How did you get you your job? What do I have to do to do what you do?
Since becoming a Cybersecurity Expert at TechGuard Security, I have received these questions on several occasions particularly regarding Penetration Testing or pentesting. It’s always a bit difficult to answer. It’s a difficult question, but because as most things in IT, the answer is “It Depends”. On our team of Penetration Testers all of us have come about this opportunity in our own unique way, so my answer is always the same but different. In some cases, I try to give advice on what technical knowledge to obtain or what certifications might help with gaining certain types of skills or knowledge, in most cases my answer depends on the audience. Our team has a somewhat unconventional set of skills and backgrounds, from art majors to Oracle database administrators. All of us bring a different skill and perspective to our engagements and our clients.
The New Age of Pentesting
Stereotypically, penetration testers have been thought of as highly technical introverts, that sit in dark rooms, wearing a black hoodie - with the hood up, of course - staring at a half dozen monitors developing code and drinking energy drinks in the wee hours of the morning. While it is true that our jobs are, at their core, technical and we do some of our work very late at night and that I own a hoodie - although gray not black - the stereotype no longer applies across the board. The one thing that is consistent is within our team, is our interest in technology and how things work. We are all, by nature, curious, enjoy learning and don’t sit still. Don’t misunderstand me, a strong technical background is necessary, but hardly a requirement. The modern threat landscape is a mixed bag of technical exploits and what I’ll refer to as non-technical exploits, such as vishing and phishing. What this means is that whether you are highly skilled technically or just good at making up a good story, you can be a successful pentester. Some of the most successful exploits have been caused by an employee clicking a link in a phishing email or letting the “electrician” investigate a problem.
Personal Journey
Let me bring this article back to the original question of how I became a pentester. My personal journey started rather mundane, I went to college and began my career working for a major computer manufacturer doing customer support. I then moved into an IT support role for an accounting firm. From there I determined that I wanted to focus on networking technologies and obtained several Cisco certifications, obtained a security clearance and did some work for the US Department of Defense. For years I was satisfied with my work. To be honest, I had not given much thought to cybersecurity as a career field. I knew what it was, I understood the core concepts, I managed firewalls and I even read the book “Hacking for Dummies” out of pure morbid curiosity. That being said, a career in cybersecurity hadn’t really crossed my mind. Then, while working for the DoD, an ex-colleague contacted me about some openings within his organization for IT Security roles. I had a great deal of respect for this individual (and still do). Even though I was not necessarily looking for a new career, new company, new culture, I decided to apply and just see. I was curious. Long story short I took the job and have not looked back since.
IT Security: A new Adventure
As stated, my focus has not always been on cybersecurity. One of the core concepts of cybersecurity is the notion of “Red Team” and “Blue Team”. For those of you not familiar with these terms, Red Team are the “attackers” and Blue Team are the “defenders”. Another name for Red Team members is Ethical Hackers. Companies employ ethical hackers or hire them to test the security of their networks. Up to this point, I spent much of my cybersecurity career in a Blue Team role. Blue Team is a lot like many other roles in IT except one key difference. The difference is other IT functions do not have attackers actively trying to circumvent your controls. I find this game of cat and mouse fascinating. In this game I was the cat. I always thought the idea of being the mouse was cool, but the thought of being an “Ethical Hacker” always seemed like something someone else did but a cool way to earn a living. I read articles and subscribed to message boards, but I never really considered Red Team as a valid career option. Throughout my time as a Blue Team member, I enjoyed what I did. I enjoyed learning technology and implementing controls to protect data and systems.
From Red to Blue
Fast forward several years, through conversations with another ex-colleague, I learned that TechGuard Security was looking to increase their testing team, which brings us to today. Today I get to come to work and think of ways to breach network and social defenses, this allows me the freedom to think outside the box. What I enjoy most about my career is the collaboration with colleagues and customers, as well as educating our customers about the newest threats and ways they can make their business more secure.
Interested in Pentesting?
If you’re interested in cybersecurity as a career or just want to learn more, there are a few things you can do to prepare yourself to transition into cybersecurity.
The first, and possibly most important, would be to get involved in the community. The cybersecurity community is very active and welcoming. Join your local OWASP chapter, find a meeting and show up. It’s free and filled with knowledgeable individuals that love to talk about cybersecurity.
The second suggestion would be to start learning on your own. There are many sites out there that provide free resources for individuals to teach themselves how to be a pentester. Two such sites, hackthebox.eu and hackthissite.org provide a virtual learning environment for individuals (or teams) to learn the basics of hacking. The best part is, it’s free. Legally I must include a statement that pentesting should not be performed in any capacity without the knowledge of the asset owners.
Read, read, read. There is no shortage of web resources and blogs dedicated to cybersecurity. If you’re interested, The Hacker News and Dark Reading are two great resources among many, to keep up with trends in the industry and recently released vulnerabilities.
Much debate can be had about the validity of IT certifications, but that’s not the idea of this article. Wherever you stand on IT certifications, I don’t think you can argue that they do provide the opportunity for learning. Certifications such as the OSCP are held in high regard within the cybersecurity community.