Hack Stories: Hacking Hackers EP:1

9 months ago

When cockiness backfires and puts your company at risk.

c0d3x27

InfoSec Write-ups

Disclaimer: This is one of a series of articles detailing similar hacks to come.

I come from the bug bounty era when companies used to pay researchers, and not everyone was trying to replicate the next man's work. Now everything has changed, to the point where Remote Code Executions (RCE) are paid as little as $2k, and so-called bounty hunters just collect other people's work and replicate it. At some point I got tired of all this and decided to leave bug bounty for good, dedicating my spare time only to finding zero-days and becoming what in the private sector is called a Cyber Security Consultant, better known as a Penetration Tester.

The New Journey

Unlike bug bounty, becoming a Penetration Tester is not an easy task. It's not because the job you're required to do is fundamentally different, but rather because of the bureaucracy involved in the hiring process and the roles themselves. On top of that, your entire career within this field depends on other people's decisions, including those of the people we call Gatekeepers. Like every other job field, this one has its problems, particularly with certifications.

It doesn't matter how good you are at what you do. Years of demonstrable experience, tasks solved: companies will overlook all of that if you aren't packed with a plethora of fancy certifications. There's a general idea that if you don't hold them, you don't know how to hack, which is funny because the world's best hackers don't hold certifications. In fact, certifications were created to teach you what those people already know. And once you are in, you'll learn that many people hold certifications but lack experience.

Interviews

When you first start looking for this position, you will meet very interesting people. Among them you will find some who just like to tease others. Typically, these job interviews are split into three or more meetings. The first is just a chat to get to know you, while the Technical Interview is where your knowledge is put to the test with cybersecurity questions from future colleagues of the same rank and/or someone more senior.