Introduction
Hello and welcome to this entry. This will form part of an episodic series in which I document my transition into cyber security. I have no idea how long this is going to take or if I am even successful in my quest. However I think it’s important to document, simply because there are many out there who have the same aspiration as I do. Like many considering this path, I do not have a computer science degree. In fact, I am almost entirely self-taught in what I know about technology. Inevitably I will come across barriers and hurdles along the way, no doubt making plenty of mistakes.
Why Penetration Testing?
So, why become a penetration tester? I will be frank in that it isn’t so much technology itself, but rather the mind-set and approach that fascinates me. Penetration testers (also known as ethical hackers) are something of an oddity, in that they are both possessed of a moral conscience and yet can think like a predator when it comes to compromising systems. No, I don’t mean the sweaty registered offender kind, but the kind of people who can spot weaknesses and opportunities to exploit within infrastructure and businesses. They are also brilliant lateral thinkers, able to take seemingly benign functions and reinterpret their use into an exploit. This includes people. They then document their findings and present them to a client, with recommendations on how to keep their more unsavoury peers at bay.
Oh and they get paid. In the UK, you can find this salary average in the London area here. If you’re more the mercenary type, then you can check their contract day rate median here.
However the role comes with its challenges. It’s not unusual for them to work eccentric hours, depending on client requirements. They are also teetering on a fine legal edge, where if their work falls out of an agreed scope, absolute legal and reputation bedlam can ensue. In addition, they have to continuously stay relevant in their skillset and understanding of threats/vulnerabilities. It is a constantly evolving role that at times can impact your social and home life. However if you love learning and doing strange things with tech, then these can be acceptable trade-offs.
Where to begin?
Good question, one I am not sure I have the correct answer to yet. But what I do know is this:
- Infosec and cyber security are not the same. The former is more security processes and governance, the latter is more about securing the infrastructure and software itself. For a long time I confused the two, as the terms are often used interchangeably by marketers and non-technical evangelists.
- I need to get good with the following basic technologies and skills:
  - Operating systems. Specifically Windows and Linux.
  - Networking infrastructure. How networks are built, the protocols they use and how they exchange information between devices.
  - Linked to the above operating systems, particularly PowerShell and Bash.
  - This will be a journey in itself, but for now I will focus on Python.
There are of course a plethora of other skills I would need to develop, namely familiarity with pentesting tools, security frameworks, other coding languages, Cloud platforms and even the ability to craft a quality report.
For guidance there are a couple of blog articles I found to be interesting and fairly succinct in their presentation. Specifically this one from Jean-François Maes and this one by John Jackson.
Plan of Action
Presently I have managed to obtain the CompTIA Network+ certification and will soon work on the Security+ qualification. However as I work as a system administrator and an information security analyst at present, I am caught up in studying for qualifications that keep me relevant in these roles.
However when I have got the certs I am working on out of the way, my next plan of attack is to work through Alexis Ahmed’s HackerSploit YouTube channel. I’ve already worked through a good deal of the “Linux Essentials for Hackers” series, making notes of the commands. I felt this was interesting in that Alexis takes a Pareto Law principle when teaching about penetration testing. In the case of Linux, he feels that 80% of what you are taught in traditional Linux training you will likely never use when doing penetration testing. As such, the videos focus on the remaining 20% that is relevant.
Still if I am to get anywhere in cyber security, I will inevitably have to go deeper on these technologies at some point. But until then, I invite you to leave a comment on where you are in your journey.