Information Security.

Or to be more precise: Penetration Testing.

Having spent the best part of ten years working in systems administration, systems engineering, DevOps and eventually becoming a specialist at automation, I've decided I need a change.

Why?

As of late I've been asking my self, "Why?" when it comes to making a decision, doing some activity or investing my time into something. It's a great question and if asked (of oneself or of another person) at the right time and in the correct context it's an excellent tool for making sure you're doing something worthwhile and not just... because?

So why the move into pen' testing? Here's a list of reasons. I won't expand on these reasons in the slightest bit - that's left for you, dear reader - but what I will say is I've thought about this a lot. I'm not making this decision lightly.

  1. DevOps is dying. AI is on the horizon.
  2. DevOps is boring. Cloud providers are consuming everything. providing more.
  3. The technologies are smushing into 4-5 tools you use for everything.
  4. Automation is self defeating (and that's a good thing). You automate yourself.
  5. I'm losing my understanding of deep, technical concepts. Everything is abstracted.
  6. I fancy something more stressful. Something harder.
  7. I want to be challenged daily/constantly. I want the ground to change under me.
  8. Technologies in this space move slowly.

Feel free to reach out on Twitter if you have any questions, comments or feedback on the above. Maybe I'm missing something? Maybe I'm the boring one?

Penetration Testing

So what does pen testing offer that DevOps and automation in general doesn't? How does pen testing address the above concerns? Time for another list. I'll copy the list from above and literally answer each point directly.

  1. Security is always going to be a concern and AI can only go so far in this space.
  2. I would be hard pressed to find pen testing boring giving how fast it moves.
  3. From my studies so far, I can see me needing a lot of tools for this space.
  4. There's certainly automation in the pen testing space, but it has different goals.
  5. My technical understanding has to be deep and remain deep.
  6. Pen testing is definitely stressful. And it's certainly a lot harder.
  7. The challenge is very real in pen testing.
  8. Security moves fast. Exploits come quick. You have to be on the ball.

These aren't reasons I feel need expanding any further.

The Journey

One of the biggest questions I've been asking my self (and others) is: where the fuck do I start? InfoSec is a massive topic. Pen testing is a sub-set within InfoSec, but is still a massive industry in its own right. Where do you even begin?

I'll distill what I've found so far into a list (I just love lists!) and then expand on each item.

  1. Networking.
  2. Security fundamentals.
  3. Programming.
  4. Adam Heath (The Cyber Mentor)'s course on Ethical Hacking
  5. The eJPT from eLearning Security, via INE
  6. The Offensive Security OSCP, via PEN-200
  7. The Offensive Security OSWE, via WEB-300
  8. ... ?

Networking

I almost feel like this one is obvious. Networking is how everything is connected. It's how we're going to even access the systems we're trying to test. It stands as pretty obvious, in my book, that understanding how those communications are implemented is important. But here in lies the problem: networking is also a massive topic, so where does one start here?

Simple: Professor Messer and his Network+ course on YouTube.

I'm pretty confident I know enough about networking that I can simply visit the playlist and review specific topics as and when I need to, versus watching the entire thing from start to finish. I wouldn't recommend this approach to someone who's unsure what tcp/22 means or doesn't know the difference between switching and routing.

Just to be clear: I won't be taking the exam. I don't feel that's required at this point in my career.

Security Fundamentals

Given I'm looking to move into the field of security, this one seems obvious and a bit of a paradox: I should understand security fundamentals before I... understand security fundamentals? InfoSec is a big field but there are some foundational topics that cover the entire of the field. It's these foundations I'm referring to.

For example pen testing is about understanding how buffer overflows work, how to exploit a SQL injection, or how to socially engineer someone into giving you access to a system. But before anyone can study such topics they should understand the difference between an IDS and an IPS; the difference between a firewall and SIEM; and be able to explain what a SOC is.

So where to begin? Well guess who has us covered, yet again?

Professor Messer and his Security+ course on YouTube.

There is actually a lot of acronyms and technologies here that I'm not confident I know all that well. That means my first port of call is going through this playlist and watching videos on topics that catch my eye. Simple.

Just to be clear: I also won't be taking this exam.

Programming

Putting InfoSec aside, being able to program is an important skill in almost every aspect of Information Technology. Even if you're a desktop support technician, knowing a bit of PowerShell (or Bash depending on the desktop you manage) if a highly valuable skill.

Being able to automate parts of your job is a great way of reducing your work load (or increasing it if you tell people you've done it!)

For this part of the journey I feel I'm covered. Currently I'm confident writing entire web applications in Python and Go. I have, in fact, written entire web applications in Python and Go in the past.

If I were brand new, however, how would I go about learning how to program a computer? I'd start by just making some thing clear: there's a difference between programming and software engineering. The former is someone who can smash together some (high quality, tested, etc) code to get a job done and the latter is an individual who spends everyday programming software for a living.

In the pen testing space I'm confident you only need to be a programmer, not a software engineer (who's also a programmer: just a highly skilled, professional one.)

Here's how I'd started out:

  1. Python - freeCodeCamp.org's Python course
  2. Golang - freeCodeCamp.org's Golang course
  3. C - freeCodeCamp.org's C course

Python is excellent at getting the fundamentals in place. Golang introduces more complex concept such as compilation, strict types, static linking, and more. And C is a must in the pen testing space due to how prolific it is when it comes to writing exploits.

Adam Heath (The Cyber Mentor)

I've enjoyed Adam's content on YouTube for sometime now. I've been a subscriber for a while and he's one of the primary reasons I decided to jump into the pen testing industry.

Adam, or The Cyber Mentor as his online alias goes, has some professional (read: commercial/paid) courses that are available to anyone, and I believe they'll act as a great jumping off point for getting into pen testing.

There are plenty of other options out there, for sure, like StationX, but I like Adam's structure, his opinions on what it is you should know, and more.

The eJPT

Recently I came to the realisation that I have gaps in my knowledge. When I started out in systems administrator and worked my way up to where I am today, I never really took an academic route. I never studied for many certificates (I did some, like the RHCSA, CCENT, AWS Architecture Associate) and those I did gain have long since expired.

Certification was never something I felt I needed to do and it turns out I was right. I earn an extremely privileged wage today in an awesome industry, working with awesome people, and I never even finished school.

But with pen testing I feel like I want to make sure I avoid that this time around. I could make a dash straight for the OSCP, get passed all the HR filters, land my first pen tester role, and never look at doing a cert again (or maybe the pen testing industry demands constant certification of its cohort?) I want to avoid that option this time.

Actually I want to avoid that attitude entirely.

That's why I'm going to work my towards to the eLearn Security Junior Penetration Tester certification. It's like the CompTia Security+ of the pen testing world (somewhat ironically CompTia have the PenTest+, but it's not general availabuility yet.)

The company backing eLearn Security, INE, have a free course that preps students for the exam, which looks like it covers some great topics.

This will be the first certification I will obtain during this journey.

The OSCP

Do I even need to explain this part of the journey?

No.

But do give this a read by John Jackson: The OSCP Preperation Guide for 2020/2021.

I'll be purchasing and using the OffSec PWK or the PWK365. Depending on how I feel six to nine months from today, I may even look at the OffSec Academy.

The OSWE

All of my experience so far has been in the HTTP(S) space. I started in managed, hosted services and today I specialise in automating the delivery of web applications and services. I play around with web native technologies all day, everyday. It's what I know best.

That's why at this point in time I'm going to aim towards the path of web exploitation. So why not going for the OSWE?

Not much more to say about this.

... ?

And so who knows at that point? Maybe I won't even reach the OSWE. Maybe I'll find I prefer networking penetration instead, or even exploit development. Time will tell.

Next Steps

I will be writing up my notes and thoughts after each piece of studying or material I expose myself to. Ideally daily, but I cannot guarantee that.

Michael Crilly

Michael Crilly

A simple nerd.
Brisbane, Australia