Digital Detective

Lines of computer code
Author
Published date

Jeremy Dupuis ’16 has a knack for breaking things.

Dupuis infiltrates sensitive, proprietary and protected information on behalf of Ernst & Young, a multinational professional services company and one of the largest
accounting firms in the United States. He is an offensive security consultant, or, as others describe it, a “professional hacker.” The Albany area native never imagined such an exciting profession and a six-figure salary when he enrolled as an individual studies major at SUNY Morrisville.

“I didn’t know what I wanted to do,” Dupuis, who began his job at Ernst & Young in August, recalled during a telephone interview from his Houston, Texas apartment. “All my friends on campus were IT guys. We worked out a lot at the gym — they weren’t the stereotypical computer nerds. They had this confidence about them.”

In high school, Dupuis really enjoyed an elective that taught him about computer hardware devices like switches and routers, and basic computer functions. During
his second semester at Morrisville, he took a 101-level course that covered the basics — Microsoft Office functions, spreadsheets and PowerPoint presentations.
Professor Richard Marcoux was impressed by Dupuis’s energy and enthusiasm.

“I remember seeing him at his laptop working on problems on his own,” Marcoux said. “He was very serious about this and picked up the material so quickly.”

“He was pulling me into the IT field without me really knowing it,” Dupuis said, adding that he changed majors to information technology: network administration prior to the start of his sophomore year. After that, his dedication to learning the trade flourished. By junior year, Dupuis found himself continuing extra credit projects even though his grades were solid — mainly for the thrill of new challenges and also to separate himself from his peers.

“When it came to finding an internship, I wanted to stand out,” Dupuis said. “Since my peers and I were completing the same projects, the only way to separate myself was to go above and beyond.”

“He worked independently to push beyond his own knowledge and expand his skill set,” said professor Steve Klingaman, who had Dupuis in his Network  Administration, Cybersecurity, and IT Project Management courses. “Jeremy very ambitiously sought and earned the coveted Offensive Security Certified Professional (OSCP) certification.”

“Pretty much the whole company is compromised. We can make them go from heroes to zeroes in a matter of minutes.”

Like many credentials in the computing and networking field, the OSCP certification is something that IT professionals or computer scientists pursue on their own time
and at their own expense outside of their college degree curriculums. These programs are extremely rigorous and difficult. Dupuis said his education at SUNY Morrisville set him on a path to succeed.

Dupuis worked as a student employee at SUNY Morrisville’s computer help desk and made a few other stops along the way to Ernst & Young. At his previous job, with
Depth Security in Kansas City, Missouri, he worked as an IT security consultant. Before that, during his senior year at SUNY Morrisville, he served as an information security engineer intern at Secure Network Technologies in Syracuse, New York. In that role, the SUNY Morrisville graduate-to-be thought about how defenses could be strengthened by a good offense.

“I was always curious about the opposite,” he said. “What would it be like to try to break stuff?”

After obtaining the multiple Offensive Security certifications (OSCE, OSCP, OSWP), Dupuis found the opportunity to prove to Ernst & Young that he could indeed break
stuff. 

He and other members of the company’s Attack and Penetration Team are assigned to visit customer sites and infiltrate their facilities and systems. Most if not all of the
workers at those sites are unaware of the team’s presence. The task involves staking out offices — observing the entrances and exits, the security staff and even the
dress codes for employees. Team members have been trained to make fake badges, impersonate themselves as employees or contractors, and even con their way into areas where they should not be allowed.

“If you stutter or freeze, it’s going to raise some alarm,” Dupuis said. “If we get caught, we’re likely going away in handcuffs.”

Once inside, Dupuis and his colleagues make quick work of completing the challenges assigned to them, which can include obtaining trade secrets, accessing payroll
records, or by becoming a high-privileged user on the corporate network.

“Millions of dollars are at risk,” Dupuis said. “Pretty much the whole company is compromised. We can make them go from heroes to zeroes in a matter of minutes.”

The clients are often alarmed but thankful for the team’s findings, and as a result companies improve the security of their facilities and networks, Dupuis explained.

The job involves quite a bit of travel and long hours as team members often log in more than 75 hours some weeks. So far, he has loved the fast-paced, challenging
environment.

His advice to aspiring hackers and SUNY Morrisville students: If you work hard, you’ll be surprised how “lucky” you can become.

“You are working super hard for three to five years of your life (in college) to become what you want to become,” he said. “It’s not the end of the world!”

Breaking Barriers

According to the U.S. Department of Labor, the median annual salary for information security analysts with a bachelor’s degree and less than five years of experience
was $95,510 in 2017. There were an estimated 100,000 security analyst jobs in 2016, and that number is expected to increase by 28,500 in the next eight years.

SUNY Morrisville offers a minor in cybersecurity that is open to all students. “This minor dovetails nicely with our B.Tech IT programs, especially network administration,” according to professor Stephen Klingaman.

The Offensive Security Certified Professional (OSCP) is considered the most recognized penetration testing certification in the industry. This credential is usually sought by professionals in the computer science, software engineering or information technology industries who previously completed college degrees. Candidates must pass a 24-hour performance-based exam in a virtual network where they are challenged to obtain targets of varying configurations and operating systems in auto work.