A few days ago on Twitter @markofu posted a tweet which at the time I didn’t give much thought to, but on reflection was actually true (especially in my case). The tweet went something like this:
“Hi..How do I get into security, I want to be a pen tester??” -> why?? “I dunno, cos it’s cool”
This post is all about my perspective on this subject; it is by no means set in stone and, as always, I’m happy to talk about it further if people wish (that’s what comments are for).
Now as this is my blog, this post will focus on me, or to be more accurate, on my interpretation of this tweet. So before we begin, let’s rewind the hands of time and take a journey into my past.
Many many many years ago I watched a movie called Sneakers, if you haven’t seen it then watch it if you have the time. It’s basically a movie about a team of misfits who get paid to break into companies and steal data (on behalf of said company), sound familiar?? Yep it’s a Red Team basically and back then it’s what drew me into IT and IT Security.
My first experience of InfoSec was when I was at college and got my first computer (I was a late starter). I remember spending hours writing a Microsoft Word macro that would encrypt and decrypt text within a Word document. In my first IT role (back in the days of hubs) I wrote a proof-of-concept paper on how a “hacker” could use a packet sniffer to collect the clear-text telnet data that was sent to the Unix server; to take it even further, I then described how you could “steal” money from that system.
Fast forward to 2012, and I finally get around to pursuing the world of InfoSec more (feel free to add any number of lame and half-arsed excuses for why it took so long). I set myself a goal to not only learn more about Information Security but to also try to “break” into the tight-knit infosec community that seems (in my experience and opinion) quite daunting and “alien”. Over the last 7 months I think I’ve made good progress: I’ve started this blog, written my Scapy guide, attended (well, actually worked) at BSides London, taken part in UK Cyber Security Challenges and tried to learn as much as possible.
So, you may be asking, what is this all leading to and what does it have to do with the tweet at the start??
You see, just before Christmas @markofu was interviewed on @securityninja’s blog in a post called “Random Thoughts on Education & Learning”. I posted a comment asking for advice about how to “break into security” (that’s a well-used phrase) and one of the suggestions was the InfoSec Mentor Project.
During the sign-up process (to be a mentee, and I’m still looking for a mentor), one of the questions is about what you would like to be able to do once you get a mentor (well, something along those lines) and I wrote “Be able to perform Penetration Tests”. Why?? Honestly, because at the time I thought it was COOL. No, I’m not joking either; the reason being that for me being a Penetration Tester is the closest you can legally get to being a real-life “hacker” (without getting into trouble).
I mean, let’s face it, what doesn’t sound cool about a job where you get to “hack” into other people’s computer systems and pit your skills and abilities against a never-changing landscape of firewalls, servers and network infrastructure??
The reality, though, is a lot different. The level of knowledge, experience and skill required means becoming a pen tester isn’t as simple as taking a course or practicing in a test lab; it’s about real-world, never-ending experience. That means it’s not easy to just jump into it as a career, and if you have an already established career it’s not always something you can achieve without some sacrifices (there are always exceptions, of course).
So here’s the twist (well, sort of): I’m going to start my OSCP course soon, which will teach me essentially how to perform penetration tests (that’s still cool, right?). However, I don’t necessarily want to focus on pen testing. Courses like the OSCP are still very important for people like me because, regardless of what area I choose to focus on, I still need to understand how attacks work and be able to test and verify things on my own (a good, solid foundation).
You see, over the last few months I’ve discovered (on my journey to become a pen tester) that I actually have more interest in other areas of infosec that might not have come to light if I hadn’t been focused on learning about pen testing.
Make sense so far??
So once my OSCP course is done (and hopefully I pass) I’m going to change my focus from pen testing to one of the areas below (or maybe all of them):
1. Exploit writing – This still confuses the hell out of me, but being able to write code to exploit software seems like something I would enjoy getting more into.
2. IDS/IPS – Despite not being a packet ninja (or a networking person by profession), there is something intriguing about being able to dissect network packets, identify attacks and understand how to stop them.
3. Malware analysis – To be honest I’ve just added this to my list (I wanted 3 items on my list), but again it’s one of those areas where I get to take apart other people’s work (the malware writers’), analyse it and then work out how to identify and stop it.
I will of course still continue to build on the skills I’ve started to develop at the moment, but I want to focus on one area (or 3) because for me that’s a better fit, and I really do want to give something back to the infosec community (not in a dirty way either).
So are Penetration Testers cool? Hell yeah. I’ve met a few, worked with a few, and to be honest what they do on a daily basis is both scary and awe-inspiring at the same time, so I can understand why people associate pen testers with “COOL”, but sometimes you have to dig a little deeper to find your “niche”.