Ever thought about becoming a professional ethical hacker? As part of a regular series on security jobs, SC asked some prominent Australian penetration testers about how to get into their industry and what it takes to succeed.
“It’s sexy. Or at least, as sexy as you get in the IT industry,” says Nick Ellsmore, head of business development for Stratsec. Few other jobs pay you to flex your offensive muscle. And by finding the holes before the criminals do, you’re still one of the good guys.
“It’s a job that attracts a certain type of individual – someone who is naturally inquisitive, someone who is patient, someone who needs to understand everything they’re playing with,” says Drazen Drazic, managing director of Securus Global.
And there’s an undeniable “rebel” allure to the job. HackLabs director Chris Gatford saw it as “an opportunity to develop and utilise interesting technical, business and analytical skills. You have the opportunity to travel to interesting locations and be involved in testing items which people may never get to see”.
The career has a bright future too. As long as there are criminals – and there will always be criminals – there will be demand for security professionals to test technology defences. “If the data breaches of the last few months have taught us anything, it is that testing systems for security weaknesses is going to be a key skill well into the future,” Ellsmore says.
Pen testers are often able to work remotely, and travel to some of the world’s best security conferences. Neal Wise, managing director of Assurance says his staff travel regularly within Australia and abroad, and attend Black Hat, Defcon and Kiwicon every year.
“Working in security testing can be a lot of fun,” he says. “To call our industry 'colourful' is an understatement. You get to work on solutions you'd never be able to legally encounter otherwise, and getting to the point where you can affect the operation of these solutions during the course of your work is pretty rewarding.”
Wise also notes that pen testing is a portable skill. He was sponsored to move to Australia in the late '90s and recommends others do so if they are given the opportunity
Breaking things for a living sounds fun, but it demands a thick skin. For all your hard work, it is ultimately up to businesses to accept or reject the security report you’ll hand to them at the end of the job.
“You can find awesome vulnerabilities, demonstrate how an exploit can be disastrous to an organisation, only for it to be ignored or brushed aside as an accepted risk of doing business,” Drazic says. “While things have gotten a little better over the last 10 years, there’s still a long way to go.”
And writing the reports can be a drag. “No one likes writing reports for the work we do,” Wise says. It can push the job into long and odd hours, Gatford notes. “You can spend long, long times in front of Microsoft Word writing reports in front of customers.”
Wise also notes that after a while, the job has a tendency to turn testers into spooks. It is a concept that is not hard to imagine – you are at the coalface of security with first-hand insight into the state of security.
“You quickly get a sense of how fragile a lot of technology is and you spend your life viewing everything with that critical approach,” he says.
And it’s a hard job. Formal study is not necessary, but an immense appetite for learning is. “If you don’t eat, breathe and live the technologies, you’re going to progressively slip behind,” Ellsmore says.
He goes further: “It is highly unlikely you are going to be pen testing for 20 years, so see it as valuable experience and a valuable development path, but one that doesn’t answer the question of where you are ultimately going.”
“At some point, you may find that deep down inside, you are a builder, not a breaker.”
Pen testing isn’t something you’ll often find in a salary survey (software testing is broader and security manager is about governance). Ellsmore warns that recruiters will inflate figures to get you to sign up.
Expect to land between $45,000 to $75,000 as a starter. “When you start, it’s about the company and your ability to learn and develop, rather than the cash,” he says. Work hard and you can quickly earn between $90,000 to $120,000 within a few years and later, depending on bonuses, you could score $200,000 as a niche tester for a good company.
Gatford says US pay packets are between $10,000 to $20,000 less compared to what’s on offer in Australia.
Drazic says many testers will prioritise good working conditions over pay packets.
“Everyone wants recognition in terms of remuneration, but it’s not always the primary driver. Most pen testers would rather work for a good and committed specialist company with a passion for the industry”. Large organisations like Australia’s banks have great internal teams, but you will need to seek them out, he says.
Research your employer when you start out. Wise says a good work place can be identified by its perks, pay, staff and clients. “Gossip is pretty common in our industry. Ask around you'll find someone who has an opinion about a prospective employer.”
Pen testing organisations won’t get excited by your university degrees and certificates. In fact, some ignore them.
“For us, we don’t ever look for penetration testing certificates on a CV,” Drazic says. “Nor as a differentiator – we assess the person and their skills. We haven’t seen one university degree or ‘hacking’ certification that can even bring someone to entry-level if that person hasn’t had the passion in the past, started their own research and learning many years prior and doesn’t continue to do so or participate in the industry.”
The security industry is full of people who have spent their time researching niche areas in technology, and skipped the typical IT career path and its university degrees. These were former network engineers and systems administrators who have maintained an interest in security.
Wise, a former systems administrator, says these people can be the best candidates. “Frankly some of the best resources I've known are these self-motivated people who get stuck into some area of research and make it their own.”
“This isn't to say that people from academic backgrounds aren't out there in our industry but, from my experience, people with more practical technology backgrounds are who we encounter, who we hire and who we are.”
The benefit of advanced degrees is a bit of an unknown, but Wise says it can’t hurt.
What is necessary is a passion for the industry. “Learn the tools, the techniques, and practice. Read constantly. Surround yourself with other people who are interested in the topic and learn from each other,” Ellsmore says. “If you find it easier to learn with a ‘finish line’, do some certifications specifically about pen testing, but don’t expect that to teach you all you need to know.”
Communication skills are also important. Gatford notes that pen testers who can master both the human and technical elements of the job will stand out.
The job isn’t defined by regular work hours. Good pen testers spend time at home working on their research fields. “They know they have to stay on top of the latest news, research, techniques and stay abreast of new technologies that will bring new security issues to the IT world,” Drazic says.
But keep your research on the right side of the law. “Knowing right from wrong and how to conduct ethical research is fundamental,” he says. “Jail is a great deterrent for employers.”
Pen testing is not a jack-of-all-trades job, or one learned in a classroom. “You need the talent, and an innate ability to take things apart and find their weaknesses,” Ellsmore says.
Knowing a chapter in a textbook does not equal success. “It’s knowing the whole book, so to speak, better than others,” Drazic says. “A great pen tester is someone who knows the technology they are testing better than anyone else.”
“Talent is good” Gatford says, “but the right attitude and communication skills will win every time.”
All four directors want someone who is a tinkerer, a little obsessive, and hard working. You need to have skills in a niche research area, but also a firm handle on the basics.
Everyone wants to get ahead in their career. To succeed as a pen tester, you need to get involved in the community. Dive into your niche technical area and share your findings with others.
“Get involved in all sides of the community, both ‘business’ and technical security groups, and participate in a sincere, respectful manner,” Wise says. “Share your research. That's part of that 'paying back' concept”.
He says pen testers should expose themselves to technology and initiatives like international standards and certifications. “This will help you understand the context and intent for risk management. This stuff may be boring but it's important to justify why information should be protected in various ways.”
Gatford agrees. “Show initiative and invest in yourself and your chosen area of study.”
And it’s okay to spend your time in a faded black tee in the office.
While Drazic notes that being media savvy is both scarce and unnecessary in the industry, a kind personality helps. “There are a number of people in the industry who are technically great, but have the personality of an InSinkErator,” Ellsmore says.
All the better if you can be a "renaissance man or woman”, Wise says, and place your work in context of a diverse exposure to technology and life. “It'll make you a more effective professional and more interesting to work with.”