Picking up from where I left off
Geez where does the time fly? Been a long while since I’ve updated this blog. The irony is that it wasn’t like I was short of things to write about, though much of that you can find on my LinkedIn feed. It’s OK, you can click follow instead of add if you’re more inclined 😉
So, where am I at since last time I wrote? Well, I’ve gone from being some bizarre hybrid system administrator/information security analyst, to a privileged access management (PAM) engineer to an IT security engineer. All this in the space of nearly a year and a half.
Am I any closer to my goal of become a penetration tester?
Why? The TLDR answer is simple: lack of focus. Why was I lacking focus you say? Combination of information overload, poor objective qualification and letting the trappings of life overtake some of my priorities.
Oh, and I joined the British Army Reserves. As of writing of this article, I am still in basic training. My motivation for joining and my experience with this so far will likely be a subject for another post. But for now, let’s get back on point.
Lessons, lessons, lessons
So lets look at where I’ve gone wrong, specifically lack of focus. Why am I lacking focus? Racking my brains, I feel like there are a few factors at work, some of which are already mentioned:
- Not being clear on what kind of penetration tester I want to be. I know, I know, there are in fact different types of pentesters. Some focus on networks, others on web applications while some degenerate barbarians are adept at mobile app hacking. Hell, there are even some space wizards who hack CPU architecture, such as Maria Markstedter. This is not an exhaustive list, there are a lot of niches to this.
- Information overload: I won’t lie, as many of you have come to discover as well, there is an absolute El Dorado’s worth of knowledge out there on this subject. There are plenty of free as well paid for courses, books and labs on how to hack different kinds of technology with which kind of tool/technique there is to hand. Unfortunately, as you wade your way through this city of gold, you come to find that each tool and technique has its own branch of knowledge, courses, books, labs to follow up on. It’s very easy to get side tracked and kind of lost.
- Letting life get in the way: This comes down to discipline and priority setting really. As mentioned, I’ve been changing jobs and have started a concurrent career with the military. The latter in particular requires a fair bit of commitment to fitness and learning. Though the job changes were not entirely anticipated, my desire to serve in the military was. Although it’s easy to make excuses and say that I only have so many hours in the day, I could also argue and say that I’m clearly not giving security the priority I said I would in my previous posts. Truth is, I want to be working in cyber security and the military. It’s at this point in my life that I have decided to do both. It’s potentially possible that I can combine the two in some form. But one of the reasons I’m writing this post is to remind myself of why cyber security and indeed the desire to be a penetration tester is important to me.
The Path of the Monkey
So now that we’ve established my shortcomings, what can I do to return to the glorious path? Well, this is my plan:
- Bloody qualify the kind of penetration tester I want to be. It’s OK to have a base skillset and build upon it, but figure it out first! Right now, it’s leaning towards network and web app. The latter gives me an excuse to develop some rudimentary coding skills. Reading up job descriptions and maybe even speaking to some of my esteemed peers on LinkedIn will likely help qualify this better.
- Stick to the high-level stuff and learn only what you need to function from tools (for now). Same again, there are one or two people slightly ahead of me on this in my network. I shall make the time to approach and consult them.
- Set aside regular time to practice what I preach. This will likely start as a smaller commitment at first, growing larger as my military basic training begins to tapers off in the new year.
- Part of this exercise can include publishing my progress on different platforms and labs. Up to now I’ve largely churned away on these in my own bubble.
- Being consistent is key, even if I get stuck.
Still, being in a career in cyber security already, I still have to remain job relevant. This has side tracked me before, so am wondering if there is a way to include this into my training without it being too much of a divergence. For example, when studying for Azure certs, look up ways to break the platform using or abusing the very tools designed to protect it. If they work effectively find a use case and study it.
Another thing to do is to read up on recent exploits and carry out my own test. I don’t need to be original (for now) and if I have to, flagrantly copy someone else work and showcase it (with credit to the source of course). With enough monkey see, eventually this monkey will do.