Hacking for a living sounds like a glamorous job, but how does someone get into that line of work? ZDNet Australia spoke to the heads of three security firms in the penetration testing industry to find out.
Speaking to ZDNet Australia, Hacklabs director Chris Gatford, Pure Hacking founder Rob McAdam, and Sense of Security co-founder and chief technical officer Jason Edelstein outlined what they look for when recruiting for penetration testers, and what those interested in the field could do to make the jump.
Technical skills were a prerequisite for any candidate looking to start their penetration testing career. All three firms were, in particular, looking for extended knowledge of the ins and outs of multiple operating systems and network administration, but a background in development was definitely seen as an advantage.
"Good programming and scripting and good [operating system] skills are great bases to develop from. I would like to find more people who had dealt with a customer and developed an app for them and all the project management in between, as this background experience sets them up nicely for working in the security consulting space," Gatford said.
But technical skills meant nothing without some of the softer skills, such as the ability to talk through concepts with all sorts of customers, whether they are developers themselves or high-level board members who may not understand the inner workings of security.
"There is absolutely no benefit at being technically a genius if you cannot communicate effectively with the client," McAdam said.
"The issue of data security is often now a senior management and board issue, and this makes effective client liaison mandatory."
Edelstein also said that these softer skills, like out-of-the-box thinking and attention to detail, simply couldn't be taught. He said that while both technical and soft skills were important, technical skills could always be taught to someone, even though they are apparently not being taught, even at universities.
Edelstein found it disappointing that most university courses failed to teach secure application development. Gatford agreed, stating that graduates needed to be able to see IT from the developer's point of view in order to be successful.
McAdam had some sympathy for the universities. He said that with data attacks tripling in intensity this year alone, it was simply impossible for them to keep up.
"There is absolutely no practical manner for this to be able to be captured into a learning module and rolled out to students in the time frame necessary for it to still remain relevant," he said.
But a degree doesn't necessarily guarantee a graduate a job in the security industry. Gatford said that a degree only became a deciding point when comparing two very similar candidates and one of them had a degree. Other than that, he hadn't noticed a particular slant towards those who had studied at university. Edelstein said that the reporting ability of graduates tended to be better, but, like McAdam and Gatford, agreed that a degree didn't typically sway his decision.
Instead, Edelstein and Gatford advised those interested in getting into the field to focus on developing those soft skills, with Gatford saying that many people, whether they came from a university background or not, simply never progressed because they failed to communicate clearly.
On the other hand, McAdam said that university graduates could look at what open-source projects they could contribute to in order to make themselves better suited towards the security industry.
Studying for and attaining recognised certifications were also considered to be useful, but only to a certain degree.
"The nuances of the real world often reveal that there are gaps in the level of knowledge provided by a certificate-educated candidate," McAdam said.
Edelstein agreed, but stated that while certificates might not illustrate someone's practical experience, they at least could later provide clients with the assurance that the recruit had the requisite skills to perform their given tasks.
Gatford took a different view on certifications, stating that what was important wasn't the fact that they had one, but rather the means and effort candidates went through to get it.
"If you do it yourself then it illustrates you are passionate, which is worth a lot when I am looking at people."
Trust was an important issue for all three companies. When screening potential candidates, all three performed background checks, including scouring the internet for public information about them on mailing lists, forums and social media channels.
McAdam said that they additionally undertake police checks, including those with Interpol, where required, and if during their screening anyone comes up with the combination of a criminal history and bad reputation, they are instantly eliminated from consideration.
"This is a small industry and bad reputations are easily identifiable. An increasing area of focus is social media. If we locate negative postings in public spaces then this is also taken into account," McAdam said.
All three companies said that they would rule out anyone who had ever used their skills illegally, whether for fun, profit or infamy.
"We are in a position of trust with our clients and we cannot risk this. There is often too much tempting information at our disposal during a penetration test. If they were tempted once, who says they will not be tempted again," Edelstein said.
Edelstein also disqualifies any candidate who is sly enough to lie from the very beginning of their potential employment by falsifying details on their resume.
Despite all of this, there isn't always the same entry point into the industry. While Gatford was working at a big four auditing firm, he had to pick out a single junior penetration tester from 700 applicants. The firm's partners had told Gatford to focus on candidates with double degrees, but these candidates all looked quite similar.
What caught Gatford's eye was one candidate who had listed on his curriculum vitae that he was a past Ruxcon Chilli Eating Champion. While the candidate may not have had the same or better grades than the others, Gatford interviewed him and found he had a good base of technical skills as well as passion and charisma.
"He was given the job out of the 700 CVs before him as his passion and interest in this very unusual subculture and IT discipline shone through. He went on to be an excellent consultant and is still enjoying a great career as an IT security pro," Gatford said.