October 18, 2011 at 7:17 pm #6925
So most of you have seen me on this forum a while now and some might know that about a month ago I landed my dream job as a junior security consultant.
I decided to write a small bit about how I got the job in the hope some people who are trying to break into the industry might find it useful.
Also for any of you who don't know me that well, writing is not something I really enjoy that much and this is still in draft so any feedback is more than welcome.
It's a bit long but I hope it will be useful to newbies trying to break into security. I hope to also get this on my website and the YPISG website once it has been read a few more times. So you could say this is an EH exclusive lol
How I went from PC Technician to Junior Security Consultant at the longest running computer security company in the UK.
As a young boy I was also the curious type, wanting to know how things worked and why my toys could not do stuff I wanted them to. I always found time to take my toys apart then try and put them back together again, which didn’t go as well as I expected. There was always something about me that wanted to know everything about anything I could. At first this started with toys but as I got older this moved onto computers. When I was about nine we got our first computer, which was a Time PC and came with games like Theme Hospital. I was never really good at the hardware side of things so I focused mainly on software, learning how to do most things from the keyboard. As I went to secondary school I learned more and more about different software and this was where I made my first hack with some friends: we noticed it was possible to use Excel macros to install software we should not really be able to have, like Virtual Pool and Football Manager. At the same time films like Hackers were coming out and I remember watching that film thinking ‘wow, that is so cool, how does that work’. This was the turning point in my life where I just wanted to know about hacking and how I could learn more about it.
However at this time security and hacking was not the focal point that it is today so trying to learn hacking was near impossible. From this point on hacking became my hobby. I would read about stories in the news and try to find out as much about hacking as I could in my own spare time. I was still really unsure what I wanted to do with my life but knew I didn’t really enjoy school that much. I only really liked doing IT, which was really hands on, so I decided to leave school and, being young, felt I would walk into an amazing job with great pay and my life would be complete.
After leaving school, through the years I had many jobs including working for a Film Company, courier, and a Printer. Whilst I was doing all these jobs I carried on trying to learn about security and hacking, buying items off eBay that were described as hacking courses to try and teach myself and learn more. I finally came to the decision that the only way to go forward would be to do a computer course so I applied for a course at my local college. I was still unsure what I wanted to do so I tried to pick a course that covered a wide range of subjects; maybe this would give me a better indication of what I really wanted to do. I ended up doing an HND in Information Technology and was given the chance to do a top up degree with the University of Kent to get a degree in Information Technology. While doing my degree I started a part time job as a Sales Advisor at PC World; within a few months I had worked my way up to becoming a Tech Guy.
It was also around this time that security became well known to people through the news. I spent most of my student loan on computer security books but was frustrated that I never had time to read them. I finally finished the degree and achieved a 2.2 grade. This was not the best outcome but I had some personal problems during the last year which affected my grade. So I left University and was still unsure of what I wanted to do at the time. I was still following my hobby of security, reading about recent hacks in the news and trying to find out what I needed to know in order to become a security professional. I carried on working part time at PC World while I figured out what my next move was. At first I started to apply for web development jobs just to have full time work but didn’t feel like my heart was really in it and didn’t want a job where I could learn everything; I wanted it to be a challenge. I wanted a job that was exciting and was always demanding.
I finally got a bit of a break when browsing the BCS website: I saw an advert that went something like ‘do you want a career in computer security get in contact’. This caught my attention and I wanted to know more. I never really used the BCS at all before so I decided to send them an email and find out what the advert was all about. I later got a reply and was told they were setting up a group, which would help young professionals get into security. This would be the start of my eight-month journey to land my dream job as a pen tester. I joined the group and started to get involved a lot more with security. I found online forums like ethicalhacker.net where I could get advice on courses and books. I wanted to give myself the best chance to get a job; I already knew how hard this was going to be as most companies would see my 2.2 grade and usually decide that I was not capable of doing this job.
However I didn’t let that stop me. I knew I wanted this more than anything in the world, a job that was well paid, challenging and was always demanding. I started to realise what a challenge it was going to be with so much information to learn, so many courses to do and realising how expensive it would be. I didn’t really know where to start. I thought the best thing would be to try to get some security experience so I tried to find some courses and came across the Hackingdojo run by Tom Wilhelm. I knew Tom as I had read a few of his books and this course was aimed at taking someone with no experience and building them up. This course was a pay monthly course, so it was affordable on my part time wages. The only problem I had was this course was run once a week so I had a lot of time on my hands, so I tried looking for another course that I could afford but also would give me something to add to my CV. The only other course I could really afford was the OSWP (Offensive Security Wireless Professional). I knew about Offensive because of the wonderful work they did with Backtrack; also lots of people recommended it to me on ethicalhacker.net.
Once I passed the course I tried to get my name out into the industry as best I could. I attended security events, creating a LinkedIn page and adding contacts as well as security groups, and created my own webpage http://www.jamierougive.co.uk to have something to show employers as well as help others who were like me and didn’t really know where to start. I also got cheap business cards printed with my website on that I could hand out at places like InfoSec. After around five months of doing this, making contacts and working hard to try to improve my skills as well as being involved with the ypisg.bcs.org and running events, I started to apply for Junior Penetration jobs. I was happy when I started to get requests to go for interviews. I felt that I was getting somewhere, that all my hard work was starting to pay off and it should not have been long before I was working for a company doing something I was really interested in and had a lot of passion for.
How wrong I was. I was getting interviews but was having problems with the questions they asked me. This was because the range of questions was so broad and different from one company to another. A lot of the time I would learn the basic stuff and then they would want me to explain advanced stuff that I could just not remember. I was trying to remember too much and remembering it inside out was even harder. When I did learn the more advanced stuff I would get asked the really basic stuff. It was really frustrating; it felt like I was going backwards and not getting anywhere, and despite the fact I knew once I was given a chance I could learn anything and would be a good pen tester, getting a break was proving extremely difficult. Just when I felt things could not get any worse, they did. I had the worst interview of my life where nothing went well and the person who interviewed me made me feel extremely stupid and like no matter how much I tried I would never get a job doing what I wanted. I left the interview feeling demoralised and really down and just felt like giving up.
It took me a few days and some really good advice to pick myself up and get ready for another interview I had lined up. For the final interview I picked myself up and took everything that went wrong in other interviews and built on it, spending the four days before the interview going over the CEH study guide and other notes as well as looking at the company website, trying to take in as much information as I could. This was make or break for me; I gave it everything I could. I turned up at the company not knowing what to expect: were they going to ask me basic questions or were they going to ask me about WEP cracking.
I always turn up early for interviews and ended up sitting in the reception for around fifteen minutes before I had my interview, and straight away I could tell I was going to like this company. The staff were friendly, they were working hard but having a joke at the same time. I felt at home and felt really relaxed. I was then called for the interview where I got a mixture of questions; some were basic but some were more advanced. I had question after question, some I just didn’t know, and from experience knew it was best to be honest. The people who held the interviews knew their stuff inside out; it’s not worth trying to blag it.
It felt like I was in the interview a lifetime, two and a half hours to be precise. Another thing I had found with interviews is you can never really tell how it went. There are some cases where you can tell, like the really bad experience I had; I knew that went bad and knew once I left I had more chance of winning the lottery than getting that job. But some you just cannot tell. I felt this interview went okay but some questions I didn’t know or didn’t answer I felt let me down. What made it even worse was the interview was on a Thursday and I had to wait over the weekend to find out how it went. I finally got the good news that they wanted to take me on as a Junior security consultant. I can’t really describe how this felt; I was over the moon at the news and at a total loss for words. I just couldn’t wait to start my new job.
So what did I learn from all this? What was the point of this article? Well, I wanted to share my journey and give some advice to anyone who is trying to get into security, especially Pen Testing. The first bit of advice is it’s not going to be easy, so you need to want this so bad and never accept no as an answer. If you really want this it does not matter what background you have or what grades you got at University; if you want this you can get it, but be prepared to work hard and realise you may have bad interviews, but if you build on them you will finally reach your goal. You should also do as much as you can to get involved within the security field. Going to events and making contacts could give you the vital break you need; I got some of my interviews from contacts I had met at places like InfoSec and the BCS.
Try and pay for your own course if you can; this shows you are truly interested in the subject and are willing to spend your own money for something you’ll enjoy and believe in. If you can afford it, doing something like the Tiger scheme AST and QSTM course, which will get your CV noticed by companies, or the CREST CRT course will improve your chances of landing a job. I also recommend going through CEH to understand the basics as well as learning stuff like common port numbers, how TCP/IP works, how Nmap uses TCP/UDP to determine whether a host is open, closed or filtered, and knowing some web hacking basics like what is SQL injection and XSS. Also know your CV inside out. You’ll usually be interviewed by technical directors; if you have on your CV that you passed a Cisco course, expect them to ask you a Cisco question like what is the default password for a Cisco router. The last bit of advice is just chase the dream, never give up. It will be hard to land a job but once you do it will be worth it.
October 18, 2011 at 7:32 pm #42991 eth3real (Participant)
Jamie.R, this is a fantastic post, thank you for sharing!
My history is very similar. As a child, I took apart everything I could get my hands on, and eventually I could even put most of it back together. My parents rarely discouraged me from taking things apart, which I think was helpful.
My first step in software reverse engineering was with video games. I would open game files in notepad and try to make small changes to see what part of the game it affected. A friend of the family recognized what I was doing, and installed a hex editor. That made things so much easier. I eventually got to the point where I recognized that if I saved a game, made a backup of the save file, and then made a minor change and saved it again, I could compare the two files and see where the differences were.
Much later, I still haven’t completed a college degree, I got a Microsoft certification and my CEH in 2008, I’ve been a Systems Administrator at a small company since 2006, and now trying to get my foot in the door in a security position. My next step is CISSP, and I’ve been networking like crazy in my local community (Linux Users Group, ISSA, InfraGard, 2600 and Defcon meetings), trying to make as many connections as possible. Networking is extremely valuable, and also gives me the ability to bounce ideas off of somebody else, where I previously had not (being the only tech guy in a small company). My 5 years as the sole administrator has proven to be a great asset, as I do networking, help desk, programming, internal applications, etc., even though only a small amount of security related work. It shows a great deal of self-motivation, and ability to solve problems quickly, with little outside influence.
While I haven’t found anything, yet, I have a lot of good leads, and many people looking out for me.
(If you have any leads for a Jr. Security Analyst position, or something similar, PM me! ;D)
Thanks again for sharing, this information is invaluable!
October 18, 2011 at 10:42 pm #42992 impelse (Participant)
Great experiences guys, I was thinking the other day that when I begin to look for a penetration position it is going to be HARD, anyway, TRY HARDER
October 19, 2011 at 1:59 am #42993
Nice overview JamieR. How long were you working as a PC engineer before you landed the junior pentesting job?
October 19, 2011 at 7:54 am #42994 TheXero (Participant)
Nice one Jamie.R 🙂
In terms of my childhood, I was pretty much exactly the same as you except I got my first computer at age 4 but didn’t really get interested in it until I was about 15.
I enjoyed building things (built myself a home made crystal radio at 9) but never really enjoyed school not because it was learning as I loved that, but it was the lack of experience and always the correct answers are spoon fed rather than actually trying to achieve something.
I’m currently attending interview for my first pentest job and so far my OSCP has been extremely helpful so just waiting to hear the results xD
See if there is some way you can try and break up that wall of text as it can be a little hard to read, but great post 🙂
October 19, 2011 at 8:39 am #42995
I was working for 3 years as a PC engineer, working mainly at weekends while I did my degree. I will try to break the text up later tonight. I just hope it is useful for anyone new, and when people are unsure if they picked the right degree or anything this will reassure them: as long as you have passion for it you can do anything.
October 19, 2011 at 1:21 pm #42996
Wow, only 3 years as a PC engineer before your first pentest gig... great job
October 19, 2011 at 1:21 pm #42997
Do you have any tips on networking in the security/ pentesting field?
October 19, 2011 at 2:16 pm #42998 SephStorm (Participant)
LinkedIn, ISSA, InfraGard, etc.
Jamie, thank you for the info!
October 19, 2011 at 2:28 pm #42999
Sorry Jamie... one more question. Do you think it would have been the same story if you didn't have your degree?
October 19, 2011 at 2:50 pm #43000 lorddicranius (Participant)
Thanks for sharing your story. I’d second the “wall of text” comment hehe. Just breaking it up with an extra line between paragraphs would help, I think.
October 19, 2011 at 2:54 pm #43001 tturner (Participant)
Yeah I could not bring myself to read it. Need paragraphs. Thanks for sharing though!
October 19, 2011 at 4:23 pm #43002
I have tried to break it up a bit more.
I don’t know, I mean my degree did teach me a lot of things so it did help a bit. If I didn’t have my degree I would have just had more to learn.
My degree didn’t really teach me about security. They happily teach you how to build a website but very little mention about security; in fact I think it was 10 mins on SQL injection, that’s all the security I did at uni.
But it did teach me things like HTML, CSS, MySQL, PHP, Java, stuff like that.
October 20, 2011 at 5:50 am #43003
I meant did employers mention anything about your degree, was it required?
October 20, 2011 at 6:46 am #43004 n3r (Participant)
Thanks for sharing your experience Jamie! I’m at university for a degree in network administration and I would like to work in security.
I have an apprenticeship contract with my company.
As I learn for school I spend my free time learning as much as possible about security.
Hope one day I could work in pentesting!
October 20, 2011 at 8:09 am #43005
No, they didn’t mention it at all. Some would not accept my CV as they required a 2.1 tho.
October 20, 2011 at 1:16 pm #43006
What's a 2.1?
October 20, 2011 at 3:54 pm #43007
In the UK our grades go
A 1 is the best grade, 3rd is the worst. Hope this answers the question.
October 21, 2011 at 4:38 am #43008
I just google’d “UK grading system” and it's pretty interesting how other countries have different grading systems.