Here is what I think makes a truly great Penetration Tester:
It’s not about how many certifications or degrees you have hanging on your wall. It’s about the way you think: being able to put your thoughts to the keyboard, thinking outside the box, thinking critically. It’s about having a clear mindset to accomplish the task at hand. It’s about experience.
Unfortunately this is often lost on most would-be Penetration Testers, mostly because of the kind of training they receive. Sure, people can read a book, take a few cram sessions and, with good memorization, sit for and pass a certification exam. But does that really spell out what they know or what they are capable of? Not usually. In fact, almost never.
You see, I think it’s more important to have hands-on experience. Having real battle scars from being in the trenches, so to speak. Oftentimes (and I speak from 20 years’ experience), what you learn in a book is not practical in the real world at all. It’s the experience you gain putting in the time working in the field, or even studying in your own labs. The thing is, you should never stop learning. This industry changes so rapidly that if you stopped learning, you would be about as useful as last week’s newspaper.
Dedication is key. This isn’t just another job, it’s a highly skilled craft. Unfortunately I feel that is also lost on most people. They get comfortable and stay there. They refuse to be challenged, even by themselves.
TL;DR: Never stop learning. Never stop training to perfect your craft. And most importantly, don’t stop pushing yourself and your limits. Get out of your comfort zone and get moving.
You’ve done the training. You’ve practiced. You’ve searched for jobs, but have come up empty-handed.
Here is my list of the Top 5 Things You NEED to do to land your dream job!
The resume that puts other resumes to shame. A resume is just as important as your skills and training. If you can’t write a resume that is direct and to the point, you’re finished. Remember, you’re usually not dealing with technical managers at first: the first interview is typically with a non-technical interviewer, and your second interview may be with a technical manager. Write it so that the non-technical reader can tell what you can do.
Dress to impress. When showing up for your interview, do not look like you were out drinking with friends the night before and just rolled out of bed. Men, wear a suit and tie. Women, a nice business suit or dress. For everyone, your appearance speaks volumes about you. Look sharp, but not over the top.
Direct eye contact. Direct eye contact with your interviewer is very important. You have nothing to be ashamed of, or nervous about.
Speak clearly. Speaking clearly and directly will improve your chances of success. Speak at a normal pace, and with passion, but not over the top. If you are a fast talker or a jittery talker, practice mock interviews with people you feel comfortable with, like family members or your significant other.
Last but not least: be early! It shows dedication and professionalism, and speaks volumes about what kind of employee you will be. But there is a catch: showing up far too early can count against you just as much as being late.
If you are interested in a career coaching course, where we go over in detail how to go above and beyond these Top 5 Things You Need to Get Your Dream Job, we will be offering one soon. Be sure to subscribe to this blog to receive the email update when that course rolls out.
At least daily, I come across some very confused people looking to start training in Cyber Security / Penetration Testing. They are confused mostly through no fault of their own. After all, there is a lot of disinformation online, and shows like Mr. Robot don’t make matters any better. Unfortunately, because of the unrealistic nature of these shows, movies and online information, these potential Cyber Security warriors are duped into believing that there is some magic tool to fast-track them to cyber stardom. I’ve written about this in a previous post about the golden child of the game, Kali Linux.
So, I want to try to dispel some rumors and misconceptions in this article, and hopefully set some would-be Cyber Security heroes straight.
Firstly, you can’t just skip past Go and collect $100k+ per year as a Cyber Security expert. It takes many sleepless nights over many years of training to reach the level of technical expertise that lands that monster paycheck. Watching random YouTube videos of some guy typing into Notepad with felonious spelling atrocities, zooming in and out of a terminal at a rate that would make you motion sick, is not going to get you there. Seriously, it will not.
Secondly, speaking of YouTube and other free training mediums: I find a lot of people balking at professional-level training prices. And look, I get it; the economy is unstable and a lot of people may not be able to afford higher-end training like SANS. But if you think that skipping proper training and flying by the seat of your pants on sites like YouTube or Udemy (to name a few) is going to land you that super awesome CyberSec job making $100k+ a year, you are severely mistaken. You can’t watch a few Udemy courses and go sit for the OSCP, or even the CEH for that matter. You will waste your money on the exam voucher and fail.
Third, speaking of investing in yourself: do you think these industry exams are free? They are not. In some cases they cost hundreds of dollars, and in others they approach the thousands quite quickly. So you will have to pony up at some point; wouldn’t it be better to invest in proper training first, so you don’t waste that money later by failing the exam?
Fourth, speaking of industry certifications: they DO matter. It will be a very rare occasion that anyone lands even an interview without some of them (even the basic ones) on their resume. One more point while we are on certifications: don’t shoot from the hip and go for everything that has the words “Cyber Security” in it.
Fifth, don’t fall for the certification hype. I know that sounds contradictory to what I just said, but hear me out. A lot of the companies that are hiring want hands-on experience in conjunction with the certifications. So you may be asking yourself, “How the heck do I do that, if I can’t get a job without provable experience?” And you’re right to ask that question, as so many do. Let me list a couple of things to help:
1. I have seen quite an influx of online training places offering “internships”, and I use that term loosely, because often it’s a dubious sales tactic. Why? Because some places charge YOU to intern with them. Yes, you read that right. They CHARGE YOU. Seems crazy, right? But some people are desperate to have that “hands-on experience”. Let me be the first to tell you: you should NEVER PAY for an internship. That’s just absurd, in my opinion.
2. Speaking of internships, a lot of these same places say they will write you a letter of recommendation. Be sure to get that in writing, or email, or something, before you commit to these “intern”-style programs. Often they make you do work for them and leave you hanging at the end. Here at PentesterUniversity we do not offer internships. However, we do offer a personalized written letter of recommendation, ONLY after you successfully pass our certification exams, which demonstrate your skill level. Trust me, I won’t put my name and reputation on the line for just anyone, and the final exam is very difficult.
I could probably go on for hours on this subject, but I will spare you the time. The bottom line is: to get to a $100k+ job in Cyber Security you have to start at the bottom and work your way up. That means starting with a good learning plan and training. Don’t be afraid to hire a mentor or coach either; it helps with accountability and drive. Someone to keep you on course, guide you (not do it for you) through the process and the obstacles, and keep you motivated and focused. I believe that is important for a student’s success, because if it were so easy to hit the top so fast, everyone would be doing it, and doing it quickly, which is not the case. And in case you were wondering: yes, we offer that here at Pentester University.
If you have any questions going forward, please feel free to email me anytime.
I often get asked by potential students, “I’m xx years old. Am I too old/young to get started in Cyber Security?” and the answer is always the same: no.
At Pentester University we have students of all ages, some not even in high school yet, and some retired from a previous career. The fact of the matter is that no matter how old or young you are, it’s never too late or too early to get started in Cyber Security.
Here’s the thing: your age does not determine your learning ability, despite the old saying “You can’t teach an old dog new tricks, and you can’t teach a young dog old tricks.” You determine your learning ability. With hard work, determination and focus, you can learn Cyber Security at any age. Heck, I know some 5-year-olds who use an iPhone better than I do. Whose fault is that? Mine. Why? Because I haven’t devoted the time to learning more about it.
At Pentester University, I try to break down all of the technical jargon and media buzzwords into something you can easily understand, something you can digest and retain, without it being super boring like similar online training has been known to be.
Have you heard the term “Scope Creep” before? Chances are you haven’t, because it’s one of the most commonly overlooked things to be mindful of in Information Security / Cyber Security.
What is “Scope Creep”?
Usually during the pre-engagement phase of a Penetration Test, while you are defining your contract, you set aside a block of hours that you feel is the proper amount of time to test your client properly according to the SOW (Statement of Work). The SOW fixes what is in scope: which systems, networks and applications you are authorized to test, and the block of time you have agreed to spend on them.
Scope creep is when a client says to you, “Oh hey, while you are here, can you test this ________ also? It’s something we forgot to include in the initial engagement.” And trust me, this happens more often than not. Most Pentesters are so happy to have landed another contract that they bend over backwards to oblige the client, and work it into the already existing scope of work.
But here’s the thing: aside from the legal problems this can pose (a system that is not in the signed SOW is a system you have no written authorization to test), it will eat up more of your pre-determined block of time and you will find yourself working longer, thus decreasing profits. Now, if you have been enrolled in our Penetration Testing for Beginners course, you will know that I constantly bring up this issue and warn you that you should never work for free. In fact, there is a way to hit the ESC key on this common debacle while still meeting the client’s request.
Escaping the Creep:
One successful way I have found to do this is to approach your client in a manner that makes them aware that you want to help, but that you also need to get paid extra. For instance:
“No problem, Mr. Customer, I certainly understand. So what I will do is have a separate Statement of Work drawn up to include the added time and resources that will go into testing the additional resources you mentioned. Once we get that signed and returned, we will go ahead and work that into the schedule. Where should I send it, to your email?”
You should never, ever work for free. There will never be any benefit to it; in fact, most clients will take it as a sign of weakness, and for the rest of your business relationship they will always seem to have “forgotten to include that” in the statement of work. It’s a serious trap. Don’t fall victim to it.
So by now, I hope you understand how scope creep can negatively impact your time and resources, and how to effectively hit the ESC key in a manner that makes your intent clear and concise.
If you have enjoyed this article, please share it with your friends and colleagues.
I see this question posted daily on Quora and in many CyberSec Facebook groups I belong to, so I thought I’d clear it up, hopefully (doubtfully) once and for all.
The very best hacking tool you will ever have (drum roll please…) is YOU. Please allow me to repeat that:
The very best hacking tool you will ever have is YOU.
No, contrary to popular belief, it’s not Kali Linux, or BackBox, or ParrotOS, or whatever other distribution or tool set you can imagine. It’s simply you.
Let me explain:
Anyone, and I mean anyone, can open an application, type some commands or click some buttons, and still miss their target almost every time. Why? Because they aren’t using a logical approach. Out of sheer random luck you will sometimes get results, but then you’re playing the guessing game, taking whatever you THINK is the next step.
You see, without logic and a firm understanding of the phases of Penetration Testing (pre-engagement and scoping, information gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation and reporting, as PTES lays them out), you’ve already lost the battle. You’re just going to wind up frustrated and burned out from wasting so much valuable time. You might even break something unintentionally.
The use of logic together with the phases of Penetration Testing is something we cover in depth at Pentester University.
And listen, this is usually not your fault. Other training platforms like Udemy and the like simply don’t teach these two simple principles. How can they? Most of them don’t understand them, or how important they are in Penetration Testing.
I tested this theory and signed up for a few popular Ethical Hacking courses on Udemy for my research. I have literally never been so disappointed with what I watched. But really, this should be its own topic in and of itself, so I will spare you for now :-)
No matter if you love Trump or hate Trump, he’s serious about the future of Cyber Security
Last week President Donald Trump issued an Executive Order (EO 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”, signed May 11, 2017) outlining his plans for strengthening America’s cyber security infrastructure. You probably haven’t heard much about it, though, since it was immediately eclipsed by other news events, like the firing of FBI Director Comey and then the outbreak of the WannaCry ransomware worm.
According to TechCrunch’s article, one key thing that is important for those of us in the Cyber Security private sector is this:
“The EO’s call for federal government agencies, especially civilian agencies, to seek opportunities to share cyber technology makes a great deal of sense.”
And that couldn’t make me any happier, especially since Friday’s WannaCry outbreak kept SecOps up well over the entire weekend. It is also GREAT NEWS if you are looking to start your own Cyber Security firm.
In fact, since this news broke, I have received a ton of emails and calls regarding our Cyber Security Career Coaching services.
Do you remember the dot-com boom of the late ’90s and early 2000s? This is very similar, except that, unlike the dot-com boom, there is no bubble or crash in sight for the foreseeable future. So roll up your sleeves, folks: Cyber Security is going to be strong, no, scratch that, super strong in terms of budgets and earnings. Are you ready for it?
“I Know Everything” – The Cyber Security Pitfall.
Chances are (especially in this field of Cyber Security) you’ve worked with someone who claims to know it all. And you’ve probably quickly noticed that they don’t. Ugh, I see it all the time. I’ve worked alongside plenty of these “know it all” types, and the fact is, they only knew what they read in a book to pass their certification test. If I had to guess why they act this way, it’s self-doubt and an inferiority complex. If they could just get past that and humble up, they’d probably be fine.
It’s impossible to know everything, regardless of the career. The so-called “gurus” don’t know it all either. In Cyber Security this is especially true: the field, on both the offensive and defensive sides, changes so rapidly that it’s virtually impossible to know everything. Heck, you’ll never catch me saying that I am a “guru” or a “know it all”, because I’m not, and I don’t. There is always something new to learn in this rapidly changing career. The sooner you realize that, the better off you will be.
The key to a successful career in Cyber Security is to be humble, among other things. Keep learning, keep moving forward, and don’t get discouraged. Our ideal students at www.PentesterUniversity.org are complete beginners. Why? Because there is normally no “I know it all” attitude, and that is important for their success with our personalized training.
Oftentimes, as people of the digital age, and especially as Penetration Testers, we tend to get “information overload”, just like computers. And much like computers, we need to do a memory dump before we crash.
I felt it was important to write about this, because we all need to step away from the screen from time to time, even for just a little while, so we can regain our focus. I can’t tell you how many times I have been on a Pentesting team that spent hours upon hours going in circles because a team member was thought to have performed a task to further the team’s goal, and because of “information overload” simply forgot to do the task, or forgot to note the results. It’s super frustrating, but I understood; it happens to us all. It is also the best argument I know for a shared engagement log: every command, with a timestamp and its result, written down as you go.
Eventually, when I was a team leader, before we started an active Pentest I mandated 3 days of nothing for every team member. Meaning, no research, no testing, no report writing, nothing. It was 3 days to go do whatever they wanted (except the above) to clear their minds. I dubbed it “3 days of memory dumps, no logs”, which was quite funny at the time (nothing worse than a memdump with no log of it, lol).
The key takeaway here is: whatever you do, don’t allow yourself to burn out. Take some “me time” out just for you. Do whatever makes you decompress and relax. Go get a deep tissue massage, veg out and watch endless hours of Mr. Robot, or simply sleep. Whatever it takes to clear your memory. You’ll thank me later when you are on an active engagement and blaze right through it like Tank from The Matrix 🙂
Over the years I have worked with a lot of people, and in that time I have found that traditional college degrees do not matter. Some of the smartest and most talented people I have had the pleasure of working with were merely high school graduates. They never spent a single day in a traditional college. On the flip side, some college graduates I have worked with, who had their computer science degrees, were very book smart, but when it came to putting those book smarts into action with their hands, they were clueless.
Certifications do Matter:
While traditional college degrees are falling by the wayside, required less and less by employers, industry certifications are taking their place. Let’s be honest, I think even that is going to be phased out in the next decade. Why? Just take a look around: there is a myriad of professional certifications these days. CEH, LPT, CISSP, OSCP, Sec+, to name just a few. And for the most part, they overlap heavily in what they test. Here’s the other thing about these certifications: most of them have a renewal cycle, so the certification you worked so hard for expires after a period of time unless you retest or keep up continuing-education credits (and, usually, pay an annual maintenance fee); OSCP is a notable exception, since it does not expire. Now, don’t get me wrong, this industry of Penetration Testing and Information Security does change rapidly, so it’s not really a bad thing to re-certify. But think of the amount of money and time you have to devote to a re-cert every 3 years or so. It adds up quickly.
Linux:
This is a MUST in my experience. Most of the tools we use in everyday Penetration Testing are developed on, and packaged for, Linux; many have no Windows port at all, and only about half of them run on macOS. There are several reasons for this. The biggest is that Linux is open source and exposes the low-level networking these tools depend on (raw sockets, packet capture, putting a wireless interface into monitor mode), which Windows either restricts or does not support. So, while you do not need to be a master Linux super guru, you do need to understand the basics of how it works, and some simple commands, before you can pentest from a Linux environment.
Networking:
This is another must. You must know the basics of how a network and its protocols work in order to be successful at Penetration Testing. Again, you don’t need to be a network engineer here, but you should have a basic understanding of the OSI model and TCP/IP, of packet structure (what an IP header and a TCP or UDP header actually contain, and how checksums and flags work), and of protocols such as HTTP, UDP and ICMP, to name just a few. The more you know in this area, the better and faster you will be.
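To make “packet structure” concrete, here is an added example (not code from the original post): a small parser that decodes an IPv4 header and the TCP header inside it and verifies both checksums. It runs over a constructed packet, a SYN from 192.168.1.10:40000 to 10.0.0.5:80, that is built in the same block rather than captured from any network. The TCP checksum covers a pseudo-header (source, destination, protocol, segment length) as well as the segment itself, which is the part people most often get wrong. The parser is general: it handles IP options (IHL greater than 5) and will decode any IPv4/TCP packet once the link-layer header has been stripped.

```python
import struct
from dataclasses import dataclass


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit big-endian
    words, folded, then complemented. Computed over a header that already
    contains its own checksum field, a valid header yields 0."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad the final word with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def build_sample_packet() -> bytes:
    """Constructed sample: an IPv4 packet carrying a TCP SYN from
    192.168.1.10:40000 to 10.0.0.5:80. Hand-built here, not captured from any
    real network, so the parser can be exercised offline."""
    src, dst = bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5])
    # IPv4 header: version 4 / IHL 5, ToS 0, total length 40, ID, DF flag,
    # TTL 64, protocol 6 (TCP), checksum placeholder 0, source, destination.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    # TCP header: ports, seq, ack, data offset 5 (20 bytes) + reserved bits,
    # flags 0x02 (SYN), window, checksum placeholder 0, urgent pointer.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0x11223344, 0, 5 << 4, 0x02, 64240, 0, 0)
    # The TCP checksum covers a pseudo-header (src, dst, zero, protocol,
    # TCP length) followed by the segment itself.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_checksum(pseudo + tcp)) + tcp[18:]
    return ip + tcp


@dataclass
class ParsedPacket:
    src: str
    dst: str
    ttl: int
    ip_checksum_ok: bool
    sport: int
    dport: int
    seq: int
    flags: list
    tcp_checksum_ok: bool


def parse_ipv4_tcp(packet: bytes) -> ParsedPacket:
    """Decode the IPv4 and TCP headers of one packet (link-layer header already
    removed) and verify both checksums. Raises ValueError on anything that is
    not a complete IPv4/TCP packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; > 20 means IP options
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl + 20 or len(packet) < total_len:
        raise ValueError("not a complete IPv4 packet")
    if proto != 6:
        raise ValueError(f"IP protocol {proto} is not TCP")
    ip_ok = ones_complement_checksum(packet[:ihl]) == 0
    segment = packet[ihl:total_len]
    sport, dport, seq, _ack, off, flags, _win, _tcsum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    if (off >> 4) * 4 > len(segment):
        raise ValueError("TCP data offset exceeds segment length")
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(segment))
    tcp_ok = ones_complement_checksum(pseudo + segment) == 0
    flag_names = [name for bit, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << bit)]
    return ParsedPacket(".".join(map(str, src)), ".".join(map(str, dst)), ttl, ip_ok,
                        sport, dport, seq, flag_names, tcp_ok)


if __name__ == "__main__":
    print(parse_ipv4_tcp(build_sample_packet()))
```

Run it directly and it prints the decoded fields of the sample SYN. Feed it a packet lifted from a real capture (strip the 14-byte Ethernet header first) and a failed checksum is the first sign of a mangled or hand-crafted packet, which is exactly the kind of thing a scanner or IDS will also notice.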
Social Engineering:
The weakest link in any security environment is the human element. That is a fact. Now, you don’t need to be a psychology major, but you should understand how people tend to think.
For instance, let’s say you are pentesting a company called XYZ Widgets International, and you simply cannot find a way in. They are super secure. So, in your information gathering phase, you find a company directory, full of names, phone numbers and, most importantly, email addresses. You have also stumbled upon a portion of their website where you can see their “Partners”, i.e. other companies they deal with. You pick the partner ABC Widget Wholesalers, Inc., which has a manager of partnerships named Michael Dawson.
In the company directory of XYZ Widgets you find Mary Adams. She’s a secretary for the office. You also find a higher-level employee in that list, a manager of partner relations named James Matthews.
So you craft a PDF carrying a reverse_tcp Meterpreter payload, pack it with your packer of choice, and craft a spoofed email from an address at abcwholesaler.com, the partner’s domain. You give it the subject line “URGENT – Partner Application”. In the body you put something like: “Mary, I need your help. My boss Michael Dawson is having issues with his email or something. Ugh, you know how that is. He’s screaming at me about it, like I know anything about computers! Anyway, I am trying to help him, so he asked me to email this Partner Application to you. Could you please download it and print it out? It needs to be signed by James Matthews and returned by email to me no later than 2pm today. Thanks! – Sam Smith – Assistant to Michael Dawson”
Let’s talk about this for a minute.
Mary Adams, being a secretary, probably doesn’t know much about computers, and to be honest, she’s probably on some shoe shopping site browsing for a new pair of heels. Bing, an email pops up. She glances at the subject line and sees “URGENT – Partner Application”, looks at the sender, and it comes from abcwholesaler.com, one of their partners. Mary doesn’t want to get in trouble, so she quickly opens the email. Here is what each piece of the pretext is doing:
1. Her first name in the greeting builds a sense of legitimacy.
2. “I need your help” sets her mind back into work mode and away from shoe shopping; she’s a secretary, she’s always doing something for bosses.
3. Mentioning “my boss” immediately tells her that you are a lower-level person in the company, just like her.
4. Saying the boss is having email problems explains why you are emailing her instead of Mr. Dawson, and the “Ugh” puts her in a place of compassion, because she has likely been there too.
5. “He’s screaming at me about it” builds on the URGENT in the subject line, and “like I know anything about computers!” reinforces, again, that you are a low-level employee just like her, dealing with an unreasonable boss.
6. “Could you please download it and print it out?” is the call to action, delivered with sincerity; it tells her brain this is something she needs to do.
7. “It needs to be signed by James Matthews” (probably one of her many bosses) does three things at once: it adds urgency by naming her boss, it persuades her not to simply forward the email, since the document has to be printed to be signed, and the 2pm deadline seals the urgency deal.
If the pretext lands, you now have a shell on Mary’s machine. Social Engineering is one of the most important things to know in becoming a Penetration Tester. One caveat a working tester would add: a phishing campaign like this is only ever run against the people and systems named in the signed scope (see the scope creep article above); anything else is unauthorized access, no matter how good the pretext.
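Before the spoofed email in that scenario goes anywhere, a practitioner checks whether the partner’s domain can be spoofed at all: if abcwholesaler.com publishes an SPF record ending in -all and a DMARC policy of p=reject, the target’s mail gateway will most likely reject or quarantine anything claiming to come from that domain, and the pretext has to change. Here is an added example (not code from the original post) that makes that check. It reads TXT records from a constructed dictionary standing in for DNS answers (abcwholesaler.com is the fictional partner domain from the scenario; the other two domains are made up for the example), so it runs offline; on an engagement you would pull the real records with `dig +short TXT abcwholesaler.com` and `dig +short TXT _dmarc.abcwholesaler.com`. It deliberately does not follow SPF include: chains or DMARC’s organizational-domain fallback for subdomains.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed TXT records standing in for DNS answers. None of these were
# looked up; they exist only so the assessment can run offline.
SAMPLE_TXT_RECORDS = {
    "abcwholesaler.com": [
        "v=spf1 include:_spf.example-mailhost.net ip4:203.0.113.0/24 -all",
    ],
    "_dmarc.abcwholesaler.com": [
        "v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc@abcwholesaler.com",
    ],
    "weak-partner.example": ["v=spf1 ~all"],   # softfail SPF, no DMARC record at all
    # "no-records.example" publishes neither SPF nor DMARC (absent on purpose)
}


def parse_dmarc(record: str) -> Optional[dict]:
    """Split a DMARC TXT record ("tag=value; tag=value") into a dict of tags.
    Returns None if the record is not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier of the first 'all' mechanism in an SPF record:
    '-' (hardfail), '~' (softfail), '?' (neutral) or '+' (pass). None if the
    record is not SPF or has no 'all' term (implicitly neutral)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"
    return None


@dataclass
class SpoofAssessment:
    domain: str
    spf_all: Optional[str]
    dmarc_policy: Optional[str]
    dmarc_pct: int
    verdict: str  # "enforced", "partially-enforced", "spf-only" or "unprotected"


def assess_spoofability(domain: str, txt_records: dict) -> SpoofAssessment:
    """Decide how a receiving gateway is likely to treat mail that forges
    'From: someone@<domain>', based on the domain's SPF and DMARC records."""
    spf = next((r for r in txt_records.get(domain, [])
                if r.lower().startswith("v=spf1")), None)
    dmarc = None
    for record in txt_records.get("_dmarc." + domain, []):
        dmarc = parse_dmarc(record)
        if dmarc:
            break
    spf_all = spf_all_qualifier(spf) if spf else None
    policy = dmarc.get("p", "none").lower() if dmarc else None
    pct = int(dmarc.get("pct", "100")) if dmarc else 0
    if policy in ("reject", "quarantine"):
        # DMARC tells receivers what to do with failing mail; pct < 100 means
        # only that share of failing messages gets the policy applied.
        verdict = "enforced" if pct >= 100 else "partially-enforced"
    elif spf_all in ("-", "~"):
        # SPF fails, but without DMARC each receiver decides what that means.
        verdict = "spf-only"
    else:
        verdict = "unprotected"
    return SpoofAssessment(domain, spf_all, policy, pct, verdict)


if __name__ == "__main__":
    for name in ("abcwholesaler.com", "weak-partner.example", "no-records.example"):
        print(assess_spoofability(name, SAMPLE_TXT_RECORDS))
```

An “enforced” verdict means a straight spoof of that sender domain is likely to bounce or land in quarantine and the scenario above needs a different sender; “spf-only” and “unprotected” are exactly the findings that belong in the report as a weakness of the partner relationship, whether or not the phish is ever sent.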