27 March 2023

Introduction

Two years ago I decided I wanted to be a penetration tester. Judging by the hundreds of posts I see on subreddits and Discord servers, this is still a very popular goal for cybersecurity newbies. Searching for "How to become an ethical hacker?" yields 925+ YouTube results alone.

Initially, I was overwhelmed and frustrated by the amount of resources, education packages, certifications, and career guides on offer to aspiring pentesters. It seemed extremely unrealistic to me that I, a professional cook with no formal technical education would be able to compete with the thousands of others seeking the same positions.

Two years later,  I have the privilege of being mentored by some of the smartest people I've ever met while working as an Offensive Security Engineer here at FortyNorth. It was not an easy journey, but now I get to spend every day hacking and learning: a dream come true.

I still see loads of content geared towards people who want to become offensive security professionals and countless posts by overwhelmed newbies. I identify the keys to my own success primarily to luck, (social) networking, and refining the so-called "soft" communication skills, but I will discuss the technical resources and certifications that also helped me.

A lot of the content I see on this subject is authored by industry veterans or people trying to sell something, and often this content did not accurately reflect my own journey as a n00b. I hope that sharing my experiences here may be helpful to people who are looking to get into the field.

Some Advice

Learning cybersecurity and hacking is hard. One of the mistakes that I made when  I started on this journey was underestimating how hard it really is. This may seem discouraging, but I'll share with you the best advice anybody ever gave to me:

"If something feels hard to do, it usually means you should do it."

A mentor shared this wisdom with me when I was having a very hard time. I have never forgotten it. There will be times when you feel discouraged and defeated, but at the end of the day what matters is that you keep showing up and trying again.

The key for me was building a strong support system I could rely on for psychological motivation, career guidance, and technical help.

Building the Foundation

The first thing I did when I found out I could get paid to be a hacker was reach out to my (small) social network. At the time, I was stringing together catering gigs as a chef while working 5-10 hours a week as a python web developer. I didn't know anybody in the InfoSec industry and nobody knew me. I wrote or called everyone I could think of that had a remotely tech-oriented job and by luck I got the emails of two offensive security professionals. I wrote to them both, explained my situation, and they were nice enough to share their stories and guidance with me.

I realize now that what I was doing was building a network of people who could support my learning. They didn't explicitly offer to take me under their wings, they didn't promise me a job or an internship, but they spoke to me about their own InfoSec journeys and gave me the confidence to embark on my own.

At the time I wasn't thinking of the implications of those conversations, but I still count on these two people as mentors to this day. The majority of the specific suggestions I lay out in this blog post stem directly from these first two exchanges.

As I progressed in my InfoSec journey, I continued to network and build connections with industry professionals. If you don't have the good fortune to already have contacts in InfoSec, do not despair. The basics of connecting are easy:

1. Find people who do the job you want (A LinkedIn account is very helpful for this)

2. Start a conversation. Below is a real example I dug out of my message history (that led to a valuable mentorship opportunity):

Hey <REDACTED>! Connecting from the BHIS dischord. I'm fascinated by physical security, how did you get into this field?

3. If they are nice enough to respond: ask thoughtful questions on subjects you are curious about AND cannot answer with a google search.

4. Then, if the opportunity naturally presents itself, courteously ask them if they would be open to giving you constructive feedback about how you can achieve your goal of getting a job in InfoSec.

5. Implement their feedback

6. Repeat

Now, this may not feel easy to do. Putting myself "out there" and requesting feedback from people I respect and admire was nerve wracking. Many messages went unanswered or ignored and some people even ghosted me for no clear reason. I encourage you to remember my advice above: "If something feels hard to do, it usually means you should do it." Persistence will pay off.

Every person I spoke to when I was networking told me the same thing: that "soft" skills are in higher demand than "hard" (technical) skills. Soft skills are nebulous and hard to define, but I take the term to apply to any non-technical strengths that are generally applicable to all professional settings. No matter what kind of work you do, in whatever industry, soft skills are productive and worth cultivating. For me, the most important of these is effective communication.

Communication

As an aspiring InfoSec professional you will need to be able to engage with technical concepts in an accurate and flexible way. You will have to communicate with technical and non-technical professionals, teammates, and clients. You will have to do so over email, instant messaging, voice/video chat, and in-person. Communication skills are fundamental to the network-building I emphasize in the previous section and make you a much more valuable teammate in a professional setting.

There is no clearly-defined way to benchmark communication skills, so this is an area of improvement that will require feedback from your network or support system. Practice by finding good technical questions and asking people you respect to answer them. Seek feedback from people you trust about areas of improvement in your ability to communicate.

Effective, clear, and concise communication will pay off in both personal and professional settings.

The Hard Skills

It's All About the Fundamentals

A couple careers ago I decided I wanted to be a chef. I didn't have the opportunity or the patience to go to culinary school, so I began studying the foundational techniques I would need to cook professionally. Once a week, I would go to the grocery store and buy 5lbs of potatoes or onions. I would then spend hours dicing the vegetables into perfect cubes to practice my knife skills. Nobody wants to become a chef to dice potatoes all day, but I knew the knife control, precision, and attention to detail that task required was of fundamental to the role I was seeking.

When I set out to become a penetration tester, I approached my education in the same way. I spent a few weeks figuring out what those fundamental skills are. I (again) reached out to my industry contacts for guidance. Then, I prioritized my learning path according to my mentor's feedback as well as my own research.

I highly recommend reading Daniel Miessler's How to Build a Cybersecurity Career. I found it valuable when I was building a learning plan.

The Plan

What I came up with, in order of priority, was this:

1. Learn how computers work

2. Linux/command line fundamentals

3. Python and general programming skills

Each of these are huge topics, but they are fundamental to working with the technologies I encounter as an information security professional.

Executing the Program

A learning plan is useless without relevant and useful educational resources. I had limited funds and time, so going to school was not an option for me. Luckily, I found a resource that I will recommend for the rest of my life: Hopper's Roppers Computing Fundamentals.

This Computing Fundamentals course is completely free and is constantly being updated and refined. It is maintained by Dennis Devey, the former Training Officer for the U.S. Naval Academy's CTF (competitive hacking) team. The material is delivered in short, easy to consume lessons in a self-guided, self-paced format. It assumes no prior knowledge in technical fields, but by the end of the course you will have built a Linux lab, created a personal website, be comfortable using the command line, and gain an understanding of how computers work from the application layer down to the hardware.

To summarize: it's a completely free, rigorous, self-paced computing fundamentals course. I can't thank Dennis enough for this gem of a resource. If you are beginning your self-paced learning journey, do not skip over this opportunity.

The Ropper's course finishes with a strong recommendation that students learn to code, and recommended Automate the Boring Stuff with Python by Al Sweigart as a starting point. It's a free-to-read beginner's guide to coding in Python that assumes no prior knowledge of programming concepts and is filled with relevant practical challenges that I found fun and useful.

I still use the knowledge I acquired in the 4-5 months I spent working through Ropper's and Automate the Boring Stuff every day. With these resources, I was able to build a solid technical foundation.

Certifications

At this point in my journey I had acquired technical knowledge and practiced my soft skills, but anybody can write that they "completed coursework" on their resume. I needed to be able to prove to a potential employer that I was a worthy hire and able to meet their professional and technical standards. A mentor I reached out to recommended I get the CompTIA Security+ certification, which is an entry-level cybersecurity-focused multiple choice exam with a small practical component.

To study for the exam, I spent a month watching Professor Messer's free Security+ YouTube course, which covers every aspect of the exam in 177 videos. Watching the videos was not enough practical learning for me, so I also used technical and cybersecurity flashcard decks with Anki. The Anki desktop application includes access to hundreds of user-created flashcard decks and is completely free. I found Anki's memorization algorithm to be extremely helpful and I was amazed by how much I could learn purely through optimized repetition. Using flashcards to memorize important concepts and technologies was crucial to my success in passing the exam.

Additionally, I purchased Professor Messer's Security+ practice exams for $25. This was the first resource I spent any money on in my cybersecurity journey (except a voluntary donation to Hopper's Roppers for being awesome). The package provides three exams, which I took periodically during my studies to benchmark my performance under time constraints. Once I completed a practice test with a score of 90%, I scheduled the CompTIA Security+ exam and passed!

Final Thoughts

Shortly after becoming Security+ certified, my first two mentors independently reached out to me about an internship opportunity at FortyNorth Security.  The company was advertising for a Web Development/Security internship that I ended up interviewing for and getting! I was finally "in". That internship led to my current position as a full time Offensive Security Engineer. My day-to-day job duties include conducting penetration testing assessments, supporting our trainings, and working on internal tooling and research projects.

Your journey might be totally different, but I hope by sharing mine you find some value or resource that's helpful for yours. Feel free to drop me a line on twitter, I may be slow to respond but I'll happily answer your (thoughtful) questions.

Good luck!