So what is threat emulation? I've said that a couple of times. Now I've said "emulate a threat actor." What does that mean? Well, taking it out of the world of cybersecurity for a second, let's imagine you're gonna rob a bank. Now, please don't rob a bank, and if you do rob a bank, please don't say Cybrary told you to. But let's imagine, sort of philosophically, that we're gonna rob a bank.

We have some considerations that we're gonna have to make. We're gonna have to think about security guards. How many are there? Are they armed? What does their response time look like? We figure out where all the cameras are in the bank so we can keep our faces off of them or shut them down. We find out what kind of cameras they are. Are they hard-wired? Are they over WiFi? What sort of connection is being used for these cameras? Are there dye packs hidden in the money? Are there GPS tags in the money? Are the vault doors closed? If they are closed, how do we get through those? What alarms are gonna go off?
You have to consider all of these things as you're planning your heist of a bank, and your job as a pen tester is basically to take all of those considerations, but for cybersecurity. So you basically pretend you're going to be robbing this organization. You look for all of their weaknesses, be they policy weaknesses, physical weaknesses, or technological weaknesses. And then you go through the motions of attacking that system.

What's important to understand there is that when you're going through the motions of attacking the system, you are doing it as part of the team. There are a lot of cases, most cases even, where their entire security staff may not be aware of a pen test. But you're still contributing to their security posture.
So, your day job, and I say that in a slide a little bit later, your day job is violating federal and international laws, but you're doing it in a way that is exempt from those laws. You're doing it at the request of the business, and you're doing it to help that business. So, like I said before, you really have to be able to understand what threat actors are doing and sort of what threats exist in this space, so that you can emulate those, perform the attacks, and then identify the weaknesses that you were able to take advantage of.
So here's where I mentioned there's a lot of paperwork. Cover your... CYA. Maybe that means something different to you, depending on your background, but: cover your assets. Like I said, your day job is violating a lot of laws. Now, you have authorization, you have documentation. But the thing is, if you don't keep that up, if you haven't very clearly documented what you're supposed to be doing, if you don't have the correct authorization, you can get in a ton of trouble for performing these operations. Even if notionally you are supposed to be doing it at the company's request or on their behalf, if you don't have it properly documented, if you don't have the proper authorization, you can get in a ton of trouble. And we've just seen in the news hackers getting 20-year sentences, life sentences, for some of the data compromises we're seeing. So it's very, very important that you have the documentation you need.

Before any operations begin, you're gonna establish a scope of work, usually some kind of service level agreement. You're gonna sign some NDAs. You're probably gonna sign some agreements for their IP. You've got a bunch of paper: you're gonna sign a bunch of other authorizations and signatures. You're going to get all of those drawn up. During operations, you're gonna document every single step you take. So if you get into a specific folder, a specific server, or whatever, you're gonna document what server you got into, how you got into it, and if you changed anything, what you changed. You're gonna save backup information; you're gonna make it so that everything you do can be undone. You're never gonna take a step that's going to endanger the work or endanger, sort of, the livelihood of the organization you're testing against. In order to make sure you're doing that safely, you're just gonna document basically every step, every command you run. There are tools that will do that for you so you can just pull the history out after the fact. But however you go about it, documentation of every step you've taken is key.

And then after operations, you're gonna pull all of that together: your scope of work, your findings, all the steps you took, all of your documentation, and you're gonna provide a thorough report. These reports can range. I've seen them anywhere from a one-hour briefing to an entire 300-page book that included all of the vulnerabilities that were attacked, all of the suggested mitigations, and then all of the run commands and operations. It depends on sort of your agreement with the company and how you personally approached the problem.
But you're gonna provide a thorough report one way or another, and it's gonna have all the information they need to correct the flaws that you helped to uncover.

So, Joe, I have a quick question. Joe, if I wanna hack my girlfriend's Facebook account, should I do that?
Not only should you not do that, the odds are actually pretty good you're gonna go to jail for doing it. Interesting fact: at Cybrary, for the first two years our company existed, and it may still be the case, our number one most requested video or class was "how to hack my girlfriend's Facebook." For April Fools' a couple years ago, we put out a blog post about that. But the short answer is: don't. If you're in a relationship, and I'm not qualified to give relationship advice, but if you're at a point in your relationship where you feel the need to bring cybersecurity and hacking into the mix, you have probably reached the end of that relationship, and it's better just to let it go.
So, yes, if you ask about hacking Facebook, the answer is probably gonna be "don't," and I've forwarded this to the appropriate law enforcement authorities. That said, as long as you avoid hacking your girlfriend's Facebook and going to federal prison for the rest of your life, what are your job prospects gonna look like? Well, in general, the median salary for a pen tester is around $80,000. Pen testing is one of those jobs that can vary ridiculously widely, and experience is a major, major component of that. So you're gonna find that on day zero, your first day on the job, you might be making $40,000 or $50,000 a year, and then five years down the road you're making $120,000. It's one of those where experience is really key, and finding the right market, building your reputation, and finding the right customers is gonna be key to your salary prospects, your compensation prospects.

It is worth noting that a lot of pen testing gigs are on a contract basis. Not a lot of companies really feel the need to keep pen testers on staff at all times. So your salary on paper might be a little bit higher, but you've got to be the kind of person who can manage their own finances, who can figure out their own insurance situation. You're gonna be doing all your own taxes. Being a contract worker can be very lucrative, but part of that is that a lot more of the onus of what you'd think of as HR responsibilities falls upon you. So there are great salaries in pen testing, absolutely there are, but when you're talking about how you can sort of manage those salaries, it's very important to understand what you are and aren't getting on your contract.
In terms of job availability, pen testing is excellent. It's one of the absolute best job fields in the world to be in, or to be trying to get into, right now. We're looking at between 18 and 28% year-over-year growth. That's from the BLS. That squares with a few of the other cybersecurity jobs we talked about; they're just growing incredibly rapidly. We talk about it on Cybrary all the time, and I've written articles and talked to people about it. We're currently looking at about 3.5 million open cybersecurity jobs by the end of 2020, and that number is absolutely atrocious, absolutely insane. And a big chunk of that is in the red team, offensive security world, because there just aren't enough people with the skill set, and they're desperately, desperately needed.
When you're working as a pen tester, you might be on site, wherever you're doing the actual pen test. You might be working remotely. This is one of those job fields where there is a lot of remote work available once you've built up your reputation and you have your experience. You might work from an office; you may have a firm that you work out of. If it's for a company that has storefronts, you would be actually physically going into their stores. You may be going into their offices, trying to convince people to give you stuff that they're not supposed to give you. When you're doing pen tests against banks, it's very common that people actually go into the bank and see what they can get access to just by talking their way in. You'll see a lot of videos about people who are dressed as maintenance staff or as delivery people or whatever, where all they're trying to do is get physical access to the building. So part of being a pen tester involves that physical access, which means that your workplace is anywhere a vulnerability might exist, which can be a lot of fun. It's been one of my absolute favorite parts of doing pen testing: getting to travel and getting to go places I otherwise probably wouldn't have.