The ME in “MEntal Health”
Hey, didn't I write something like this last year? Well, yes, I sure did. Originally this piece was titled “So you want to be a pentester” and was written because I get asked a lot by people society sees as fringe humans how to get into the coolest and best industry in the world.
Please read this in the manner it is meant, friendly and fun.
Over the past 20+ years I have had the privilege to work with many amazing minds. Many of us came from the old school of thinking where politeness and courtesy were a thing. Yes, we had the internet, it wasn't that far back. So, after a rather rough Info Security Europe (2018), I decided to rework this piece for the industry as a whole.
You really want to work in Cyber Security?
While I am sure you aren't quite mad, after a few years that will change. Welcome to the fun house. It is my pleasure to help you a little and give you an unbiased view of what it is really like.
What does it take? What is life like? How do you get that coveted job in Cyber? I have put together this paper to help you, the new and upcoming security experts of the future. Everything in this paper reflects my own views and is based on what I know works and what my peers in the industry have told me works for them. It certainly works here for me.
Mental Issues? Tick [sic]
The number one thing is to listen to that voice you have inside you. There are many people who will tell you that you cannot do something. There are even people who will tell you that you can. Be wary of recruiters. Basically, do NOT listen to other people who will try to influence you. Believe me when I say I have seen every type of infosec person there is, and those who fit society's definition of “normal” are in the minority and mostly fill the lower grades of our industry. To put it into a little bit of the real world for you, I suffer from PTSD and Tourette's, and a certain amount (ok, a lot) of OCD. I work alongside most aspects of “the spectrum”. Honestly, I hate these labels. That is all they are after all, labels. Go ahead and list out all of the leaders of our industry from the Second World War to now. Notice anything?
Life as a Penetration Tester
Working in pentesting means travel. Lots of travel. Despite what you get told, you can expect to spend half your year in hotel rooms. Sometimes this will be in interesting places, often it won’t. Hours are long. This is not a nine to five job, it is a lifestyle choice.
We have the highs: travelling to Bermuda, Barbados, Miami, Cromer and the islands of Scotland. Trips to Vegas and DefCon. Wait, did I say Cromer? Yes, best fish and chips in the UK.
We have the lows too. Travel to London, public transport, overcrowded trains, miserable weather, long travel times, clients who demand you onsite for 9am. Getting up at 5am. Wait, sorry, that should be 3am. Getting home at 10pm.
It all goes with the job though, where else do you get to break into systems and get paid to do it? Expect long hours, cheap hotel rooms, long flights, conferences, lots of travel and just occasionally weekends on a beach. Expect to also spend half your life writing reports. Being a really great penetration tester is fine, but if you cannot write a report that delivers value, you won’t last long.
Wait, I have to interact with people?
Heck yes. What is the easiest way to get the admin password? Ask the admin for it! I know it can be scary, but part of the job is talking to clients, being on their site and interacting with them. I treat it like a game of Dungeons and Dragons. Or Zork. Or a MUD. It is how I remove myself from the here and now, put on my alter ego and do what I need to do. It takes time, I won't lie. For the first few years, yes I said years, you will be uncomfortable, but the sooner you jump in the quicker you swim like a pro. Just don't say out loud “I'm in a corridor with exits North and West. A Grue is in front of me.” People will then know you are mad.
On the subject of interaction, don't worry about flipping on the cans and listening to your preferred music. Just remember to keep the volume low so as not to disturb those around you. Try not to do anything that may draw attention either. A lot of the time you may be “lurking” on the client's site, so the goal is to stay for as long as possible without being noticed.
The easiest way to become a penetration tester is to pass the OSCP, the Offensive Security Certified Professional. Once you have this, talk to CREST about sitting the CPSA. With both of these, you are pretty much there.
With the OSCP and the CPSA, you can expect a salary starting at the £35,000 mark, and it should increase in line with your experience. Having said that, if you have little to no commercial experience, expect to be on a reduced figure until you can prove your worth in the practical world. At Hedgehog, fully qualified testers will start at £35,000 and I expect them very quickly to be between £40k and £60k. Our Senior Penetration Testers have a very nice salary.
I have a [insert qualification here], doesn’t that count?
As I said above, the easiest way is with the OSCP. Your certificate counts, it demonstrates a base level understanding of penetration testing, but it is not going to prove your skills in the practical way that the OSCP does. Of course, if your qualification is the GIAC GPEN and you are reading this, skip to Getting Your Big Break, you are targeting the wrong brands.
No OSCP, what then?
You have no OSCP but you really are very keen to become a penetration tester. How do you get there? All is not lost, you can still do it. First let me say one thing: show some respect to the people you talk to. Very often I will speak with people who will quite literally say “I hacked this, I hacked that, I'm great, I'm worth £50k”. I'm sorry, but that means less than zero. If you are going to take on a training role, a junior role, an apprentice role, call it what you will, be prepared to throw yourself into learning and proving.
There is always a debate over whether penetration testing is an art or a science. Personally, I believe it is a bit of both, but that really does not matter. Skills are extremely important, more so than knowing how to use a bunch of tools. Of course, you need to learn how to use the tools, but if you are a recent graduate your lecturers have probably waxed lyrical about “automating penetration testing”. If you ever hear that, stand up and call it for what it is: tripe. Automate as much as possible, sure, but you simply cannot automate a penetration test, not if you want high quality, consistent results that deliver a positive return on your client's investment.
You need to work with an analytical mind. There is no point in using point-and-shoot tools that will give you predictable outcomes if you are not able to interpret those results. Sometimes being able to see a secondary path of attack because of a particular result, within the context of the target organisation, will pay dividends. So, for all you autistic people out there, here is your biggest win. You WILL ace this. Take that “disability” everyone keeps calling it and turn it into your superpower.
“Performing a client test in a hardened network, everything was returning predictable results aside from one attack vector. I could see a NetAPI vulnerability which should be exploitable but very obviously should not be there. Why would a Windows XP machine be in a network of Windows 10 machines? Within the context of the business, it was likely an embedded device within a particular client interaction screen. 20 minutes later I found the vendor and had the technical specifications, which meant I could physically find the device. Access was then gained through a side channel attack. 5 previous Penetration Testers missed that one.”
The most important thing to learn is how to write a report. I have worked with penetration testers who, technically, are some of the best in the world. Unfortunately, they don’t know how to write. Unless you are in the role of researcher, you will be carrying out penetration tests for commercial clients and they will require a tangible deliverable, a report. Sometimes a report is easy to write. This is when there are many findings and you can clearly demonstrate what needs fixing.
Where you really show your value is being able to report on nothing, and find value in a desert. Imagine you are on an engagement and you are testing a fully hardened and updated externally facing network. There are no vulnerabilities present and certainly no avenues of exploitation. What do you report? A penetration tester is more than a technically astute person; they are storytellers, and a really good penetration tester is a talented technical author.
“I quite look forward to the hard tests. There is something satisfying about knowing you are up against an administrator that not only knows their work, but cares about it too. The big downside is that the written word suffers, and when the written word suffers you are in for a hell of a time getting the report through QA. My approach is to write my story from the time I get on site to the time I go home. A Dictaphone helps massively too!”
Ok, enough about Pentesters. Many of the thoughts and pointers here work for Infosec auditors, consultants, analysts etc. It is all so very similar.
Not all Cyber Security Firms are the same
Who do you want to work for? Not all firms are the same, and certainly not all firms are equal. In many ways, you can think of Cyber Security firms the same way as car brands. You have the big firms, these are your mass market people ranging from Nissan to Lexus. Next you have your more prestige firms, your BMWs, Mercedes etc. Then you have your boutique firms, Atom, Caterham, Lotus. Firms like Hedgehog.
Now, Infosec Europe 2018 really brought this home. It was battle of the “booth babe” term [sic]. Oh my god I hate that term. Especially those who accuse me of using them and wield it in my face more, but everyone is allowed an opinion. The old, great way to get an idea of the brand you want to work for was to actually go to the industry trade shows. You can't do that any more. Firms like Reed Exhibition now censor the exhibitors so much you don't get a feel for who the firms really are. But you can get a really good idea by playing a little game. Hop onto a stand and start talking to the younger generation that are staffing the stand. Talk about fashion, shoes, makeup and then flip to technology. Then flip back. If the person you are talking to doesn't start to squirm, you are talking to a tech. How many techs on the stand? How many can answer random technical questions?
No one firm is better than another, it's just the appeal they have. Some, like ours, will do oddball work. Some, like the big four, will only work with large business. You need to think about where you fit and what your expectations are. The easiest way to discover what kind of firm fits you is to speak to the techs.
Do Not just send a CV
You know your brand, now you need to hunt the job. Stop! Do not just send in your CV blindly. Think about your strategy. In fact, use the PTES methodology to structure that contact. Research who, find out what you can about them and align your contact in a manner that is going to give you the largest probable success. Find them on LinkedIn, Twitter, Peerlyst etc.
Now, I said don't just send your CV. What else should you send? To me, the most important thing in a tester aside from personality is their writing style. Create an example report. It doesn't have to be War and Peace (please, no. No double-digit pages), but it should highlight your ability to communicate in the written word.
I’m a [insert stupid stereotype here] and can’t get a break
I hear this way too often and it is a shame. If you have everything in line, your skills are moving up, your writing is good and you have a portfolio then there is no reason why you cannot get a break. Your problem could well be you are targeting the wrong brand.
Firstly, let me start with ladies in Cyber. There is zero reason in the world why you cannot get a break. If you really 100% believe it is because you are female, negotiate your way around my gatekeepers and call me. (Top tip, try phoning me. My phone number is all over the place!) Ok, I got flamed by some feminists for saying negotiate your way around my gatekeepers. But think about that for a moment. I get over 100 calls a day from sales people.
If I cannot work out what the issue is, I know some very well respected members of the infosec community who will. Here is where I give a big shout out to Rose, Celene, Jane, Magda and Cassandra.
Now, Tattoos and Piercings. If you are struggling look again at the brands. I know five firms that don’t care about Tattoos and Piercings. One of the best Penetration Testers I know has a lot of piercings but she knows that for some clients she will have to adjust her look. Research your brands and you will find the ones that align well.
Now the taboo subject, Mental Illness. No one likes to talk about it, but I like to throw convention out. Really this is exactly the same as Tattoos and Piercings. A great tip here is to avoid any firm that has a big HR department that likes to tick a box. It is cruel to say, but personal experience has shown me this to be true.
Sexuality. See Tattoos and Piercings. Really, it is that simple.
Now of course, there is a gotcha in all of this. The people you are going to be targeting are busy, very busy. Often, I do not think busy is a strong enough word. But do not get downhearted if you are ignored for the first couple of attempts. Keep trying, but not every day, or you may get mistaken for a recruiter.
I will be brutally honest here. Ignore what the recruiters tell you. Having a Certified Ethical Hacker certificate and zero experience does NOT qualify you for a £60,000 salary. It does not even qualify you for a £30,000 salary. I have had recruiters tell me they have the perfect candidate only to interview someone for a £60,000 role and find out they have less than five years’ experience, no OSCP and have never published anything.