Tips and Tricks for Aspiring IT Security Professionals
If you’re interested in entering the cybersecurity field as an ethical hacker, you’ll definitely want to read this blog post Q&A interview with a professional ethical hacker in the UK who asked not to be named to minimize his digital footprint online. Because I have a lot of students in my courses who are very interested in pursuing a cybersecurity career, specifically as an ethical hacker, aka, a penetration (pen) tester, I thought it would be beneficial to interview someone who does it for a living to give you insights into what he does and the skillsets you need to know to be successful in this specialty.
If you enjoy this interview or have any potential follow-up questions, please give the blog post a nice rating at the end, and leave your questions as comments. If I get enough, I’ll see if I can do a follow-up interview.
Can you share a bit about yourself and how you got into the IT security field?
I’d be lying if I said that my entrance into cybersecurity was a product of lifelong passion, honed through bypassing website blockers at school or leeching free internet access from insecure networks. To be honest, I got into it in a fairly unglamorous way; after a few years of playing poker professionally, I fancied a new challenge and was drawn to the IT industry for its in-demand and potentially lucrative job offerings. After playing around with a few programming languages without a clear goal, a friend recommended looking into cybersecurity as an option, citing the Offensive Security Certified Professional (OSCP) certification as a good way to get my foot in the door. After registering for the course back in June 2018, I soon fell in love with everything about the industry, earning the certification at the close of the same year, and began working as a full-time penetration tester soon after.
Can you share a bit about your current ethical hacking/pen testing job and what you specialize in?
I currently work at a consultancy firm in the UK, delivering penetration tests for a variety of organizations across multiple sectors. Day-to-day, my time isn’t always spent strictly hacking – it can also involve scoping upcoming engagements, writing reports for recent tests, or enhancing internal capabilities through working on tools/methodologies to improve the quality of our delivery.
I have a particular interest in web application security (which, conveniently, is by far the most common type of test requested by clients!), but have experience across a variety of delivery types, including external infrastructure (e.g., public-facing assets), internal infrastructure (e.g., an organisation’s intranet), wireless networking and build configuration reviews.
In no particular order (except number 1!):
- The ability to effectively and efficiently use Google (completely serious). As a penetration tester, you’ll constantly be confronted with new services, technologies, and problems, most of which you’ll be able to learn more about – and potentially find ways to exploit – through using Google as a starting point.
- Basic networking (i.e., common network protocols, ports, services, and IP address theory).
- Scripting (no need to discriminate against any particular language – anything that works to speed up a job/automate a menial task can be a great help).
- Familiarity with UNIX-like and Windows operating systems (file and permission structures), as variants of these, will usually be hosting the services you are trying to hack!
What are your thoughts on the OSCP and its applicability to real-life pen testing in the workplace?
(Not a paid advertisement, I swear) It does a really good job of giving both entry-level and more experienced IT professionals a strong foundation of skills needed for penetration testing. From teaching basic enumeration techniques, exploit research, and requiring the very realistic process of documenting your findings thoroughly in a well-written report – all in a time-limited environment – each of these produce transferrable skills to a career in penetration testing. Add in the resilient, ‘try harder’ ethos that you’ll need to succeed, and the OSCP does a great job overall.
The main difference between the OSCP and “real-life pen testing” is that the use of automated tooling is disallowed in the OSCP exam – a decision which does have its own merits – but often serves as an integral part of penetration testing at a commercial level (e.g., through tools like Metasploit). OSCP students can still familiarize/use these tools in non-exam, lab environments, though, which is well worth doing if you want to practice using them before entering into the professional world!
To follow up on the OSCP, which ethical hacking certifications would you recommend to people aspiring to break into the field?
I’d recommend any of:
- Offensive Security’s certifications (there’s more than just the OSCP), as these continue to have a good reputation in the industry and can help you land a job, or, at the very least, get past the HR barrier/automated CV checker for an interview;
- PentesterLab for web application testing (not so much a certification, but does offer e-badges as proof of completing challenges);
- Any of The Cyber Mentor’s certifications; he is well-respected in the industry for producing high-quality, free/inexpensive learning content.
- If you’re based in the UK, Singapore, or Australia, then CREST-related certifications (such as the CPSA/CRT/CCT) have perceived value. However, these are not the most exhilarating exams to prepare for and are also super expensive. You’ll likely be better off pursuing a more practical, hands-on certification (e.g., the OSCP with its PWK lab) and then getting your employer to sponsor a CREST-related exam if the certification is required for work delivery!
Are there any particular tools that you use the most that you’d suggest people learn?
I’ll preface this by saying that there’s more than one way to skin a cat (e.g., multiple tools exist which fulfill largely the same purpose), but below are some of those which make up an integral part of my personal toolkit (not exhaustive!).
Web Application Testing
Are there any particular services you’d recommend for people to learn and practice ethical hacking?
A ton! Most of these are free/relatively inexpensive (the cybersecurity community is great at sharing knowledge). In no particular order:
- HackTheBox is a good starting point for honing your skills. There’s also a bunch of related sub-resources:
- For newcomers to hacking or CTF-style labs, I’d recommend working through boxes rated as ‘Easy,’ particularly those which have been retired and have freely available walkthroughs to guide you if you’re stuck (such as IppSec’s great video walkthroughs).
- HackTheBox Academy is also a new offering that has some free courses for learning tools and exploitation techniques.
- PortSwigger’s Web Security Academy is a great free place to learn web application testing techniques in a hands-on lab environment. They conveniently break the labs down into different vulnerability classes, scaling in difficulty, so you can spend a good deal of time honing your skills and become confident in different vulnerability types one by one.
- TryHackMe is another free resource, offering great guided material/challenges for newcomers and more experienced penetration testers alike.
- PentesterLab is a platform with extensive application-focused testing labs, providing a ton of different micro-lab environments with supported walkthrough material and e-badges for proof of completion.
- Bug bounty platforms (such as HackerOne, BugCrowd, and Intigriti) allow you to hack real-world organizations* and receive points – or in some cases, monetary rewards – for being the first person to successfully report a valid security issue. While some of these public programs will be competitive and thoroughly-tested environments, they can present an engaging way to practice things you’ve learned against real-world targets rather than (sometimes contrived) lab environments.
*Disclaimer: always read and follow each program’s rules/scope when participating in these!
What are your thoughts on the importance of writing and communication skills in ethical hacking?
Hugely underrated and a skill that is greatly appreciated by clients. In many cases, the only deliverable that a client will receive from a penetration test is a report. A tester could have delivered the most rigorous, complex, and impressive penetration test known to humanity – finding a bunch of critical issues along the way – but if the report at the end of it is badly written, then the client probably won’t come to this conclusion. It’s particularly important to be considerate of what information is useful to a client and cater to this accordingly:
- A client will usually want to know if/how a finding impacts their organization’s security posture in a practical, demonstrable way.
- It’s also helpful to provide clear, actionable remediation steps for the issues we pen testers find. Think of it from the client’s perspective – if you’re an overworked, underpaid system administrator, spontaneously tasked with the delightful job of addressing all the security vulnerabilities affecting your organization’s assets… what’s the chances of you resolving all of the issues detailed in a report if there are no clear steps on how to fix them?
Soft skills such as verbal communication – particularly the ability to convey complex ideas in non-technical speak – are also super valuable and can help in getting C-level folks to appropriately allocate resources for outcomes that need it.
What’s the number one piece of advice you’d give someone new to IT that says they want to become an ethical hacker?
You’ve (probably) got to love it to be a truly great penetration tester. Cybersecurity is an ever-evolving space; new vulnerabilities and exploits are discovered every day, and if you’re not prepared to keep up with these developments as the landscape changes, you’ll likely become a less effective penetration tester. Similarly, the very nature of consultancy-driven penetration testing will require you to constantly learn as you’ll be regularly faced with new environments with potentially unseen technologies.
Fortunately, there are so many different areas to specialize in (from web applications to mobile apps to infrastructure, networks, embedded systems, IoT devices, and even physical security – – (legally) breaking into buildings!), that if you’ve got a base interest in IT/security, then you’ll more than likely be able to find something that suits you.
Any other words of wisdom you’d like to share?
You don’t need to have years of technical experience to get started in this industry. If you’ve got a passion for it and a willingness to learn, anyone can get there. It’s a bit of a misconception that hacking always involves green, unintelligible Matrix code flying across a screen and a young teen wearing a black hoodie. Anyone can get into this field, and I’m sure we’ll benefit from having you in it!