Greetings, Cyber Mavericks!
You’re on the path to becoming an ethical hacker (penetration tester), eager to pass the certification xyz and “accelerate” your journey to land a penetration tester role or become a h4x0r as soon as possible.
However, cutting corners now may lead to shaky foundations later, compromising your success and progression. You have effectively created your future weaknesses and blind spots.
Common Misconceptions
- You can pass an ethical hacking exam without much prior Linux knowledge. “Just learn a little bit of Linux and you’ll be fine!”.
- You don’t need to dive into networking, operating systems, databases, or web apps to be a pentester. “Just focus on those leet hacking courses!”.
- And finally, “Just study the material in your course and you are good to go!”.
While certain certifications may be attainable without a firm grasp of foundational concepts, skimming through them early in your learning journey can harm your career in the long run. Pentesters must cover vast areas, all rooted in solid foundational knowledge.
I have been in the IT and cybersecurity field for several years in different roles and responsibilities before I recently switched my career to become a Penetration Tester, so believe me when I say I am very familiar with the journey you are embarking on and all the conflicting advice you are confronted with very often.
So, what am I giving you as an advice instead? Read on and I will share with you my sincerest advice to avoid making those mistakes early in your career.
Assuming you are in ethical hacking for the right reasons, you are passionate about breaking things, figuring out how they work, and then help fixing them to improve your employer’s security posture.
It is an exciting journey but surely not a quick one. Taking the time to build your foundations will pay dividends and make you a good pentester.
Here are the minimum foundations you must get intimately familiar with at the start of your ethical hacking journey:
- Learn Linux: This is your vessel, your main tool, and your companion all at once. Be very proficient in Linux and in particular, your distro of choice such as Kali Linux or Parrot OS.
- Learn Operating Systems: How are you going to exploit or secure them otherwise without understanding how they work and their nuances? Windows and Linux are the most widely used, followed by macOS.
- Learn Networking and TCP/IP: You are meant to attack interconnected systems, and network protocols as well as interact with them after all.
- Learn Basic Scripting or Programming: Be familiar with fundamental programming principles and be able to read and understand code. Being able to write a script is a bonus. I would recommend Python, Bash, and PowerShell to begin with.
- Learn Web Fundamentals: HTTP protocol, Web servers, and Web technologies are everywhere. Web applications are one of the most public and common attack surfaces. Most applications are moving to the web or mobile, so you must get familiar with the web.
- Learn Security Basics: Sure you can skip ahead to the sexy ethical hacking studies without having done some basic and general cybersecurity training. You wouldn’t be able to communicate your findings and recommendations if you lack understanding of areas such as risk assessment, mitigations, security controls, data protection, etc.
Google Cyber Security Professional and CompTIA Security+ certifications are excellent starting points. - Learn supplementary domain knowledge: Once you have learned the above, it’s time to start exploring your areas of interest. The earlier you expose yourself to your chosen niche the better. Some of the popular niches include Network Security, IoT devices, Web apps, Mobile apps, Cloud, etc.
While it’s crucial to grasp the fundamentals of scripting/programming and supplementary domain knowledge, it’s equally important to prioritize your efforts.
Instead, focus initially on mastering Linux and networking, along with basic security concepts. These will form the foundation and act as a launchpad for deeper learning. Understanding how operating systems and the web function comes next, followed by understanding programming concepts and specific domain knowledge.
A solid understanding of Linux can significantly benefit your career in cybersecurity, particularly as an aspiring penetration tester.
Moreover, it can help greatly with passing your certification exams without unnecessary struggle.
For more reasons as to why Linux, check out my article on ‘Why You Should Learn Linux Well Early In Your Ethical Hacking Career’
As a penetration tester, you are expected to always stay up to date with the latest Tactics, Techniques, and Procedures (TTPs). The threat landscape is changing continuously, and so should we.
As you have chosen penetration testing, you should not be surprised to learn that this is a highly dynamic and ever-changing field. Not only do you need to keep up with the latest ethical hacking tools and techniques, but you need to also keep up with the latest emerging cyber threats and security best practices which will form the basis for solid mitigation recommendations to your client or employer.
A serious commitment to continuous learning and professional development is a must:
- Keep up with cybersecurity news and the latest emerging threats.
- Continuously learn new techniques and keep honing existing ones.
- Keep practising with your chosen tools while keeping an eye open for new or improved tools that may be more suited to your current needs.
- Keep solidifying your foundational knowledge as new concepts or technologies emerge (Linux, operating systems, networking, web, databases, etc.).
It is also expected of you to keep honing your skills and developing your ethical hacking techniques and methodology.
This essential self-development and upskilling effort can take many forms:
- Participate in Capture The Flag (CTF) competitions or exercises.
- Study for a practical hands-on ethical hacking certification (e.g. OSCP).
- Read books on cybersecurity and hacking. Yes, old-school but effective!
- Practice on platforms such as HackTheBox and TryHackme.
- Online training and webinars from platforms such as Cybrary.
- Listening to podcasts such as SecurityNow and Darknet Diaries.
- Build a home lab using VMs to practice attack and mitigation scenarios.
The most underrated skill that aspiring and new penetration testers ignore is the “soft skills”. Let me tell you this now. Soft skills do matter.
As a pentester you are not testing in the dark and only interacting with machines, at the other end of the table, a client or an employer sits across from you paying for your expertise to guide them, communicate your findings with them, and advise them on remediations.
Soft skills facilitate effective communications with your employer, clients, team members, and stakeholders.
The Essential Non-Technical Skills Pentesters need to possess:
- Verbal and written communication throughout the engagement
- Documentation & reporting of your engagement and findings
- Presentation skills
- Time Management skills
- Project Management skills
As a new or aspiring pentester, you’ve likely heard this repeatedly: your pentest is only as good as your report. The client can’t witness the impressive hacks you executed to gain access or your mastery of pentesting tools and Linux wizardry. They can only assess your engagement’s quality through your primary deliverable: your pentest report.
That’s what they’re truly paying for — to identify their security gaps and receive recommendations for enhancing their security posture. Therefore, it’s crucial to develop both your soft skills and technical expertise.
Communication skills are crucial to scope out, update your stakeholders during the engagement, and present your findings at the end of the engagement.
This is what will set you apart from those hoodie-wearing nerds who lurk in the basement, shying away from direct sunlight and isolating themselves from the rest of the company (ever been mistaken for a zombie?). 😏
Equally essential is the capacity to manage your time efficiently and treat each engagement as a project, ensuring you meet deadlines and objectives effectively.
Building a successful career in ethical hacking requires dedication, patience, and a commitment to continuous learning. By avoiding shortcuts, staying updated on industry trends, and honing both technical and soft skills, you’ll be well-equipped to build a robust career in ethical hacking and thrive in your chosen field.
I repeat, strong foundations are the key to unlocking your full potential as a penetration tester.
I hope this article has provided valuable insights and guidance for your journey. I wish you the best of luck in your amazing career that lies ahead.
I am eager to hear your views whether you agree or disagree with some or all of the points I have discussed here.
Please feel free to comment or reach out if you have any queries.