Father
You will not gain any new practical knowledge about the profession of a pentester from this text. Its goal is different: to debunk the unfair stereotypes held by ordinary people, young professionals and businesses, to immerse you in the social realities of the profession, and to make you empathize and smile a little.
Chapter 1. THE PHILISTINE
Ordinary people fall into two types. The first are people who do not even try to formulate the concept of a hacker for themselves, and therefore never use it. They say: "I don't understand it, I don't get into it." It does not occur to them that there are specialists motivated by keeping systems secure rather than by breaking into them. As a rule, these people know for sure that you must cover the keypad with your palm when entering a PIN code, and tape over the laptop camera just in case. At the same time, they use the same password on all their accounts. There is no concept of basic information hygiene, but there is a firm belief in anonymity and privacy on the web. We end up with Frankensteins stitched together from superstition and ignorance.
The second type are those who have learned from the news and pop culture. For them, a hacker is a character who, sitting at home, hacks the Pentagon for fun and at the same time works for the state. On TV they report how hackers have once again robbed a crypto exchange of millions of dollars, and therefore this specialty must be criminal. All hackers should be locked up, because they steal other people's data.
On the one hand, in their understanding, hackers are autistic geniuses with antisocial personality disorder but unlimited talent in the exact sciences. They are feral, unkempt, and lonely. On the other hand, they look like special agents or spies. Cinema gives you the association with a tough guy, a jack-of-all-trades who can hack a super-system in a second, save the world and ride off into the sunset.
The stereotype of the brilliant sociopath simply appeals to the viewer. It applies to all representatives of the exact sciences: physicists, mathematicians, programmers, and others. In fact, all people are social animals. You will never meet such an exaggerated outsider in your life, especially a successful one, because to develop you need to be in contact with the community and with colleagues. White-hat hackers are ordinary people who work, study, are interested in their work, develop, and enjoy their results: complex, professional hacks.
"Hacker" is a stigmatized concept. The media only talk about high-profile scandals, but it will always remain a mystery to society how many clever hacks are performed every day by specialists for the benefit of companies, in order to protect them, and then kept under NDA. Hence the skew of public attention toward intruders. And that's okay.
As today's information wars reach a new level, business needs specialists more and more urgently, and fashionable training courses appear. Through their advertising, a wider audience learns that, it turns out, not all hackers are bad and many work with companies.
Chapter 2. ASPIRING PROFESSIONALS AND THE DIGITAL GENERATION
Hacking banks is an integral part of life
"Have you hacked a bank?" - everyone always asks. Apparently, just as every journalist dreams of writing a novel, every hacker dreams of making money this way.
In fact, as the dean of MEPhI always said, there is no point in hacking a computer if it can be carried out through the window. This idea confuses people, because you are not a real hacker if you are looking for easy ways. For example, even at work, I will not break in through the webcam if it is easier to get inside the perimeter, plug into a port and try to do something on the spot. But it feels like you were supposed to run a hundred meters and only ran the last 20.
Shocking as it sounds, hacking is not necessarily about a computer, coding, or remote intrusion. The new school focuses more on the goals than on the hacking methods. For example, an asset is assigned that the business considers the most damaging to compromise, and the pentesters try to find a way to reach it. There can be a variety of ways to do this. They will be sophisticated in companies with mature security processes: a large multi-component SOC working in three shifts, self-developed detection rules, their own security policies, and physical security. If the company has five security perimeters and you managed to get inside, for example using a drone, then you have successfully completed the project.
A profession behind seven seals.
The most common belief you run into in casual conversation with friends is that no such profession exists, or that its specialists have spent decades honing their skills to work in offensive security. And that it is impossible to get in off the street, because these are special people tied to the state, and if they want to leave, they will definitely be put in jail.
Ethical hacking is legal (if done correctly), developed and widespread, both with and without government involvement.
In general, information security is easy. Teach me!
— Teach me, or hack the Minecraft server for me, so that my brother stops playing this nonsense all day long; we already have rows in the family.
— Can you hack my ex's VK and I'll buy you a beer?
— Fix the kettle, you're a programmer!
Joking aside, every pentester will remember plenty of similar requests. Also, quite often, friends or fellow students show interest in the topic and ask to be taught a few tricks. They think it is like asking to be taught how to bake an apple pie, but in fact they are asking to be taught how to build an internal combustion engine.
But if you honestly start learning pentesting, and you are very motivated, it really is easy at first: the early days are all wins and endorphins. They push you to develop. This is how it works for the first 2-3 years, then the world of real information security begins. You are given real projects with EDR, SOC, and binary work. There are no more quick wins, and your engineering background is not enough. Even worse, when you do bring a vulnerability, you need to prove it. There is always a period of internal breakdown, and people suffer a lot.
Skills in information security rotate incredibly fast. For example, 10% of the tools we use now appeared six months ago and will disappear over the next six months, replaced by others. The tools attackers use evolve very quickly, so in order to remain effective you need to be as adaptive to new opportunities and trends as the attacker. Clients want you to confirm that their products "cannot be broken", and if you check at least the current hacking methods (you won't have time to check everything), you can reduce the likelihood of the product being damaged.
There is also a stereotype that you must definitely get a university degree. This is good, but not as important as it is for a professional mathematician or programmer. The courses, however, are not as effective as their advertising claims. A course promises earnings from 200k and a middle level on completion, but this is not the case. Even year-long courses are still a minimal base. You will need to study further, gain experience, complete internships and cut your starting salary expectations fourfold.
It is also often said that you need to grind CTFs to practice. This is a great experience, but a CTF plays the role of a university: it gives a lot of acquaintances and connections, and experience working as a team. If you want to learn pentesting, you need to do pentesting: go and break web interfaces. Bug Bounty is also a different process.
Chapter 3. BUSINESS
You'll get hacked anyway, so who cares by whom?!
Hackers are also seen as villains because the line between good and evil is blurred and conditional. The paradox of knowledge: you cannot remove from your head the information about a business that you received while working for it.
The fact is that a good hacker has already chosen a profession and set priorities. The most valuable thing he has, or that a company providing penetration testing services has, is reputation. The potential damage to reputation outweighs the benefits of double-dealing. In addition, all actions are legally covered by a variety of non-disclosure agreements.
But this does not mean that specialists need no oversight at all. They should be encouraged not to stop where they are. It is very difficult to direct your competencies at everything at once; you can move a millimeter away from your tasks and drown in a quagmire. The process stops being as simple as: googled a vulnerability, broke in, done. The deeper you delve into it, the more granular the competence grid becomes. Each separate cell is a separate skill. To develop it, you need a very deep understanding of the processes. You need to increase both depth and breadth at the same time. You're becoming needle-thin.
We need to motivate people to develop and go deeper; there is a whole world in a bottle. Otherwise they simply will not be able to deliver a competent audit.
Who needs us?
Companies often focus on the term "risk", which implies probability. From this they conclude: nobody will hack us, we are small and no one will look at us. Indeed, it is possible that the Tula pig farm has never been hacked because no one knows about it, but this is the exception rather than the rule. And most often, those who think so become victims of hackers and simply do not know about it.
For example, a small foundry used an ancient version of ColdFusion, and when it was penetration tested it turned out that Chinese actors had been mining crypto on the server for at least 3-4 years. They gained a foothold and spread across the entire enterprise network, bringing with them a huge set of tools: a separate client for host machines, a separate one for server machines, and even a corresponding build for ARM devices. That is, they gained a foothold everywhere, turning the plant into their own cash cow. This resulted in a 1000-fold acceleration of the natural wear and tear of all the equipment.
This is not an investment, but an expense
Business owners think in terms of money and profit. In that light, information security is a waste. The attitude to information security is initially rather negative, simply because it forces them to spend money that will never produce a return on investment.
All you need to understand is the dilemma a business constantly faces: invest in reducing the risk of losing money, or invest in increasing profits while accepting possible danger.
It is impossible to assess absolutely all possible risks, even theoretically. Attackers are constantly looking for new ways to attack, and what was considered safe yesterday may turn out to be a threat tomorrow.
You don't need to overload managers with technical information. You should focus only on those risks that would cause the company maximum losses, and estimate how many resources are required to neutralize each of these threats. This lets you calculate the investment leverage: the ratio of risks to costs. Business leaders can and should formulate tasks for information security specialists. To work effectively, a CISO must be immersed in the business's challenges and have sufficient authority to make quick decisions. The interests of the business and the tasks of the information security department should be synchronized.
These were the main stereotypes that the Awillix team remembered. I hope it was interesting, useful and informative.