Introduction

Last year, I attended a job fair organized by the Association of Computer Science Students at ETH Zürich. It was a rewarding experience to be able to share my day-to-day work in a field I am so passionate about. We got to talk to numerous students at different stages of their studies, as well as a few individuals already in the market who were seeking to transition to different career paths. Throughout these conversations, I noticed a common denominator among people interested in pursuing a career on the offensive side of cybersecurity: nobody really knew how to become a hacker.

Where to start? What are the requirements? Which technologies do I have to master? Do I have to study computer science? What about cryptography? I don’t play CTFs, can I still work as a pentester? All these questions were constantly floating around. Now, I know it’s a job fair and these kinds of questions are expected, but in contrast to other more straightforward career paths such as software engineering or machine-learning, I have the feeling that getting into the offensive side of cybersecurity is still a mystery. So, I gave myself the task to shed some light onto this matter and help future generations of pentesters discover this exciting job.

Where to start? Soft Skills

Cybersecurity is a field that is constantly changing and adapting to new technologies, new techniques, and new attack vectors. Thus, probably the most important qualities that an individual must possess are motivation, and eagerness to constantly learn. Pentesters continuously find themselves dealing with new systems, and being able to go deep into an unknown topic in a short amount of time is an essential ability. Even though encountering these unexplored subjects can be scary and stressful, having curiosity and resilience will help and provide a rewarding experience.

Moreover, every customer’s project is a completely different universe. Not only because the technologies used are always distinct, but because the purpose of the systems also differ. Attempting to break a system or find a vulnerability first requires being able to understand it, and then figuring out how to exploit it. Being passionate about problem solving, challenges and puzzles is a must have to fulfill the job.

Programming

People often asked whether knowing how to code is essential for a position as a hacker, and what would be the best programming language to start with. The daily tasks of a pentester rarely include coding unless you like to build tools or scripts to automate boring tasks. Having said that, it is important to understand code and be able to play with it. Whether to perform some sort of code review, or simply look at JavaScript inside a web application, pentesters must understand it to be able to exploit it or point out the vulnerabilities it contains. So, as far as coding goes, programming knowledge in a scripting language such as Python, PowerShell or Bash is expected. Proficient software design and engineering skills are not necessary, but coding simple algorithms and being able to debug them is a must-have for the job.

Networking

Networking is one of the core concepts not only of computer science in general, but also of cybersecurity. So, consider putting a particular emphasis on this.

While most of the tools you’ll be using during your network assessments will probably be learnt on the go, having a solid background in the core notions is vital. Start from the general and progress to the specific. Answer questions like: How does the internet work? What is happening behind all the magic in my web browser when I load a page? How do computers communicate with each other inside the same network and in different networks? What are the devices that make up a home network, how does this differ from a corporate network? While solving those questions you will inevitably run into terms like IP address, DHCP, and DNS, amongst others. You may even go deeper and learn about TCP and UDP. Even though this is an oversimplification of the network model, it serves as a good intro and solid base for you to build on. So, try to get a clear perspective on all these protocols; how they work, and what key role do they play.

If you also feel like having a practical perspective on the networking side, try scanning your home network (or networks you explicitly got the permission to scan) with nmap, play around with the dig command to learn more about a particular domain, try to contact another computer using ping, or use Wireshark to analyze the traffic in your network. Try to understand what these commands are doing and what is happening when you press enter.

Cryptography

Cryptography is probably one of the scariest words referred to in this article. Yes, it can be a very complex topic with highly advanced mathematics that most people don’t understand, and no, you don’t need to own Bitcoin to work in cybersecurity.

Some cryptographic concepts are often used when working in our field. Encryption is a word you’ll hear a couple of times at lunch in a week, and it must be properly dissected and mastered. The two cryptography types, asymmetric and symmetric cryptography, play an essential role in the security of communications and data. If you can manage to put in simple words, the differences between them and explain their uses you’ll be pretty much on the other side. Note that it is important to understand the high-level concepts and not necessarily the specifics in detail.

Digital signatures are a big part of asymmetric cryptography. They are essential in the web and widely used throughout the digital world. They play a key role in the use of certificates to prove the identity of a user, server, computer, or device. Naturally you know what will come next, carefully study digital signatures, certificates, and certificate authorities. It is also important to properly understand the difference between a digital signature and encryption.

If you are still interested into exploring other concepts in the realm of cryptography, some topics worth considering might be hashing algorithms, key exchange protocols, and examples of commonly used ciphers.

Putting together all the parts we’ve discussed so far essentially constructs TLS. What is the purpose of TLS, and how does it play a role in web traffic? How do all the components we mentioned before come together to form TLS? Are some questions that you should be familiar with.

Web Application Security

Many pentesters start their careers by testing web applications. This is common, as lots of companies first look to test their external facing infrastructure, and web applications are naturally the first point of contact. Furthermore, it is typically also a somewhat more familiar setting for junior analysts than let’s say Active Directory, Azure, IoT or mobile apps of a company. However, even though browsing through a page is familiar, the concepts and inner workings of web applications may not be. It is important for an applicant to properly understand and be able to explain the concepts of frontend and backend, what is an HTTP request and of which parts it’s composed, which types of HTTP requests exist, what is authentication, what is authorization, how is the session handled in a web application. Knowledge in more complex topics such as CORS, Same Origin Policy, and special headers such as the CSP, or HSTS are always a plus.

After the basic components of the web are deeply understood, it is important to get familiar with common attack scenarios and threats like XSS, CSRF, XXE, SQL injection, and SSRF. What attacks are performed server-side, which ones are client-side? How do they work, and how to protect against them? Although the theory behind these attacks can be learnt by heart, it is important to get your hands dirty and practice them against different targets and in different scenarios. Practicing will help you to properly understand the inner workings of the vulnerabilities and the defenses against them. When I say, “get your hands dirty”, I’m not suggesting going on the internet and start hacking into banks. There are plenty of very good online resources with labs, which allow you to test your newly acquired hacking skills in purposefully vulnerable systems. My personal recommendations are PortSwigger Academy, TryHackMe, HackTheBox, and Hacking-Lab. Simply create an account and start practicing.

If you reach this point, you’ll probably notice that you’ll need some tools to help you on your path; say hello to the interception proxy. There are two main competitors: OWASP ZAP and PortSwigger’s Burp Suite. OWASP ZAP is free, and Burp has a community edition. Regardless of which one you choose; they will be of great help when performing the tests. Even though they are not strictly necessary, they will make your life easier.

Resources

Here is an exhaustive list of security resources compiled by Compass Security: https://github.com/CompassSecurity/security_resources.

FAQ

  • Do I have to have a degree in computer science to work in cybersecurity?

The short answer is no, you don’t have to have a degree in computer science. In fact, we have people working with us from different backgrounds (electrical engineering, mathematics, physics, …). Usually, any science/engineering degree will be enough. Having a degree signifies mastery of technical foundations, quick learning ability, problem-solving strategies, structured work, self-reflection, and project management skills. However, if you don’t have a degree but still possess those qualities, don’t be afraid to apply.

  • I don’t play CTFs, can I still work as a pentester?

Yes, you can. Generally speaking, CTF players possess many of the qualities we’re looking for in new employees, and they also have a good understanding of multiple topics we discussed here. But that’s at the same time not sufficient and not necessary. We’re looking for well-rounded people who can be good team players, talk well with our customers, and write nice reports. While, at the same time, having plenty of knowledge and problem-solving capabilities. So, if you’re a CTF player you may already be quite close to fulfilling the requirements. If you’re not, then don’t worry, there’s plenty of resources to gain the knowledge and learn the abilities that are required for this job without having to play CTFs. Having said that, try it out! It’s quite fun.