Xavier Yeo
Consultant (Attack Simulation Group)
Cyber Security Engineering Centre, CSA
Joined in 2018

Hacking for good

Xavier Yeo was seven when he first started hacking.

Turning his online avatar “super powerful”, he won the battles against other online players and scaled difficult missions in the game effortlessly.

Later in secondary school, he learnt to set up phishing websites and pranked his friends into visiting these. “I revealed the prank immediately, advised them to change their credentials and taught them ways to identify phishing websites and suspicious URLs,” he adds.

These experiments opened Xavier’s eyes to security issues that plagued computer software and systems, and the need to enhance their resilience. This led him to pursue a cybersecurity-related diploma in polytechnic, and kickstarted his career in this field.

Today, the 29-year-old is working in the Attack Simulation Group (ASG) in Cyber Security Agency of Singapore’s (CSA) Cyber Security Engineering Centre (CSEC).

Red Teamer, alert

His day-to-day activities include conducting security assessments on Government and Critical Information Infrastructure (CII) systems. This means trying to gain access by exploiting security vulnerabilities using tactics and tools that real threat actors may use - otherwise known as “red-teaming”.

Xavier says this is needed to highlight existing security gaps, thereby improving the overall cybersecurity posture, and making it more resilient against attacks.

On memorable moments, he recalled how he discovered two critical zero-day vulnerabilities in a product developed by a local firm in 2020. If successfully exploited, an attacker would be able to completely take over one of the module’s operating system within the product, he explains.

He and his team worked with the local firm to mitigate the issue. It was also his first time registering for a Common Vulnerabilities and Exposures (CVE), marking it as one of the highlights of his career at CSA so far.

Red-teaming, as the term suggests, is not a job for one person. Xavier gets the opportunity to work with team-mates who are like-minded and passionate about cybersecurity. It doesn’t hurt that they get to embark on cool hacks as part of the job!

Tough but gratifying

And it is work which he finds challenging and impactful!

Xavier says it was reported that in 2020, there was an average of 50 new security vulnerabilities identified each day. It’s a challenge just to be able to keep up in this fast-moving industry, particularly in the digital age we are in today.

The work doesn’t end during the ongoing COVID-19 pandemic either. His team worked with GovTech to help secure the then newly developed SafeEntry and TraceTogether digital contact-tracing tools, work that was “tough but gratifying” as they knew the work impacted the lives of Singaporeans.