As a young boy I was the curious type, wanting to know how things worked and why my toys could not do the stuff I wanted them to. I always found time to take my toys apart then try and put them back together again, which didn’t go as well as I expected. There was always something about me that wanted to know everything about anything I could. At first this started with toys, but as I got older this moved on to computers. When I was about nine we got our first computer, which was at the time a PC and came with games like Theme Hospital. I was never really good at the hardware side of things so I focused mainly on software, learning how to do most things from the keyboard. As I went to secondary school I learned more and more about different software, and this was where I made my first hack with some friends: we noticed it was possible to use Excel macros to install software that we should not really be able to have, like Virtual Pool and Football Manager. At the same time films like ‘Hackers’ were coming out, and I remember watching that film and thinking “wow, that is so cool, how does that work?” This was the turning point in my life, where I just wanted to know about hacking and how I could learn more about it. However, at this time security and hacking were not the focal point that they are today, so trying to learn hacking was near impossible. From this point on hacking became my hobby; I would read about stories in the news and try to find out as much about hacking as I could in my own spare time. I was still really unsure what I wanted to do with my life but knew I didn’t really enjoy school that much. I only really liked doing IT, which was really hands-on, so I decided to leave school, and being young and naïve I felt I would walk into an amazing job with great pay and my life would be complete. During the years after I left school, I found myself doing many different jobs, some of which included working for a film company, a courier, and a printer shop.
Whilst I was doing all these jobs I carried on trying to learn about security and hacking, buying items off eBay that were described as hacking courses to try and teach myself and learn more. I finally came to the decision that the only way to go forward would be to do a computer course, so I applied for a course at my local college. I was still unsure what I wanted to do, so I tried to pick a course that covered a wide range of subjects; maybe this would give me a better indication of what I really wanted to do. I ended up doing an HND in Information Technology and was given the chance to do a top-up degree with the University of Kent to get a degree in Information Technology. While doing my degree I started a part-time job as a Sales Advisor at PC World, and within a few months I had worked my way up to becoming a Tech Guy. It was also around this time that security became well known to people through the news. I spent most of my student loan on computer security books but was frustrated that I never had time to read them. I finally finished the degree and achieved a 2.2 grade. This was not the best outcome, but I had some personal problems during the last year which affected my grade. So I left University and was still unsure of what I wanted to do. I was still following my hobby of security and was reading about recent hacks in the news and trying to find out what I needed to know in order to become a security professional. I carried on working part time at PC World whilst I figured out what my next move would be. At first I started to apply for web development jobs just to have full-time work but didn’t feel like my heart was really in it. I found web development easy and I didn’t want that; I wanted it to be a challenge. I wanted a job that was exciting and was always demanding.
I finally got a bit of a break when browsing the BCS website: I saw an advert that went something like “Do you want a career in computer security? Get in contact”. This caught my attention and I wanted to know more. I had never really used the BCS at all before, so I decided to send them an email and find out what the advert was all about. I later got a reply from Mike Westmacott, who had recently joined IRM (Information Risk Management) as a pen tester. He wanted to set up a group which would help young professionals get into security. This would be the start of my eight-month journey to land my dream job as a pen tester. I joined the group and started to get involved a lot more with security. I found online forums like ethicalhacker.net where I could get advice on courses and books; I wanted to give myself the best chance to get a job. I already knew how hard this was going to be, as most companies would see my 2.2 grade and usually decide that I was not capable of doing this job. However, I didn’t let that stop me. I knew I wanted this more than anything in the world: a job that was well paid, challenging and always demanding.
I started to realise what a challenge it was going to be, with so much information to learn, so many courses to do, and realising how expensive it would be. I didn’t really know where to start. I thought the best thing would be to try and get some security experience, so I tried to find some courses and came across the HackingDojo run by Tom Wilhelm. I knew Tom as I had read a few of his books, and this course was aimed at taking someone with no experience and building them up. This course was a pay-monthly course, so it was affordable on my part-time wages. The only problem I had was that this course was run once a week, so I had a lot of time on my hands. I tried looking for another course that I could afford but that would also give me something to add to my CV. The only other course I could really afford was the OSWP (Offensive Security Wireless Professional). I knew about Offensive Security because of the wonderful work they did with BackTrack; also, loads of people recommended it to me on ethicalhacker.net. Once I passed the course I tried to get my name out into the industry as best I could: I attended security events, created a LinkedIn page, added contacts as well as security groups, and created this webpage to have something to show employers as well as to help others who were like me and didn’t really know where to start. I also got cheap business cards printed with my website on that I could hand out at places like InfoSec. After around five months of doing this, making contacts and working hard to try to improve my skills, as well as being involved with the ypisg.bcs.org and running events, I started to apply for Junior Penetration jobs. I was happy when I started to get requests to go for interviews. I felt that I was getting somewhere; after all, my hard work was starting to pay off, and it should not have been long before I was working for a company doing something I was really interested in and had a lot of passion for.
How wrong I was. I was getting interviews but was having problems with the questions they asked me; this was because the range of questions was so broad and different from one company to another. A lot of the time I would learn the basic stuff and then they would want me to explain advanced stuff that I could just not remember. I was trying to remember too much, and remembering it inside out was even harder. When I did learn the more advanced stuff I would get asked the really basic stuff. It was really frustrating; it felt like I was going backwards and not getting anywhere, and despite the fact I knew that once I was given a chance I could learn anything and would be a good pen tester, getting a break was proving extremely difficult. Just when I felt things could not get any worse, they did. I had the worst interview of my life, where nothing went well and the person who interviewed me made me feel extremely stupid and like no matter how much I tried I would never get a job doing what I wanted. I left the interview feeling demoralised and really down and just felt like giving up. It took me a few days and some really good advice to pick myself up and get ready for another interview I had lined up. In my next interview I picked myself up and took everything that went wrong in other interviews and built on it, spending the four days before the interview going over the CEH study guide and other notes as well as looking at the company website, trying to take in as much information as I could. This was make or break for me and I gave it everything I could. I turned up at the company not knowing what to expect. Were they going to ask me basic questions? Or were they going to ask me about WEP cracking?
I always turn up early for interviews and ended up sitting in the reception for around fifteen minutes before I had my interview, and straight away I could tell I was going to like this company. The staff were friendly; they were working hard but having a joke at the same time. I felt at home and felt really relaxed. I was then called for the interview, where I got a mixture of questions; some were basic but some were more advanced. I had question after question, some I just didn’t know, and from experience I knew it was best to be honest, as the people who held the interviews knew their stuff inside out; it’s not worth trying to blag it. It felt like I was in the interview a lifetime, two and a half hours to be precise. Another thing I had found with interviews is that you can never really tell how it went. There are some cases where you can tell, like the really bad experience I had: I knew that went badly and knew once I left I had more chance of winning the lottery than getting that job. But some you just cannot tell. I felt this interview went okay, but some questions I just didn’t know or in some cases didn’t answer, which I felt let me down. What made it even worse was that the interview was on a Thursday and I had to wait over the weekend to find out how it went. I finally got the good news that they wanted to take me on as a Junior Security Consultant. I can’t really describe how this felt; I was over the moon at the news and at a total loss for words. I just couldn’t wait to start my new job.
So what did I learn from all this? What was the point of this article? Well, I wanted to share my journey and give some advice to anyone who is trying to get into security, especially Pen Testing. The first bit of advice is that it’s not going to be easy, so you need to want this so bad and never accept no as an answer. If you really want this, it does not matter what background you have or what grades you got at University; if you want this you can get it, but be prepared to work hard and realise you may have bad interviews, but if you build on them you will finally reach your goal. You should also do as much as you can to get involved within the security field. Going to events and making contacts could give you the vital break you need; I got some of my interviews from contacts I had met at places like InfoSec and the BCS. Try and pay for your own course if you can; this shows you are truly interested in the subject and are willing to spend your own money on something you’ll enjoy and believe in. If you can afford it, doing something like the Tiger Scheme AST and QSTM courses, which will get your CV noticed by companies, or the CREST CRT course will improve your chances of landing a job. I also recommend going through CEH to understand the basics, as well as learning stuff like common port numbers, how TCP/IP works, how Nmap uses TCP/UDP to determine whether a host is open, closed or filtered, and knowing some web hacking basics like what SQL injection and XSS are. Also know your CV inside out. You’ll usually be interviewed by technical directors; if you have on your CV that you passed a Cisco course, expect them to ask you a Cisco question like “what is the default password for a Cisco router?” The last bit of advice is just chase the dream and never give up. It will be hard to land a job, but once you do it will be worth it.