This is not another guide on how to get a job in the infosec industry; it is the story of how I failed to break into the infosec industry and some insight into how my thinking changed during my journey. Hopefully there are a few tips in the article that may help a pair of curious eyes belonging to someone who has just set foot in this field.
I believe 2019 is an excellent time to be alive for hackers who want to do good. With so many lucrative bug bounty programs, tempting vulnerable sites that offer legit rewards to white hat hackers, and the rising demand for cybersecurity professionals that serves as both brain food and bank balance booster, I hardly see any reason why anybody should pursue the life of a black hat hacker.
However, this could be the topic for another day!
A Bit Of History
There was once a time when I believed writing could make a big difference in the world, and that was my sole purpose for becoming a journalist in 2006. As I grew older and wiser, I realized this was not the case. Writing could only have made the world a better place had the world been ideal, but the present we have is anything but utopia. Hacking gave me a new world to explore. It gave me a feeling of empowerment that writing alone could not provide in all these years. It made me feel more confident that I could make a difference at least in the cyber world, a feeling that had been subtly eroding over the years. It also suited my introverted nature, so now I had my raison d'être. But I needed a good plan of action to make it real.
I got myself admitted to a local academy, where I achieved my Certified Ethical Hacker (CEH) certificate. Although I am not much of a 'certificate person', I realized this certificate was one that could actually help in my career path and also allow me to dodge a lot of frowning looks from close people nearby. If you can, I would really recommend getting a certificate. CEH is one of the oldest and most popular ones to start with, but you could also get Certified Information Systems Security Professional (CISSP), Certified Penetration Testing Consultant, CompTIA Security+, GIAC Penetration Tester, Certified Cloud Security Professional (CCSP), etc. Offensive Security Certified Professional (OSCP) is relatively new, just a decade old, but it has gained rapid popularity. In fact, the more you get, the merrier. But it is important to learn outside your academy as well and gather experience individually on your journey.
At the Arena Web Security Academy, I learnt a lot, but the most valuable lesson I learnt was that I actually knew very little. I realized that I needed to dive deeper into this world in order to understand how things worked. I began to learn a new programming language during the day and practice my hacking skills at night.
In less than 2 years, I had my first call from a leading cybersecurity firm. I was shocked! And I was happy, obviously. But I was also really nervous. "Am I good enough?" I began to question myself. This was one of the biggest cybersecurity companies in the world and I had to give it my best. The beginning of the interview went smoothly enough, but they wanted to know more about my technical work, and this is where the problem began. As part of the CEH course in our academy, we had broken into numerous sites, we had performed SQL Injections, XSS, CSRF, hacked into databases, played around with numerous tools, developed a few tools as well, and we had learnt most of the major things we needed to. But there was nothing concrete to show other than a certificate. My GitHub was empty and my HackerOne profile lay idle. In fact, there was nothing with which I could prove myself because there really was nothing! After almost 2 years in this field, I realized I was a 'noob.'
Maybe it was anxiety or my lack of experience, but after the interview did not go well, I began to re-evaluate my life. It wasn't like I was feeling sad about not getting the job. These things come and go. I was feeling upset at my former overconfidence. I thought I had known everything and was ahead in the game, but that was not the case. I guess this was a turning point, since from then on I began to become more focused on what I wanted. Instead of being the cat that chased every bird that came my way, I had become a tiger that hunted real targets! I have a few favourite hackers who shed light on the matter. One of them said, "Do not run after everything. Focus on one thing and stay consistent there." I think what he meant by that was to focus on one vulnerability, but it is true for almost everything else. Have knowledge of many things but be a pro at a few certain things. If you are a bug bounty hunter, for example, focus on one vulnerability and seek it everywhere. Jason Haddix has some great videos on bug hunting methodology and, of course, the OWASP Top 10 list of vulnerabilities is worth mentioning too. Read abundantly. Web Hacking 101, The Basics of Hacking and Penetration Testing, and the OWASP Testing Guide are a few great mentions. But make sure you practice your skills too!
From then on, I participated in lots of CTFs, kept one eye on all the security blogs for the latest updates and another eye on all the bug bounty programs. I realized that we need to constantly challenge ourselves to become better than we are at this passing instant. Ethical hacking is a very 'truthful' world. It is not just that hackers are exposing truths to the world; this itself is a world of truth. Certificates don't matter here. Recommendations are of no use (our mom or dad could be a great cybersecurity specialist, but that doesn't guarantee that we flourish in this career). Coding ability alone will not help; we need to be the visionaries and we need to be constantly one step ahead in the game. And, last but not least, the moment we stop learning, we stop growing. We become stagnant. The world of ethical hacking is a platform for raw talent, so it doesn't matter who you are. I have faith in the idea that if you have got it in you and if you are dedicated, you will surely fly above the rest.
Nusrat Jahan Pritom likes to break into places, whether it's hacking or parkour! After 13 years in journalism, she has found love in ethical hacking and cybersecurity. If you enjoyed her article, give her a follow on Twitter!