Welcome to this post in the Interview With A Pentester blog series! We will interview a White Oak Security expert to discuss what a penetration tester is, how this cybersecurity professional got into pentesting, some advice for junior pentesters, and more.
This post will be formatted in an interview-type style and all opinions are those of the interviewee.
How To Become A Penetration Tester
Tell us about yourself! How long have you been penetration testing for, what types of certifications do you have, and what do you like to do outside of work?
I have always been drawn to technology! I’ve been pentesting for 5+ years with the OSCP, eCPPTv2, eJPT, CEH, SEC+, Linux+ certifications under my belt. I enjoy messing with electronics, movies, cinema, comedy, outdoorsy stuff like hiking, hunting, shooting, and most of all hanging out with my family. My world revolves around my daughter and son.
How did you get into pentesting, what sparked your interest in cybersecurity?
I grew up where no one had computers in their home, they were far and few in between (and really expensive). I had a buddy from a well-off family, who moved out to California and had a home computer. I went to visit and was quickly hooked! They were playing games and having fun, it just fascinated me. My uncle was on the technical side and eventually got a set up for me at my home. It was so expensive and slow, but I got so infatuated with it!
When it broke, you had to learn or know how to fix it. Then the AOL days came around, installing things, networks… everything was vulnerable back then. I liked looking around, poking, manipulating, figuring out how to break and fix things. It was just something I just did. As computers became more popular, I was helping other people with theirs and the love for technology just grew. Naturally, I just had that hacker aspect.
I’ve always liked Science Fiction and Cyber Punk stuff – when I saw the “Hacker” movie, I became drawn to it and now it’s a huge comfort. I’ve seen it a million times and even put it on in the background when I need motivation!
How To Get Into Penetration Testing
What was your career path into cyber security penetration testing?
My security testing began in the Navy. I supported the US Navy in various NSA, DOD acquisitions, programs, cyber testing assisted engineering, etc. I was also CIS admin for the financial sector and some sister companies – lots of IT, tech/phone items, managing service providers, and network support. A lot of hands-on experience with a LOT of different technology. I also did some short-notice traveling with this – which was new to me (didn’t travel or leave the country when I was younger) and intimidating to brief commanders on the systems and explain things to non-technical people. It was a really good skill to learn through a pretty cool, yet shocking and crazy, experience.
I truly fell in love with Red Teaming while working for the NSA – planning cyber test attacks for the Navy, bringing in a ton of analytics for the systems in a short amount of time, and learning to use the big picture of what goes into exploiting vulnerabilities. The methodology behind doing all of this was where it all clicked for me.
What is your advice that you’d give a new pentester?
While I was interviewing people, the first thing I would ask is “What do you do with computers outside of work?” In my experience, a lot of people were looking for their first civilian job and thought they knew cyber so they’d go into cyber security… BUT they didn’t have PASSION for cyber security.
I always say for pentesting, you gotta have passion. Is it your hobby? Do you like learning it and keeping up with it? Are you eager to jump into it? Passion is huge at White Oak Security – the whole company is passionate about security testing and helping our clients. It’s not really like a 9-5, Keep Up With The Jones, type job. It’s something you have to (and want to) put your time, effort, and exposure into. Get your hands on lots of diverse systems and don’t be scared to try stuff.
What are some of the most helpful resources or certifications for penetration testers?
Before diving into courses and certificates, I think it’s super important to understand methodology and how to see vulnerabilities/weaknesses. You have to gain the knowledge of the whole picture – understand attack surface, get exposure to various branches of cyber security, learn the exploitation process… I did a bunch of self-learning.
The Cyber Mentor, Heath Adams, has lots of quality content that’s really useful and now has courses with TCM Academy – I always refer people to him.
What was your biggest hurdle of becoming the competent and experienced pentester you are today?
I shied away from the development side of things, being a network guy, the coding side, and web app stuff – it was harder for me to pick up on. There’s quite a bit of self-doubt more than anything in this industry because you get into your head when you don’t feel comfortable… and you want to do well if you’re testing someone’s product. However, that’s the really great part about White Oak Security – when you second guess your own thoughts and methods, someone is always validating you, talking you up, and happy to help you. It’s so cool 🙂
What helps/helped you overcome some of the challenges of the cybersec industry?
I have the ability to very quickly pick up new technology – which is important in an industry that’s always evolving and changing! I also have a good way of delivering and communicating to non-technical folks as to not overwhelm or alarm them. I take pride in my people skills, making sure clients feel comfortable to ask questions and communicate throughout the whole engagement. Anyone can poke and prod, but not everyone can make sure they feel reassured. I try to represent White Oak Security to the fullest – whether you’re my coworker or client, I am genuinely here to help you and treat you like family.
How do you stay current with the ever-changing penetration testing landscape, products, and tactics?
I’m always on my computer or have my computer with me. I like to utilize LinkedIn (which spiders out to other resources) and Twitter. The connections I’ve made and kept through social platforms have become so important. I really try to stay active in the community – whether it’s a junior pentester or not, I try to connect and help where I can, especially Flipper related.
What is your biggest pentesting pet-peeve or most frustrating “hacking” misconception?
My biggest pet-peeve is that people think hacking is easy. Everyone wants to be a hacker and I hear it all the time from junior guys, but the biggest misconception is that you can just jump into it. You have to put time and effort into it, get the experience because there’s a lot of methodology that is put into it – it’s not just hacking. You must be aware of what you’re getting into.
I also have to say that some senior pentesters get really big egos – like to the point where they don’t help. It goes back to being socially awkward and able to communicate as a normal person. Some of these more experienced penetration testers get annoyed with the lack of knowledge that junior testers have or react in a really toxic way when people ask questions. They forget where they came from once – they may be awesome at what they do, but forget that everyone has to start somewhere. I try to never turn people away from help… even if it’s something I’ve taken for granted or that “everyone should know” in the industry.
This community can be really aggressive. Nevertheless, it’s usually welcoming and I have created many friends from all over the world that have helped me or mentor or allow you to ask questions and feel valued – I stay connected to them through LinkedIn and keep in touch that way! You never know what connections and relationships you’ll need.
How do you see the future of pentesting changing in the next 10-20 years from now?
I have been seeing complacency and laziness because places are sticking with internal pentest methodology and not branching out into Red Team or Purple Team events yet.
I think companies shy away from this type of pentesting because they don’t want to hear how bad it is or they have a system, they can blame someone else because it takes the focus off the actual individual, so they get a little lazy and it opens up for complacency with “cyber in a box” or “red team in a box” type situations. I have an experience where one guy from a Blue Team left and no one knew what to do. They had a fancy system and all this great stuff, but no one understood it or knew how to operate it.
It’s a collaborative effort on both ends to secure vulnerabilities. Everyone may say “pentest” but it’s more like cyber survivability. Test if your company can survive! Is it set up to still operate while things are occurring? This is how you know what will happen and how things will progress under attack… it’s more than a pentest.
Working With White Oak Security Penetration Testing Experts
What’s your favorite part of pentesting?
I like breaking stuff! I’ve always liked the feeling, like a heist is happening, and the thrill behind the threat element. Physical security testing really gets your heart pumping! I feel like a spy. If a client says I can’t do something, “oh my security is so strong, there’s no way you can pass it” …well, I try extra hard to do it. I’ll do everything they say we can’t, and then some 🙂 It helps the client improve their environments and I get a good challenge, sense of accomplishment, and sometimes even a little chuckle out of it.
What is your favorite service to provide?
Red Teaming and Purple Teaming with a Social Engineering aspect… the physical security events are so exhilarating.
It’s one of our most important services, in my opinion, as it gets the actual employees involved. Most of what I’ve seen is that you can have the strongest defenses, but the untrained user pokes the most holes in those defenses. Those holes in the system can affect your whole company, making it vulnerable to attackers. User error and the human element will never go away – so it needs to be properly addressed.
How can clients prepare for White Oak Security / penetration testing services to help set them up for success or best utilize the testing?
Clients should know their systems that they are operating. We run into it a lot, where the client knows the system, but we may be working with the wrong party. So, know what type of tech is in use and stay up to date on all the technologies and threat landscapes at play.
What is something that many clients miss or don’t understand about penetration testing?
Set up time. Many clients don’t realize how much time it takes to get ready for the testing events and how much prep time it involves.
What is something that makes you love working with a client?
I like down to earth clients that communicate during/throughout the engagement. I like to chat and make sure I get to know them and they know me. Building this relationship allows them to feel comfortable asking me questions and vice versa. I also appreciate when they are on time and on top of things! I like when they are flexible and understanding as well, but that’s kind of a common courtesy.