The Hacker Mind Podcast: So You Want To Be A Pentester
To help more people to become penetration testers, Kim Crawley and Phillip L. Wylie wrote The PenTester BluePrint: Starting A Career As An Ethical Hacker.
In this episode of The Hacker Mind, Kim talks about the practical steps anyone can take to gain the skills and confidence necessary to become a successful pentester -- from gaining certifications, to building a lab, to participating in bug bounties and even CTFs
Vamosi: When I was in High School, I seriously wanted to be an astronomer. I mean, look at the stars at night--so many mysteries to solve. I thought I would live my life on a mountain top staring at the night skies through some massive university-sponsored telescope. The infinite universe-- so much yet to learn and discover. Then I sat down and talked to an astronomer, and found out that much of his time was spent writing proposals, getting shot down, then writing new proposals, then, once the proposal was approved by the department, negotiating time on the massive university telescope -- all of which means maybe you get a few hours of actual sky time each year. Okay, that’s not what I thought an astronomer does. So, my first year in university, I switched my major.
Often when I talk to people about pentesting, it’s the same problem. They focus on the physical aspects-- some might say glamorous side -- of the job. By that I mean the jumping over barbed wire fences, the crawling through ventilation ducts, the putting on of makeup to look like that woman from headquarters most people only see from emails -- you know, the John McClane in DIE HARD aspects of pen testing. And yeah, there’s some of that. I mean who wouldn't want to do that for a living?
In this episode, though, I’m going to focus on the much more common digital pentesters side, you know, the people who are hired to break into the digital organization, the networks, the software -- and this they can do pretty much anywhere, often without much travel. Much less exciting, perhaps, but that’s only because Hollywood choses to focus only on the physical and not really get into the digital side. But that’s okay. There’s plenty of work in the digital realm, important work. But what does the day to day look like for the average pentester? I mean really? In a few minutes I’m going to talk to a pentester who’s written a book that can help take your current skills as a sys admin and security engineer and turn them into skills needed to become a great digital pentester.
Welcome to The Hacker Mind, an original podcast from ForAllsecure about our expectations around people who hack for a living.
Want to Learn More About Zero-Days?
Catch the FASTR series to see a technical proof of concept on our latest zero-day finding. This episode dives into vulnerabilities discovered in web servers.
I’m Robert Vamosi and in this episode I’m going to focus on people who are paid to break into an organization’s networks, and what background and skills you’ll need to be successful, and what steps you can take to get from here to there.
Vamosi: You’ve undoubtedly seen Kim Crawly’s work; her byline appears on a number of blogs from a number of different outlets. She is an impressive force within the infosec world. She is also the co-author of The Pentesting Blueprint, from John Wily and Co., available wherever books are sold. Together with Philip Wylie, Crawly draws on her own experience as a pentester to map out what kind of skills and mindset one should have if one wants to become a successful pentester. Which brings up a very basic question: What exactly is pentesting?
Crawley: Pen testing is when you simulate cyber attacks, so you're not actually conducting cyber attacks because you have the consent of the owner of the network or the computer application that you're penetration testing, but within the rules that your client has given you. You are acting as your cyber attacker. So you're simulating cyber attacks, you're pretending to be the bad guy hackers, but you're one of the good guy hackers, because your job is to find security vulnerabilities, by doing what they might do.
Vamosi: So, in order to secure your network, you have to think like a criminal hacker and then attack it like a criminal hacker. You want to see if they can penetrate your security, and cause it to break in some way.
Crawley: Yeah, you can't discover all the vulnerabilities that your network or your computer or your application has until you engage in the actions that a cyber attacker might take. So that's the purpose of pentesting basically
Vamosi: So if I’m hearing this correctly, then as a pentester you get paid to pretend to be a bad guy and break into network systems and applications all day, just like the real hackers do. And you do this all day. Hacking day in and day out.
Crawley: People hear about it and they think, oh cool this is like a movie we get to do all the bad guys stuff, but they don't realize that a lot of the work is your client will give you a specific scope. And you can’t do anything outside of that scope or outside of your legal contract, then, that was a cyber attack, and there's legal recourse there.
Vamosi: Yeah. Pentesting is actually a serious job, with serious legal consequences if it’s done badly. There’s sometimes a very thin line between pen testing and criminal hacking. So as much as you are paid to think creatively like a hacker, there are guardrails, and there are hard limits in scope. Again, you are simulating cyber attacks -- you’re not actually conducting cyber attacks.
Crawley: So there are rules and you must abide by them. And also, There's a lot of paperwork involved. I'm not sure if Phil and I maybe didn't mention it too much. In the book, but a large part of the pentesting role is writing reports writing lengthy detailed reports. I think I mentioned a little bit in chapter seven like being able to communicate with customers or clients is a really useful transferable skill.
Vamosi: This happens in other industries as well. Often we romanticize the fun parts, but neglect to learn about or even to hear about the boring day to day aspects of those same jobs. Like airline stewards, they get to travel too all the exciting parts of the world, right? But, meanwhile they’re dealing with cranky passengers, the crying baby in back, and then when they get to that exciting city, maybe in a forieng country, they’re catching up on their sleep, then on the next flight out, so … not so glamorous.
Crawley: It's like the misconceptions that lay people have about being a lawyer, we look at shows featuring lawyers like Law and Order or Ally McBeal or whatever, as I oh so if I'm going to be a lawyer I'm spending all my time in the courtroom and yelling Objection, Your Honor, and stuff like that. When you speak to a lawyer in real life, they will tell you, 90% of the job I'm in my office, and I'm handling paperwork and I may be in the courtroom 5% of the time if that.
Vamosi: Why would you hire a pentester? Think of it as an audit, a double check of all the security systems in place today -- will they perform as expected under an attack? Once you’ve decided a pentest is right for your organization, you’ll then need to decide whether you’re hiring a pentester inhouse or third party. In other words, do you want the pentester to have some knowledge of your network, in which case you’d hire an internal team to test very specific aspects of your organization. Or do you want your pentester to have no idea, in which case you’d want to hire a third-party to test your organization the way a criminal hacker might.
Crawley: There are security testing firms that all they do or what they focus on is third party penetration testing is very useful for organizations to hire them and we've explained in the book the difference between black box testing white box testing. And, in the middle, grey box testing.
Vamosi: In security, we refer to testing done on the inside, maybe even having access to the source code, as white box testing--the application and network information is available to the tester. You can also bring someone in from the outside and give them some, but not alot of information, that’s grey box testing. And there’s black box testing, where the third party has no knowledge of the applications or network.
Crawley: You want to hire an outside security testing firm for black box text testing because anyone inside of your organization will understand your network better than an outsider for white box testing, you could have a third party firm. And you just explain to them like the network schematics and which applications you have and some of the configuration stuff. see bring them up to the level if you're doing white box testing or larger companies can have their own internal red teams.
Vamosi: Okay, so a few more terms here: Red Teams and Blue Teams, and Purple Teams. These are inhouse pentesters who are hired by an organization and work from within .. but each with very different goals. In Episode Five I talk about Blue teams. These are the teams that are vigilante and are given a mandate to fight the bad guys. The Red team, then are the bad guys, and they’re sitting there, sometimes side by side, thinking of new ways to attack the network that the Blue teams are trying to defend. And the Purple teams, they’re a economic team that does both red and blue team exercise -- get it? But all these pentesters are inside the company. Meaning they are all conducting white box testing, which means they know something about the network, something about the company. Given that, why would you necessarily want a red team inside your company?
Crawley: A red team can engage in a lot of penetration testing. And they also try to specifically devise campaigns that mimic trends that we see in the mobile cyber threat landscape. So for instance in 2017 during the whole WannaCry, and NotPetya phenomenon. A lot of red teams were simulating that within their own networks because it was a new growing threat, it was the hot new thing to worry about. So you want to have a campaign where you're trying to do that, to see if your network can succumb to that particular threat.
Vamosi: WannaCry and NotPetya were ransomware campaigns in 2017. Unlike other malware, ransom not only infected machines, it encrypted all the data, then asked for a ransom to decrypt them. Sometimes the decryption worked, sometimes it didn’t, creating headaches for system admins worldwide who didn’t have good backups in place.
Crawley: So yeah, pentesting is way more complicated than if I applied to a lay person, as a third party as a third as a third party like an external pen tester you might be doing both white box and black box. People who work for companies, Red Team internally can realistically only be doing whitebox test,
Vamosi: Often, though, when organizations brings someone or a team from the outside in for a limited amount of time to attain a certain goal, which could something be broad, like to gain sys admin privileges to the network, they do so in a way that is very narrowly scoped. They don’t want you poking around willy-nilly, so areas of the network definitely off limits, and certain tests are not allowed. Indeed, much of the process in pentesting is negotiating the terms that an organization is willing to expose to an outside audit.
Crawley: You will have a document problem with your client that defines the specific scope of your penetration test, for example, that this defined scope could be, you're only going to perform network vulnerabilities on a certain segment. And you're not supposed to do network vulnerability tests outside of that network segment.
Vamosi: By now you’re probably thinking, oh, this all this paperwork, maybe it’s only for the digital pen testers. Not so fast. Scoping applies to the physical pen tester as well.
Crawley: If you're a physical pen tester. The contract might say you're allowed to try and mess with the server room doors and you're allowed to try and sneak into the ductwork, but you're not allowed to. You're not allowed to steal physical keys for instance. So, you on day one, you will be certain of what you're doing, because no company sensibly hired a third party 10 pen test, without a lengthy agreement as to what you should be doing what you're allowed to do what you're not allowed to do what parts are you're supposed to test.
Vamosi: And this also changes how I view a pentester’s first day on the job.
Crawley: Maybe pay one isn't actually you're on the site, and you're going through the list of things to do, day one is spending time sitting down with the client, discussing what you can do what you can't do, and making sure that you agree to what you're doing, there has to be assigned legal agreement with the rightful owners of the networks, the buildings, the applications. And it's that signature on that contract your obedience to the scope of that contract that makes the difference between you being a legitimate penetration tester, and you being a malicious cyber attacker.
Vamosi: The whole issue of what’s in the contract vs what’s not in the contract--and more importantly who knows and understands this on the inside -- might seem boring or perhaps someone’s else’s concern. Actually it’s very important to a pentester, and this became an issue in Iowa, near Des Moines, where two experienced pen testers from a company called Coalfire were operating according to their documented pen test agreement -- and they still got arrested. Everything seemed to be going fine until they tripped an alarm in the Dallas County Courthouse -- which they were hired to break into. When the alarms went off, they were under the belief that their Get Out of Jail card would come into play. A Get Out of Jail card is usually a letter with contact information; call the number and the person on the other end would vouch that ‘Yeah, they had permission to break in.” And that should have worked. Except, in this Iowa country, there was politics at play, and the people who signed off on the penetration test of the courthouse didn’t necessarily have all the jurisdiction they needed in order to do that, so while all that settled out the pen testers ended up spending some time in jail for breaking and entering. This type of case is rare, but it does point to the need to get all the documentation and approvals secured up front. So there’s that. Then, on the backend, you have this massive report to turn in, detailing everything you did and found. So, realistically, how much of a pentester’s time is spent preparing the paperwork vs actual hands on hacking? A lot?
Crawley: Probably, like as much as like a lawyer does more paperwork and a lot of it is coming up with a legal agreement with your client and trying to also figure out what their security needs are. But a lot of it is sitting down at your desk. You have all this data, you have the logs coming out from network vulnerability scanners, you might have recordings made of social engineering attempts and that sort of thing. And you have to look through all of that data that you've gathered over the course of the pen test. And now you got to write reports. It really varies because there's so many factors involved that makes each pen test experience unique, but you could be spending more than half of your time writing reports.
Vamosi: For some of you, I’ve now totally killed the vibe on pentesting. The cool factor just got lost in all the paperwork, legalese. The heard truth is not everyone is suited for this type of work. And being able to deal with the negotiations and the paperwork, well, that’s indicative of an important character trait needed to be a pentester: that is, attention to details. I mean if you can’t handle the details, then what do you think working in infosec is all about?
Crawley: Because security vulnerabilities are details, if you're the kind of person who looks at the problem and you see the forest, but not the trees. That's not good because your report should be describing each of those trees in detail. You can get the defensive security people, and the client to take action on your vulnerability findings, if you're not really detailed about them. So actually being a good writer, being able to communicate your ideas well writing is a really overlooked skill in pen testing but you'll find it's absolutely necessary. So it's not just making a detailed report but also be detailed in how to test things.
Vamosi: Cool. So someone like me, a Communications Major, could ultimately find work as a pentester perhaps. Okay, so we’ve talked about what skills you need. What, as an employer, should I look for when I hire a pen tester?
Crawley: I think sometimes particular technical skills are sometimes --particularly technical skills-- are overrated. You want a particular mindset, like Phil and I write the book The Hacker mindset knowledge about a particular application for instance, can be taught. But mindset, can't be taught. So, I, if I was hiring a pen tester I would look for someone who asks a lot of questions. In the pen testing role, asking questions for me is not a set. You should have a curious mind, and it's better to end to ask a question than just make assumptions. So, also somebody who has a lot of questions is a curious person who has a hacker bias that, see what to look for someone who a seems really curious and excellent questions, and maybe be someone who is dedicated to self study, because you're constantly going to be learning stuff sometimes college and university and certification programs can be very useful. no one in this industry I would honestly say everything I needed to learn I learned in school.
Vamosi: Yeah, it’s true. You can get pretty far in infosec without a formal degree in infosec. And that’s actually good, bringing in people educated from all different backgrounds -- psychology, art, material sciences, medicine -- it only helps improve our understanding of infosec. In fact, infosec is probably one of the rare fields where you really need to just pick it up from experience along the way.
Crawley: The vast majority of us if we're being honest, you're going to say, maybe I learned a few important foundational things in school, but the vast majority of what I learned I learned on the job. And I learned from reading books, blogs, and by playing around and doing my own hacking, that sort of thing. So you want to find people who are self starters, and who are good at educating themselves. So I would say don't judge a person based on their knowledge or experience so much judge them on their attitude and their ability to self educate.
Vamosi: And there’s also a lot to be said for transferable skills. Say you’re interested but you don’t have all the technical chops. Say you worked in a factory-- you have detailed knowledge of how it works, what’s done day to day, that can transfer and contribute to your pentesting skills. Apart from the digital, networking side of pen testing, remember there’s also the physical testing side. Your knowledge of how factories work, how corporate campuses are laid out -- all that can help get you inside a building. With physical pentesting there’s also a bit of social engineering, and a bit drama and theatrics as well, but underlying all of this the mindset of can I defeat the security currently in place in some meaningful way?
Crawley: If you're gonna focus largely on physical pen testing you might want to take some block picking courses and stuff like that. I mentioned in the transferable skills like skills inventory chapter. If someone has a background working as an HVAC technician. Your familiarity with the vents will help you as a physical pen tester, you'll know how to climb through those vents like Bruce Willis his character and Die Hard, so that's actually a common way that physical pen tester.so occasionally that movie stuff is somewhat realistic.
Vamosi: For a pentester, remember that technical skills also need to transcend what tools are being used. This is important. The ability to think beyond those tools, it seems like that is a critical part of the hacker mindset for a pentester.
Crawley: I think one of the biggest misconceptions about pen testing is a C network vulnerability scanning applications like metta sploit framework or open vas, so on and so forth, nessus, and they think, okay, that's a pen testing application so you run the network vulnerability scan. And there you go, and then you get the results and that's the pen test. So one has a lot of experience in the field will tell you that some pen tests you might not be ready to network vulnerability scanner at all. Other times when you do need to use it. It's one component of various other things that you're doing. If running nessus or rally metals boy is 90% of your work, you're not doing a property thorough pentest.
Vamosi: Good point. You can’t just run tools all day and call that a pentest. If it’s just a matter of running a few automated tests, we’d all have great security, and data breaches would be a thing of the past. I would think that in addition to attention to details you’d also need a bit of creativity as well.
Crawley: Yes, definitely. Um, a lot of the people I interviewed in the book. I was so impressed because they had actually developed scripts and applications to test for particular vulnerabilities. Some of the people I've talked to in the book, their scripts, and sometimes their entire applications were actually implemented into Kali.
Vamosi: There are at least two complete operating systems available for pentesters. The more famous of these is Kali Linux, from Offensive Security. The other is Parrot OS, which you can download from ParrotLinux. Both preloaded with many security tools. And it’s free. So download the latest image, install, then open it up and you’ll find wireshark and burpsuite and so much more. I’ve used Kali in training classes at Black Hat; it literally is a Swiss Army knife of infosec tools.
Crawley: I do mention Kali in the book, especially in the in the lab segments. There are other pentesting operating systems like Parrot. I didn't mention Parrot but Kali has the majority market share as far as pen testing operating systems are concerned.
Vamosi: Having an arsenal of tools is good. And some would say the more tools the better. How common is it for pentesters to write their own?
Crawley: I mean I don't have any exact figures. So anecdote. But maybe like 10% of like application and operating system and network pen testers, who are confident as software developers Yeah, they do develop their own tools when they find that there are certain types of vulnerabilities that they need to scan for, and the scripts and the applications to start there to do it. Sometimes the scripts that pentesters develop actually become plugins in network vulnerability scanners like necess medicine. So you might not just be creating your own standalone application you might be contributing to an already to an already existing application.There's network vulnerability scanning applications built into Kali. I know that a squid framework is included in Kali. But sometimes you might be scanning for very specific types of vulnerabilities, for instance, you might be testing for susceptibility to denial of service attacks, you might need to stress test things you might need to run specific scripts outside of note that foldability scanner just tests for certain vulnerabilities. Everything is like really thoroughly documented I'm really impressed by their documentation team, it. I think if you go, I mean there are other types of pen testing Kali and Parrot OS and those applications might not be very useful for like physical pen testing.But yeah, spend like a month or more, just with Cali just exploring everything reading the documentation. That is probably like one of the number one tools in any pen testers lab. Some people do prefer parrot. So, maybe try parrot as well download parrot give it a try.
Vamosi: In addition to what skills you need to become a pentester, The Pentester BluePrint discusses what tools you need to build your own lab. So, before we go too far, it’s good to remind everyone that you can’t just try these security tools on, say, your corporate network, or even a friend or family member’s computer. There are laws about computer abuse of systems that are not under your control, that you don’t have permission to use.
Crawley: One of the most important things I think in a pen testers education these days is to install Kali just just take, take some time, take a week.You don't have to install Kali onto your hard drive you can run it off of a USB stick or, or a DVD. In order to try out all the applications. You can obviously do on it on random computers because that's a malicious cyber attack. So get used to installing virtual machines, become familiar with using virtualization clients like Oracle VirtualBox or VMware and run ISOs for like wide variety of different operating systems, and just set that up and use that the target for some of the tests.
Vamosi: A virtual machine is literally that, a computer that runs virtually inside your own computer. It has its own operating system, its own resources, and its own drive. The beauty of it is that everything that happens inside a VM is contained, and once you’re done testing something, you can shut it down and then open a fresh operating system the next time, and the next time.
Crawley: But run Kali, and spend a week or two or more, going through all the various applications in it, and going, there's also a lot of excellent documentation on their website.
Vamosi: Okay, so you’ve got an inquisitive mind, you’ve got some tools like Kali or Parrot, you’ve even built your own lab, what further advice does Kim have to someone looking to start their career in pen testing?
Crawley: Okay, um, read the book. The book is obviously designed for people who have no experience and are curious about the field.
There are certain things that we recommend like Phil and I, we both recommend such as try looking for bug bounties if you, if you really want to get into application pentesting.
Vamosi: Bug Bounties. In Episode 9, I talked with Stok who runs a popular YouTube channel where he talks about the world and the culture of bug bounty hunting. Basically it’s hacking for money; you find a vulnerability, and if the company validates it, you get a bounty. And while there are some people who are earning up to a million dollars doing this, there are other advantages just by participating in the challenge.
Crawley: One of the best ways to build a resume, without before you get an opportunity to get hired is to participate in bug bounty programs. One of the best sources for bug bounty information is the hacker one website just google hacker one, and they have a complete list of bug bounty programs, and you don't have to apply for a job with a bug bounty program. most of those are just open to the general public, and you just have to abide by the guidelines. So, if you're comfortable doing stuff like that. That's an easy way in. And for application pentesters they might want to see some bug bounty work on your resume before they consider hiring you.
Vamosi: In Episode Seven, Tim Becker said that in order for him to get really good at Bug Bounties he needed to specialize. Is specialization necessarily good for a pentester?
Crawley: I think because of the growth of the pen testing market, sometimes specialization can actually be quite useful. You might find as a software reverse engineer, or as a bounty hunter, that you are better at finding vulnerabilities in hardware drivers, or you might find that you're better at looking at them in. In web applications for instance, maybe you come from a web development background. You should then focus on web vulnerabilities and some bug bounty programs are for particular web applications and websites. It might be a bad idea to, to try to be a master of all trades because then sort of a jack of all trades because then you might be a master of none. Application pen testing is a really quickly growing field. So, now that there are a lot more people in that job market. It might stand out. If you can, if you can show that you're good at finding a particular kind of software vulnerability. And then the other thing that both Phil and I really strongly recommend are Capture the Flag competitions CTS for short.
Vamosi: CTFs are something else I’ve talked about on The Hacker Mind. Basically it is a series of computer challenges in topics like reverse engineering or cryptography, either in Jeopardy style, where the topics get harder, or in attack and defend style, where you’re solving challenges while attacking others and defending your own server. They’re fun and a great way to gain experience and learn infosec
Crawley: Pretty much every major cybersecurity event has a CTF with it. Maybe not 100% but the vast majority do. And the great thing about capture flag competitions, is I have never seen one that was free to enter. So, free of charge and free in the sense of anyone who wants to join may join. So, with bug bounty programs you are looking for real refer bugs in real software, but with a capture the flag. It's more of a fictionalized scenario. They a virtualized network might be set up or virtual machine of some sort.And it's a competition, and usually a flag of some form is hidden somewhere in the application in the virtualized network in the virtual machine, and your job is to find it. It might be a line of code, the script, it might be a. txt file, but you have to hunt for it. And that's the kind of thinking that malicious cyber attackers have to engage in. And that's also a transferable skill to penetration testing, because you're looking for ways to break into a system. If you find it really difficult to enter the field. Sometimes pen testers have been hired. After winning Capture the Flag competitions. It's something that frequently happens in our industry. If you don't win. Definitely, enter more competitions and don't give up. Remember what you learn from your experience in previous competitions and apply them to future competitions. And you can also put that on your resume it's very common on a pen testers resume to see a list of CTF competitions that they've been in whether they've won or not. So, it's all progress. Every CTF that you participate in is progress whether you win or not.
Vamosi: So, maybe I've learned some skills. I've done some bug bounties. Maybe even done some CTF and now ranked on CTFtime. Is that enough on its own to get hired? Or is it through the networking process in these engagements, where I have met enough people along the way to have one of them say “Hey, I've got an opportunity you want to come over and pen test?” Is that's how you get your foot in the door
Crawley: Both. I and Phil Wily, we both heard so many people say, I got the job from a CTF. And even if you, if you didn't win the competition. Very often, Bobby obviously these days are CTF, we're all going to be doing it from home.But there's usually a chat application, there might be video meetings with the people in the competition. People are human. Humans are social creatures. Right. People don't make hiring decisions necessarily based on rationality, they've made, they might make hiring decisions based on. I like that guy. So, um, we're not having security events in person so much anymore obviously because pandemic. But yeah, definitely hit as many online cybersecurity events as you can see some of them are free. Some of them might charge a few $100 to get in the CTF so they're always free though.
Vamosi: Is this is a good time to consider becoming a pen tester?
Crawley: Yeah. Um, this is a really growing field. I have spoken to pen testers, who were doing penetration testing in the 90s. And back then it was the Wild West. There were mentioned the web standards. In the early 90s, there weren't specific network vulnerability scanning applications yet. As a pen tester, a lot of your jobs abided by policies and procedures. Most of those policies and procedures and guidelines and recommendations did not exist in the 90s, the vast majority of companies, either didn't know what security testing was, or if they realized it would be a good idea. They invented everything on the spot. So, these days, everything is a lot more formalized we have, I think the most useful organization. In our particular segment of the industry is Offensive Security and offensive security has been so incredibly useful. They've developed certifications like the OSCP and the more advanced certifications. They developed Kali, which started as BackTrack many years ago, they created a lot, a lot of the philosophy, and the guidelines and the recommendations and the penetration testing field. They developed, they invented, and they feel they feel good me they feel that they filled a void that existed in the 90s in the early 2000s. So if you're interested in becoming a pen tester. So, and and for people who have been pentesting since the 90s, there's a lot that they had to unlearn because they were, they were inventing everything, and they were given a lot more in the way the 90s. Now if they try to reinvent the wheel. Right now, they'll find that they run into a lot of like Fatal Error problems for instance or violating the company's policies and procedures. So, yeah, the world of offensive security is a lot more formal than it used to be. We need a lot more younger people because they don't have old habits.
Vamosi: If you’re still on the fence, definitely interested but unsure if pentesting is right for you. Kim has this advice.
Crawley: I would recommend that if you're interested in pentesting in general, especially if you don't know where you're going to specialize yet, go to Offensive Security's website, even if you can't afford to pay for a certification course right now. There's a lot of useful information there about recommendations and the philosophy of the penetration test trade. And also, that's the source for Kali and Kali documentation.
Vamosi: And, if you didn’t already know, there’s a lot of security folks on Twitter, like me. You can follow us and find out about what’s happening infosec.
Crawley: And I would strongly recommend other ways of getting into the industry. My friend, Tanya Janka as a hashtag that she's popularized on Twitter, mentoring Monday. Follow her account, she hacks purple have followed the venturing Monday hashtag. Follow the infosec hashtag. Another person in our industry who was really good at helping people with networking is Marcus Carey. Marcus Carey is a really selfless guy, and he spends a lot of his time trying to get people into our industry, not just penetration testers and other offensive security roles, but also on the defensive side on the regulatory side all areas of cybersecurity. So, I would recommend following Marcus carry on Twitter especially.
Vamosi: I’d really like to thank Kim Crawley for taking the time to be on the show. If pen testing is something you’ve been curious about, check out The Pentester BluePrint by Kim Crawly and Philip Wily, available wherever you find books, both physical and digital. It’s well worth the read as it’s full of valuable and practical steps as well as valuable insights from various pen testers on their particular journeys. Because learning info security is a journey.
For The Hacker Mind, I remain your infosec journeyman, Robert Vamosi.