Quick blurb so I can remember this. A bubble chart can make a handy display for pentest findings – and prioritize them. It’s a simple way to identify and display high-impact, low-cost issues. Here’s an example of a bubble chart with some findings pre-populated. If you’re interested in using this, just create a copy and go to work.

I recently had a college student ask about getting into Information Security. Here’s his question:

My biggest issue with my current education is the broad scale and lack of clear direction on how to achieve my goals. I know that I am very interested in penetration testing. Ethical hacking in general is a very big interest of mine. But as for what area of security, I’m not even sure what the options are.

Cool – sounds like the biggest thing is to explore, and decide on a first direction knowing full well this may will change as you learn more. You may want to try writing your current goals down, and working toward them (or, better yet, working backward from where you’d like to be).

Penetration testing – or as you call it – ethical hacking, is still a very… tradecraft career. Fundamentally though, it’s a form of testing. The best thing you can do is dive in and start learning about the systems you’ll be coming up against. If i had to choose a tester that had a bunch of certificates and lab experience vs a tester that knew and had been an  administrator of systems he’d be testing, i’d choose the latter.

Penetration testing has split into some broad specializations – though it’d be best to sample amongst them

• Mobile & IoT
• Web Application
• Network
• Embedded

OWASP is good for learning web and mobile attack methodologies.

Carnalownage, Metasploit, Offensive security are good for learning network attacks.

Re: certifications – there are some really really good courses certifications – PWK/OSCP/OSCE. You should focus here first and foremost if you’re going to do a certification.

You’ll want to check out netsec’s career thread – this happens quarterly. This will give you a great sample of existing careers, and you can start to research on the things you’ll need to learn.

There are many [other] threads on the net about how to get started in infosec.

Here’s another one i wrote about 10 years back, specific to penetration testing. It’s amazing how much of this is still relevant.

Reddit’s /r/netsec is a great resource for staying on top of what’s happening in the technical security field

Stack Exchange is another one with a bit more of a question/answer focus – good for researching when getting started.

As far as building a reputation while you’re in school, the best things you can do:

• Get on twitter and start contributing – there’s a strong contingent of security folks on twitter
• Jump on Github and start publishing tools / code
• Jump on Bugcrowd and HackerOne start reporting bugs, building a profile.
• Publish papers, blogs, code, anything that you can point to as a resume builder.
• Go to conferences, meet folks. Find positive folks that will help you, and find ways to help them.
• Learn everything you possibly can.

You’re looking for a job in a field that has massive unemployment, so you’re in the right place at the right time. But be warned, it’s a fast-moving field and requires you to be motivated if you want to be good.

It’s worth noting that the penetration testing / consultant career path generally requires a significant amount of travel, and can be disruptive to a family lifestyle. This isn’t always true, and there are certainly ways to make it work, but worth thinking about. Thoughts on work / life balance are for another post.

The one piece of advice i give everyone interested in getting into the field: Provide value without asking for anything in return. If you find someone you want to work with, just ask… how can i help? … Guaranteed, they don’t get asked that enough.

Handy reference list of links, storing in a single place for future use.

A Regional Internet Registry (RIR) is an organization that manages the allocation and registration of Internet number resources within a particular region of the world. Internet number resources include IP addresses and autonomous system (AS) numbers. Map of Regional Internet Registries.

ARIN

• API: https://www.arin.net/resources/whoisrws/
• Request full data here: https://www.arin.net/resources/request/bulkwhois.html
• Become a mirror: https://www.arin.net/resources/request/bulkwhois.html
• Stats: https://www.arin.net/knowledge/statistics/

RIPE

• API: http://rest.db.ripe.net
• Downloadable version (redacted): ftp://ftp.ripe.net/ripe/dbase/ripe.db.gz
• Request full data here: https://www.ripe.net/manage-ips-and-asns/db/faq/faq-db/can-i-download-the-ripe-database
• Become a mirror: https://www.ripe.net/manage-ips-and-asns/db/nrtm-mirroring
• WHOIS service code: https://github.com/RIPE-NCC/whois
• Stats: https://stat.ripe.net/

AFRINIC

• API: https://www.afrinic.net/services/whois-query
• Request full data here: http://www.afrinic.net/library/corporate-documents/207-bulk-whois-access-form-
• Stats: https://www.afrinic.net/en/services/statistics

APNIC

• API: https://wq.apnic.net/whois-search/static/search.html
• Request full data here: https://www.apnic.net/apnic-info/whois_search/using-whois/bulk-access/copyright
• Stats: https://www.apnic.net/publications/research-and-insights/stats

LACNIC

• API: http://labs.lacnic.net/site/restful-whois
• Request full data here: http://www.lacnic.net/en/web/lacnic/manual-8
• Stats: http://www.labs.lacnic.net/stats/

This was originally written in early 2017 for a friend of mine that asked for advice about how to avoid being hacked when traveling abroad.  It mirrors much of the DHS Travel Safety advice, but is meant to be a little more practical. I’m re-posting it here for the benefit of others. Note that this checklist applies for pretty much any hostile cyber environment – but was written with China in mind.

If you have reason to think that you’ll be targeted – particularly if you have access to data valuable to the country you’ll be traveling to – seriously – don’t take your PC into the country. Set up a burner device and use it only in combination with a VPN service. Otherwise… proceed with caution:

Pre-Flight

• Set a lock and PIN on your phone.
• Turn on your phone’s auto-lock.
• Add a privacy screen to each device.
• Ensure you’ve configured full-disk encryption on the device.
• Configure two-factor authentication whenever possible.
• Configure Android or Apple’s Device Finder so you can remote wipe.
• Ensure you are running the latest software versions.
• Sign up for DHS’s Travel Alerts.
• Completely power-down the device before you arrive at your destination. Attackers can easily siphon data off a locked PC.

After Arriving

• Keep devices close to you and within sight at all times.
• Do NOT let authorities take the device from you during entrance / exit.
• Do NOT leave systems in your hotel room.
• Do NOT plug any media – USB stick, SD card, etc – into the system.
• Do NOT use the internet without a secure VPN connection. Many VPN services won’t work, but Express VPN seems the safest and most likely to work in China.
• Turn off Wi-Fi and avoid any public / hotel / café Wi-Fi connections unless you are automatically connecting to a VPN at time of login.
• Avoid logging into any account on any shared computer.
• Assume all HTTP/S traffic outside of a VPN will be inspected and is thus compromised.
• Keep Bluetooth off – I’m not aware of any exploitable vulnerabilities bluetooth, but no sense in exposing the attack surface if it’s not needed.

Upon Return 

• Wipe the burner machine and re-image.
• Rotate any used passwords upon return. Use something like 1Password or Lastpass to make this easy.
• If any services share the password you used while abroad, assume it’s compromised.

Each person’s situation is unique and this advice is specifically designed for the business-person headed to China, but if you follow this advice, you’ll be a difficult target.

Further Reading:

• NSA TAO capabilities