Who am I?
I’m now a penetration tester and red teamer in a multi-national cyber security service provider (not really a big one, just because everyone can now work remotely).
But who was I?
I was a Psychology graduate. I had zero computer science / coding experience (actually I’m still bad at coding). My first graduate job was as a finance analyst.
Why did I want to enter the cyber security field?
I had long been thinking of switching fields. Neither psychology nor finance was an industry that I enjoyed. I hadn’t heard of the role “Ethical Hacker” until one time when I was doing some financial research and came across it on a finance TV program. And suddenly, the finance company I worked for decided to leave my region due to the business future and political-geographical concerns. And here I was, unemployed. That made me pause and truly think about my career and future.
To me, pentesting is like playing detective games, in which I’m highly interested. Besides, I think cyber security was actually one of the most appropriate fields for those who want to change their field. Despite the need for specialized knowledge, we didn’t have to enter a college which took 3 or 4 years to earn an expensive degree. Professional certificates are widely available, if not too many, in the cyber security field, and we who are devoid of a technical background can still effectively prove our ability and knowledge.
So how did I get my first cyber security job?
I wanted to work as a red teamer, but the first job I got was in fact a SOC Tier 1. Why? Because the threshold is much lower and this position required quite a few people due to shift work. And having blue-team work experience makes it easier to interview as a red teamer than being a complete fresher. In case you’re interested, I was 27 years old back then.
At that time, the only cybersecurity-related certificate I had was eJPT from INE (FKA eLearnSecurity). It was a junior penetration testing certificate and the price was very much affordable (USD$100). I got the certificate about 4 months after I started self-learning cyber security. Frankly, eJPT was not highly recognized (at least the interviewers hadn’t heard of it). But I needed it to somehow prove that I was serious about this industry and that I was eager to self-learn.
The company I applied for was a large telecommunication company, which also provided SOC (Security Operation Centre) and NOC (Network Operation Centre) services. The salary was known to be low 🙁 but my goal was to step into the cyber security field first. IMO, time cost really matters when it comes to career change.
My SOC Interview
The recruitment process was composed of a written test and an interview on the same day (and I had only been informed that there’d be a written test). The written test was quite simple to me. It asked really easy questions on popular protocols and ports (e.g. HTTP:80, DNS:53). There were a few questions on Windows commands and on how severe unauthorized inbound SMB traffic might be. I believed I got at least 80% on the written test.
There were 3 interviewers! Later I learned that 2 of them were Tier 3 personnel and the other one was the line manager. That said, I wasn’t nervous at that time. Working as a financial planner did make me comfortable with this kind of occasion. I thought I performed quite well in the interview and would like to share some of the questions and my answers with you.
1) Self Introduction
- My answer: I’m a psychology graduate and have been working as a financial planner for 4 years. I came across the cyber security field by accident. Once, when I was doing financial research for my previous job, I watched a finance TV program which talked about ethical hackers and I found that interesting. I started self-learning pentesting from YouTube and HackTheBox at leisure. Then my company at the time was terminated a year ago due to geo-political concerns. Instead of looking for a similar financial planner job, I decided to self-learn cyber security and pursue a new career in this field. To me, the similarity between psychology, finance, and cyber security is the need for an analytical mind and puzzle-solving skills. And I really enjoy intellectually challenging work. The difference between these fields, I think, is that there’re many moments at which I could feel a strong sense of accomplishment in the cyber security field, which has also been the driving force for my self-study in the previous year.
- Reflection: As I said, my background was not related to cyber security at all. So I positioned myself as a smart, passionate, and eager-to-learn person. And I had to present that image in more of a storytelling way rather than simply claiming myself to be that kind of person. One of the major drawbacks of this self-introduction should be the lack of focus on the SOC role.
2) Imagine your client’s web application is vulnerable to SQL injection. How would you explain SQL injection to him?
- My answer: To me, looking for a machine with a SQL injection vulnerability on HackTheBox to demonstrate to him should be the most effective answer. I’m not sure of the background of clients in this context, but given that he doesn’t know about SQL injection, I imagine he’s not a member of the cyber security team. Perhaps he’s from the management. Then I think the things in SQL injection that he needs to know are – what’s the impact, and how severe is the impact, rather than offering him a Cyber Security 101 course to introduce SQL commands, databases, and injection. When it comes to SQL injection, one significant impact that instantly comes to my mind is authentication bypass. And I believe its impact is astonishingly vivid if we can directly show him the exploitation, using no credentials but ' or 1=1; to authenticate in front of his bare eyes.
- Reflection: Of course the interviewers expected me to explain the theory and mechanism of SQL injection. My answer was totally unexpected! But I didn’t think I could present an impressive or organized answer by only presenting what I knew about SQL injection. So instead I tried to answer it in a non-technical way but at the same time showed that I did know what SQL injection is. At least I was sure the line manager was impressed, although I heard that they simplified the question to “Explain SQL injection in your words” in the later interviews.
Conclusion
So that’s very much how I got my first cyber security job. If you’re also a non-technical person and hesitating to join the cyber security field, hopefully this article may inspire you, or at least show you that this is totally possible. If I can do that, you can too!
After getting this SOC Tier 1 job, it took me one year to be promoted to Tier 2, and another year to find a red team job – Cyber Security Consultant & Penetration Tester. Let me share that story with you in another article. See you!