anything, because I'm carrying a big server – so people were trying to help me out.
And it ended up being security that came and swiped through to let me through the side doors and through the front race-gate access controls to get into the building to help me along the way. And they even came up and pressed the button to the elevator, called the elevator and went in and pressed the floor that I wanted to get to. So, they absolutely helped me through as much as they could without stopping to challenge, “Do you have a pass? Are you meant to be here?”. And yeah, that one was straight into the organisation and then plugging that into a server room that was accessible was pretty wild.
I came in with a whole bunch of storage, and then I plugged it into their network, so that I could copy information onto my server. And I was analysing it locally, but that could have been any information that I was at that point copying onto this server that would then be in my full control and would be able to walk out of the building or take out any way I wanted.
So, if I adjusted that to the attacker scenario, it would be a massive data exfiltration event. That was in the middle of a broader security review and red team engagement. So, it was actually several months afterwards when we revealed what we had been doing across the organisation. And that included tailgating in for months, dropping devices into the network, walking out of the building with devices over yeah, many, many months.
And we presented that to the Chief of Security, and after that, there was a lot of changes. So, they actually posted a guard right next to the race gates to stop people being able to tailgate in. They tried to start challenging people who just rocked up with their hands full. So, they actually were like, “No, no – we need to see your pass, and we need to see your face on the pass, and we need to hear it beep on the swipe”. So, it did make it a less “helpful” environment, I suppose, but it definitely improved security.
Jayne Gurton: Once you've gained that initial foothold, you are inside the building or you are on the network – what happens next? And what does that second phase typically reveal about an organisation's broader security posture?
James Thompson: Yeah, absolutely. So, it actually reveals a lot. So typically, once you've broken into the network – and that could be through malware, it could be through phishing, social engineering, getting someone to run something or just plugging into the network – usually, the next steps are trying to find a foothold or a bit of access. So, you are looking for credentials that might be on the network or maybe your user account that you've landed with has too much permissions. You are just trying to find a really quick way to move and expand.
And typically a lot of organisations will fall down within about, oh, 15 to 30 minutes of the initial compromise if they haven't really focused on being tidy and cleaning up. There's almost always something that's misconfigured or something that's laying around that gives you access into the network and really quick access to compromise a whole bunch of other systems.
Typically, you don't need to be an administrator. It helps, but typically you don't need to have that level of access. Typically, a standard user has more than enough access to some degree of sensitive information. It's not compartmented.
So, I had a really fun one, in a law-related sector, where after I gained initial access, I did escalate relatively quickly to administrative. They had a setting enabled, which was called “reversible encryption” on their passwords. And I contacted my security lead and I said, “Hey, here's your password”. And he goes, “Oh”. And I was watching what he was doing, and straight away he changes his password. And so, I messaged him again, “Here's your password, you still have reversible encryption”, and he tried to make it really complex as well, so it went from an eight-character password to being multi-word and really long. So, I sent it to him again, he changed his password again, then turned on reversible encryption. So, I still had access to his password.
Once you enable a security feature, you typically have to change all the credentials. So, you would have to change every single password in the entire organisation after turning on this setting to bring them into the secure state. And until you've done that, you remain vulnerable.
Even though this guy was the security lead, who I was having fun with, he didn't realise the consequence of what this setting would do and how to actually fully remediate it. And he was just absolutely blown away that I was able to send him his password just constantly, every few moments. It was great. It's a fantastic job to be professionally evil.
Jayne Gurton: James, if a practice manager or managing partner is listening to this right now and wants to actually strengthen their firm's defences, not in theory, but this week, what should they do first? Apart from engaging with a pen tester, of course.
James Thompson: Yeah, absolutely. There's some basic controls and you actually, I think, already talked about them in the intro.
Stuff that makes my job hard. If someone has multi-factor authentication turned on, then that's already – I can't just reuse their password instantly, I've got to use a little bit more advanced attacks. But it just raises that bar, and it cuts out entire attack paths and ways to be persistent in a network or maintain my access. So good multi-factor authentication across the board. Passkeys, if you can, are really great.
And the other big thing – reduce your attack surface wherever you can. If it doesn't need to be there, turn it off. And another common attack is, you walk into a building, you see where their TV is plugged in and it's streaming some sort of corporate information, and you plug into the network port. Does that need to be network connected? Does your lobby need to be network connected? Probably not. Can you disable this? The same thing with meeting rooms – disable the ports if they are not used. Wherever you can, reduce the ability to gain access to things, reduce your attack surface.
Jayne Gurton: When a firm does decide to engage a penetration tester, how should they approach that relationship? What should they specifically look for in a vendor, and are there red flags that should make them walk away?
James Thompson: Yeah, so when you are engaging a penetration testing firm or a red teaming organisation, you want to make sure that they've got experience, they know how to handle the data – because it's most likely that they will successfully break into some sort of system and they will take some of your data – so, are they going to encrypt it if they take it out of your organisation to prevent second-stage data spill?
You also want to make sure what they are doing is actually sound, so have a look at their methodology, things you don't want them to do. And this comes from the market being a little bit muddy. You might be after a “penetration test” or a “red team”. They might call it that, and then they actually just sell you a vulnerability scan.
Will they actually have people looking at your systems? Will they actually be looking for business logic flaws as well as technical vulnerabilities? If they find a flaw, will they exploit it and see where it gets to from there? What is their scope as well? Do you want to test your physical premises? So, make sure that you are getting everything you need when you define that engagement and how big that is.
The typical red flags here – I like to use the price as an indicator. If someone goes, “Yeah, we are going to give you a pen test, and it's going to be done in two days with a report”, you are probably not getting what I would consider a pen test. You are not going to actually have a human spending a good amount of time looking out over the system, curating the results, understanding the business logic and exploiting, extrapolating where they can go from there.
Cybersecurity hasn't really been professionalised in Australia yet. There's a few different certifications and qualifications you can get. Typically, the things I'll look for when I employ someone are things like offensive security, SANS training, even competing in the Capture the Flag tournaments – just to see that they've actually done these engagements and work, and that's where their professional experience is.
There are a few industry bodies that are trying to stand up, but I wouldn't say that they have saturation yet. So, at the moment, I wouldn't suggest any one body for a cybersecurity professional yet.
Jayne Gurton: Okay, James. Looking ahead, what emerging threats should the legal profession be paying attention to over the next few years? And is there anything that's already here that firms are not yet defending against?
James Thompson: Yes, so I think the next threats that are going to come out will be a lot more of the systems that we use and rely on. So, a lot more supply chain risks and attacks, as we are seeing a lot more vulnerabilities being identified and exploited very quickly, powered by AI, and the ability for AI to find vulnerabilities and weaponise that attack chain exploitation, and even the ability to go through the data and understand what it is.
So, I think there'll be a lot of risk there, as well as the adoption of AI systems that, when these systems have been deployed and they are trusting this user input, are you trusting the user input? And then you get security issues off that, you are not securing the database. The way it's spitting out code hasn't been vetted through the proper software development lifecycle and security testing.
So, I think that's definitely what will be biting everyone in the future, sort of the explosion of AI and then the risks from people using and adopting AI and this sort of technology stack.
There's definitely been some really cool advances in the pen testing and attacking field where you are able to leverage different AI models, and generation of people and voices and videos, and everything to conduct your attacks.
And I think the big thing to defend against it is the same as always – trust but verify. You always need to verify what's going on. So sure, you ordered a parcel and you've got an email about tracking a parcel. But is it actually where you ordered it from? Does the URL match?
It's almost all the same things, except it will be a lot faster. And falling back onto well-established and tested processes should be there again. So, changing the bank account – that should always come through a well-tested, well-trodden process. And it shouldn't be able to be bypassed just because someone called you and it sounds like that person.
Yeah, so the Uber Eats delivery driver, I think, is the next threat. I definitely want to try it. I've seen some Uber Eats bags laying around, and I was like, yeah, I should pick those up and add them to the toolkit.
Jayne Gurton: What strikes me about this conversation, James, is that so much of what you have described isn't about technology at all. It's about human behaviour, organisational culture and the assumptions we make about how safe we actually are. Waiting for an incident to happen is not a strategy, and testing your defences and training your people are the first steps.
James Thompson: Absolutely. I totally agree with that.
Jayne Gurton: Thank you so much for joining us today, James, and for pulling back the curtain on what pen testing and ethical hacking actually look like in practice.
James Thompson: Thank you very much for having me on. It's been an absolute pleasure.
Jayne Gurton: And thank you for listening to Cross-Examined. Don't forget to check the show notes for links to the Law Institute of Victoria's cybersecurity resources, the Australian Cyber Security Centre and James and his team at Malware Security.
If this episode has made you think differently about your firm's security posture, please share it with a colleague or a practice manager who needs to hear it.
And until next time, thanks for listening.
