As I refuse to use stock imagery of hackers with the faceless hoodies and code cascades, I thought I'd use a picture of what InfoSec Consulting actually looks like.
These Opinion posts are something we're trialing - only reflecting the views of the poster and not Comfortably Dumb as a whole. They're designed to get people talking, and maybe sparking new Opinion posts as a result. Here's my first one - about where I think a lot of people go wrong when entering the industry from a background of CTFs and Hack The Box - confusing their first job as an ethical hacker/pentester as an extension of that, rather than the consultancy job it actually is.
Background:
Since I left the military in 2018, I've had more than a few people message me over a variety of platforms to ask me questions about cyber. The topics ranged from what to study, what worked and what didn't on CVs/resumes and whether CTFs and Hack The Box experience counted when it came to demonstrating skill and experience.
Since the publication of the Cybersecurity Field Manual v1 back in January and the launch of Comfortably Dumb the week after, that number has skyrocketed. I'm delighted that the things I publish seem to have a positive effect on people out there working their hardest to break in and progress in this industry - and I'm delighted to help in any way that I can!
And it is true, companies more than ever place value on skill-building through gamified platforms like Immersive Labs, PentesterLabs, AttackDefense and most famously Hack The Box. Whilst primarily intended for use as practice labs for people to gain skills in penetration testing tool usage and computer hacking without going to prison, they have also significantly gained recognition amongst employers as a feasible measuring stick of someone's potential (along with certifications, etc.) when they have no commercial InfoSec experience.
It's not that I think experience primarily gained through platforms like this is somehow not "valid" - it absolutely is, and people have to break out of the "can't get a job with no experience, can't get experience with no job" loop somehow.
It's that I think platforms like this ingrain a mentality (by rewarding it with points and rank advancement) that the point of this skillset, and thus the point of the job, is to "win" and get in every time, and that if you don't find a vulnerability or weakness you've somehow "lost".
This is not necessarily a problem in and of itself when restricted to the platform itself - after all, it's the entire point of HackTheBox to get user, then root. You get the points for it, and when you've racked up enough - you make it to the next rank and stick it on LinkedIn or the HTB Forums. The feedback loop is complete, the dopamine released and you have another hacking addict on your hands.
I have noticed, though, that when people (especially very young people) have built most or all of their experience on platforms like these, they tend to carry this "win or die" mentality with them into their first jobs as pen-testers and security consultants.
Why I Disagree With This "Root or Bust" Mentality:
I think treating your security engagements this way - as a sort of war-game that you "win" by finding the most serious vulnerabilities you can on a client's application or network - misses the point of what we do as security consultants on more than a few levels.
Firstly, you did not "lose" a pentest or engagement because you didn't find remote code execution or manage to pop a shell at some point during your testing time. Nor was that test a failure - or even a bad engagement. The point of what we do is not to pick the lock to the door or jimmy the window every single time, whether by hook or by crook. It's to establish whether the proverbial house has enough security measures in place to put off most intruders, bar the most determined and talented.
If you couldn't find anything that allowed you full administrative control and were only able to report that there were minor misconfigurations, you didn't lose and it does not reflect that you're a bad consultant. It could mean this specific client actually has their stuff together, and it should be duly credited in the report. I try to make it a point that if something is done well by a client, it gets mentioned as and when I can in a report. Your job is not to "own" the client, nor is it to find something so bad that it endangers the IT manager's job - we all play for the same team!
After all, when you take a job at a consultancy, or even as a self-employed pentester, I personally believe that regardless of your background you cease to be a "hacker" in the purest sense of the word whilst you are AT work and on client engagements. I feel that penetration testing and security consultancy are different pursuits and should be treated as such. I don't mean by this that the hacker mentality is not useful during an engagement, or that creativity should not be employed in your attempts at compromise.
I just mean that the mentality of "owning" and "winning" is, I feel, not as compatible with the goal of helping our clients make themselves more secure as people might think - and has a lot more to do with preserving the ego of the consultant than with serving the interests of the client who is paying our wage.
Conclusion To My Rambling:
You might not agree with what I'm saying, or you might feel that it doesn't apply to you specifically. I agree that many consultants learn consultancy skills over the course of their careers and did not know them upon turning up at their first cybersecurity jobs. It's something I think you pick up over time and learn a little more about on each engagement - and I think this opinion is aimed more at people attempting to make their way in, or who have just managed to break into the industry for the first time.
It's that mentality - learn something off every engagement in case it comes in handy on the next - that I think makes for truly effective security consultants - rather than a "win at all costs" mentality that mainly serves people competitively hacking rather than consulting. When you do it for a living, sometimes it pays to remember that there are real people on the other side doing their best with insufficient budgets, time and manpower to keep their company's resources secure. Our jobs as consultants are to help them out with that task. Like I said before, we play on the same team!
Playing Devil's Advocate though, I think that the measurement of skill driving people who hack competitively to get better can be immensely valuable too. "Get 1% better every time" is as good a mentality in InfoSec as it is anywhere else. The creativity in approach that games and CTFs force upon you to reach the end goal (usually a flag) is also something that will come in very handy over a career in information security, regardless of where it takes you.
Anyway, that's my two cents on the issue - let me know what you think?