Steve McMunn, Penetration Tester
If you’ve been following along so far, I introduced myself in this blog post about converting from a role in the military into cyber security. I joined PGI as a junior Penetration Tester and my job is essentially ethical hacking; it involves finding and exploiting security vulnerabilities in IT infrastructure and web applications to gain access and then possibly extract some small piece of data of value, in order to prove that the system I’m testing is not fully secure.
I thought I would share my experiences of starting a new role in cyber security, so those looking to make the leap have a better idea of what to expect.
Day to day as a junior Penetration Tester
Starting any new job is a little bit daunting, but in this case, it was a new job in an entirely new career and at a time where I could only meet my new colleagues virtually (thanks, Coronavirus). Needless to say, it was a strange feeling. Luckily everyone was welcoming.
My first week involved being introduced to heads of all the teams, learning about what PGI is doing and trying to achieve, the current projects and my training path. Once the onboarding process was over, I was on shadowing duty–shadowing one of the senior Pen Testers and asking millions of questions to learn as much as possible. Initially, I did worry about asking too many questions, but this concern was met with: “Don’t think that asking too many questions is bad because it’s not”. I knew this was a good opportunity to learn as much as possible from someone who had plenty of experience as a Penetration Tester, and while reading and doing exams is one thing, being out in the field is another.
I learnt that writing lots of notes is key. Anything I didn’t understand, I used my evenings to look back on what I did and try to learn in detail, so I fully understood. Being able to ask someone for feedback was really useful too. And it meant that I generally didn’t make the same mistake twice (which is always useful when you’re trying to impress a new teammate).
Out in the field
The day of my first solo penetration test arrived. I was feeling confident because of my experience with the eLearnSecurity junior penetration tester exam and previous practice on labs. I was genuinely really looking forward to it.
I was tasked with conducting an external penetration test—try to find vulnerabilities and then try to exploit them. Understanding the scope of the job to ensure I wasn’t testing anything I shouldn’t, and taking notes and screenshots were crucial. After completing the test, I reviewed my findings and made sure I had all the information I needed to start writing my report.
An important point I want to make here is that Capture the Flag (CTF) exercises (of which I had done many) and penetration testing aren’t quite the same for two key reasons:
For those of you who have done CTFs, you will know that you’re definitely going to find vulnerabilities and exploits and then eventually after privilege escalation, gain user root to have full control of the box. However, in a real-world penetration test, you’re not always going to achieve this. In fact, there may be tests in which you find nothing and your report will consist mostly of informative findings.
Secondly, in CTFs you can pretty much use any script/tool and not really have to worry about what the tool will do because if you break the lab, you can just reset and start over, but when you’re testing a client’s web application for example, you don’t have that luxury. You can’t just use any script unless you know exactly what that script/tool does, as it may do something out of your scope or even worse: opening ports on the company’s devices.
I’ll pass on a great piece of advice I was given: If you don’t know what the script/tool does, don’t use it, or ask someone more experienced.
The last step: Writing the report
Lastly, it was report writing time. While it’s not as much fun as the actual penetration test, it is the most important part of the job. The report writing requires me to fully understand what I have identified, explaining in detail what the issue is, the impact if this was exploited by an attacker and how to either fix or remediate the issue.
Once I’d finished my draft, I sent it off for review. The senior Penetration Tester who reviewed it came back with a lot of corrections but it was expected and I found the feedback really helpful.
One thing I had to grasp is the style of writing, which will generally differ from company to company. I spent most of my time on technical development, but not a lot of time on writing and communication. But, practice makes perfect! I’d also recommend taking some time to understand whichever platform is used for reports.
Is ethical hacking/penetration testing for me?
Absolutely. I really enjoy penetration testing/ethical hacking. In particular, I like that no matter how experienced or knowledgeable you are, you’re always going to learn something new. A career in penetration testing offers a good variety of work and a chance to be geeky.
I know there is a big need for penetration testers, especially in this current climate and I know so many people want to get into cyber but don’t know what it is like or even know how to get into the industry. Going from no experience into cyber, to becoming a penetration tester is achievable by anyone if you’re willing to grasp the challenge with both hands. The best part about it is when you’re successful on a project, it’s really rewarding.
PGI is helping to narrow the cyber security skills gap
We offer virtual and face-to-face cyber security training, including the sought-after Qualified Security Team Member (QSTM) course. Contact us to book your place.
Alternatively, if your organisation would like to narrow your cyber security skills and diversity gaps, consider our career conversion programmes, a cost-effective way to get the right people.
Contact us to talk about how we can help: +44 (0) 845 600 4003 or email@example.com