|
|----------------------------- HACKERS GO CORPORATE -------------------------| |-----------------------------------------------------------------------------| |------------------ van Hauser / THC <vh@reptile.rug.ac.be> ------------------| ----| Preface The following article has been discussed controversially in the rows of the THC members. Some of Van Hauser's statements reflect his personal opinion and are inconsistent with other THC members opinions. As the webmaster of the THC site, I would like to give *YOU* the chance to judge. - Plasmoid ----| Introduction Young hackers usually dream about becoming a well-known security expert, whose job is about executing high profile penetration tests on fortune 100 companies. Why? Cool and interesting projects, bleeding edge hard and software to work with, new areas to learn and gain knowledge, earning money, creating (another) high profile - this time with the real name - most hackers dream of that - few actually achieve that. This article is meant to change this. It is mostly about the pitfalls a hacker has to overcome, especially when a company doesn't like "evil" hackers for the job. Therefore a sound and seemingly logical explanation, where he did get this security knowledge is very important. Some people might say "hey, nice article, but it is not really about hacking" - well, I say it is. It is about hacking coporate minds. You want to achieve your goal - working for that fortune 10 bank as an IT security expert, but f*ck, they don't like hackers. Hackers are evil, criminals, they say. So you have to hack their brains to get what you want! First, it should be clear what a "security job" is about - or being a whitehead. The world, work and views are different. The section "Hacker World vs. Security World" is describing this. Then you might need additional knowledge to impress your hope-fully new employer - also the ways for that are pretty clear, you can find some hints at "Getting a Background". After you know what will await you, you actually have to apply for a job. There are some do's and some don'ts you should keep in mind for writing your application documents and when you've got your job interview. The sections "Truthful or not", "How to find a job", "Getting your CV right" and "The Job Interview" will keep you on the right track. And finally: "Things you should not do after getting the job". This might be more important than you think. Last thing you should keep in mind when reading this text: it is especially meant for people who have a hard time to get employed because the company they are interested in have got a "no-hacker" policy, or the country they are living in are seeing hackers not as an enrichment to the security business. If you are trying to get into a company which welcomes hackers with open arms - which is rarely the case - this text can still be important to you. About me: as a former hacker and phreaker, I'm working for 7 years in the security field now and had to struggle several times with this topic. I also helped several friends and peers to their security jobs so far. The contents here is my own vast ;-) experience - with input from friends and colleagues. Enjoy. ----| Hacker World vs. Security World What is the hacker's view of the world? Wardialing modems, attacking web servers, writing exploits, driving around in the city to find vulnerable wavelan networks, exploring bleeding edge hardware, programming a new tool for weeks until it is perfect, meeting with hacker friends for weekend sessions and drinking jolt - well and having a good time. Is a security job like that? Well, of course not - but what is it actually about? In the security field, there are different positions. a) The Programmer - he deals with programming operating systems or applications. The job might be just that of a programmer (e.g. programmer for the Sun Solaris kernel), or a development of security components (e.g. part of the development team of Checkpoint's Firewall-1), or part of the security audit team of a software package (e.g. AIX security team from IBM in Austin/Texas). b) The Administrator - he is responsible for running special equipment or whole infrastructures. An administrator can be responsible for all servers of a special operating system (e.g. Windows admin), the network (LAN/WAN admin), applications (SAP, Oracle, Lotus Notes, etc.), firewalls, etc. The smaller the company, the broader and more general is usually the scope of work for an administrator. c) The Operator - sitting in front of a monitor (or several) all days and evaluating output of logs and system messages. Boring. But usually you get a good overall salary through additional holiday, weekend bonus etc. Hackers rarely do that - but it's an option. d) The Security Officer - he is writing the security policies and procedures for the company. If a security incident is happening, he has to decide what to do. Usually, he is also part for defining security and access roles for important. A very important job, but that of a paper tiger - and attending many boring meetings and eventually reviewing some audit files. e) The IT Auditor - an independent organ within the organization which ensures the adequateness of IT controls. A job where you not make many friends, but usually can travel around the world, if you are working for a big company. Most audit work is about organisational procedures and if they are followed, interviews and reviewing logs. However in some positions, you can also things like penetration tests - but also if that's the case, it's just a small part of the job description. An IT auditor usually can not build up deep knowledge, however get a very broad knowledge and a very good overview of the company. f) The Consultant - he works for a consultant company (whew!). From a hacker's point of view, there are 3 types: general consultant companies (e.g. McKinsey, KPMG, Ernst & Young), IT consultant companies (e.g. IBM Consulting, Accenture) or IT security companies (e.g. @stake, secunet, etc.). What is the difference? Well, specialization of the company and size of the company. It should be noted that most big audit companies (e.g. PWC, KPMG, etc.) also have got IT security auditors, which do a mix of e) and f). g) The "Hacker" - employed by the company to check the security of networks, review source code, etc. In some companies, they are hired to show to customers or press they employ cool people (hi to Ken William ;-) This job type is actually very rare ... In some companies - especially security consultant companies who also develop software, some people can actually be programmer and consultant. This is the case for @stake, Razor, eEye, etc. - but of course also there just for some special guys. So that you have got a picture now what type of work there is to do, how is the work done? What is the view on the work? 1) A hacker's "job" is actually very easy - viewed from a whiteheads side. "They try to break into some company, and if they find a hole - great, if not - well they try another company. They only have to find one hole, that's enough." Also this is exaggerated, there is much truth in it, if you see it as a game between "black" and "white". A "whitehead" has to find all holes, and close them. That's a completely different view - and many will say more challenging as well. 2) When you changed the side - you also have to change your work habits. You will normally get a description what is your scope of work - and that's what your job is about. You can't to just what you think would be fun to do. Doing a fast penetration test on your companies mail server? Might bring you to jail if you were not authorized. Every job brings limits with them - and if you want to keep yours, you have to follow them. 3) Then you have to follow procedures (e.g. the company's security policies, working hours, dress code). In some companies these are very strict, in others it's very relaxed. 4) You can not just work how you want to. If you are a database administrator or you got a job in a security consultant company to do penetration tests: you must either follow a methodology how you have to do your work - to ensure the quality, or you have got to document everything you did - if someone else has to pick-up your work later, he knows what you did and why. 5) A security job does not mean that you can implement all security you want. Everything will be focused on business needs. Want to install new firewalls, tighten down the filter lists in the firewall, install a new reverse proxy for the eCommerce system? Your boss will ask you why this is needed, what the cost will be, and the impact. The new firewall might add security, but be too expensive. Or the tightened filter lists would make administration, content updates etc. more difficult. Or the reverse proxy might downgrade performance, which would frustrate customers. 6) Ever heard about the famous "soft skills"? Yeah, you might be technically an expert, but within a company, you are not alone, and you don't act and work alone. This is why good communication skills (being friendly, helpful, open, respectful, truthfully etc. blabla) are very important. In fact you should even consider this for your private life anyway - it enhances your friendship with hackers (and girls as well! ;-) ... So why going corporate anyway? It doesn't sound like fun. Well - it can be fun. It depends on the company's culture and how much freedom you get. And the work can be very rewarding from what you can learn, expand your knowledge, environments and companies you see and working professionally the first time in your life. So brighten up - it can be fun and rewarding. Just remember: corporate life is not a piece of cake and to take too easy. You'll have to adapt. ----| Getting a Background Now that you know what a corporate life is about, you can qualify yourself better if you've got security background - not hacker background - already. Helpful are e.g. Cisco configuration know-how, solaris/aix/win2k administrator know-how, knowledge about security policies, hands-on experience about firewall setups and server hardening, programming skills, etc. What skills are especially helpful for the job you would like to do? Take a look at the job descriptions from the previous paragraph and then imagine what kind of knowledge is needed. Then try to acquire somehow the knowledge. E.g. buy books, read online articles about the topics, buy some old and cheap cisco/sun/rs6000/etc. hardware and get some experience. www.securityfocus.com is a good starting point for finding related articles and books, ebay.com is a good place to find hardware, etc. However the best is to get an internship or part-time job at an ISP or security division of a big company. ----| Truthful or not? There are companies out there which have got a "no hacker" policy. There are countries where it is common thinking that hackers do "hacking" and therefore not adequate for "security" jobs - for ethical, philosophical or technical reasons. If you think that a company has got a "no hacker" policy - don't tell them. If you don't know if they have got such a policy - don't tell them either. You can still do that later if you get the strong feeling in the interview they think positively about hackers. Otherwise: don't. ----| How to find a job For some people it's easy: the job offers are made to them. For this you've got to become famous or well-known in the security/hacker community. Good examples for this are the l0pht team or ADM, or single individuals like rain forrest puppy and Fyodor. If the job doesn't come to you, you have to look for a job yourself. There are three ways: 1) Go to security conferences (or hacker conferences) - Usenix Security Symposium and Blackhat Briefings are usually very good for this, hold a good presentation, talk to some people ... and there you are. 2) You search for security jobs on Internet job search engines (keywords like "firewall", "security" even maybe "hacker" will bring you further), additionally www.securityfocus.com has got the SecurityJobs mailing list (and archive). 3) You directly send your resume to the companies you want to work for. This is actually very effective. Job ads on the Internet, computer magazines or newspapers are expensive and usually don't bring much results for the companies as the market for security specialists is empty most of the time. So if you just send the IT security departments your resume - you will get at least a job interview 90% of the time. Or if you know someone within a company, he might propose you as a new team member :-) that would be the easiest way ... ----| Getting your CV right CV stands for Curriculum Vitae and means resume or application documents. Before you start writing yours, get on the internet and read tips about writing one. Specifically for hackers going corporate, you should take of the following: 1) Your CV should contain no holes. If you spent 3 month burping and farting in your room, put in your CV: "January 2000 - March 2000: private software development project on secure web applications. I experimented with various blabla, and developed blablabla which enhanced security blabla ..." I guess you get the picture. 2) Whatever you did - high school, internship, university, part-time jobs - mention everything from a light what you did there in the security field - and a bit more ... e.g. if you administrated a webserver for an ISP as an part-time job, you write: "I was responsible for the security of the webserver, had to review the system and apache log files, review the source code of the CGIs, blablabla" 3) If you did internships, part-time jobs or security related courses at high school or university (even about cryptography and system management) try to get a internship certification, signed resume, whatever. Try to influence the contents so it focuses on security. In many companies you usually write them yourself and let them sign by the boss - this is the easiest way of course. ----| The Job Interview Show that you are ethical - give them the feeling that you would never ever hack the company - without proper authorization by management. If they think you are a shady character, no way they will hire you. Even if they think positively about hackers. Don't tell them you are a hacker, unless you really get the feeling during the interview that this would help you! If the company has got a "no hacker" policy, you'll have to face questions like "Are you a hacker", "have you been a hacker before", "could you get into the system you once administrated?", etc. Sometimes even challenging you like "Are you skilled enough to still get into the firewall at the university you built up?". If you don't want to lie (like me), you can answer them like: "What do you mean by 'if I am a hacker', if you mean 'someone who is vandalizing web pages' - no, never, if you mean 'someone curious about security and paranoid enough to tighten down everything and programming until 4 o'clock in the morning' - yes, then I'm a hacker". If you don't want to appear like a hacker - don't dress like one. Dress Like the company expects the proper person to be. This might be a business suit or casual. If in doubt: business suit, especially if it's a consultant/auditor job. And of course the usual tips for job interviews apply here as well. Buy a book about that or read them on the internet. ----| Things you should not do after getting the job Remember the following things: Do NOT hack the company you are working for! If you are working for an external audit or consultancy company, this includes your customers! Do NOT hack other companies from the company you are working for or it's customers! NEVER tell anyone from the hacker scene about the security (or insecurity) of your company (and customers)! NEVER tell your company (or your customers) secrets from the hacker scene - otherwise you'll not have got much friends anymore ... It might not be wise to tell people in the company, that you are (or have been) a hacker. People usually can't keep their mouths shut. It is wise not to do any illegal things after becoming corporate - if you are caught hacking into some systems - do you think your company will believe that you never hacked them .... ?! So better become a greyhat, and have fun researching and still do the same stuff like before. But either authorized or passive watching ... ----| Closing Remarks Several companies which fear hackers will think after reading this - "f*ck, we have to tighten the "new employee" process". But I will tell you something: Too late ... we are already everywhere. In all major consultant, audit and software development, banks and IT security companies are former hackers. And guess what? The world is not crumbling down in despair. Most hackers have ethics. You might not like their ethical code, but most of them have a code of honour, and would never hack the company they are working for. You might say - "but the others, not all are good" - yes, that's true, but so is the rest of the world - same is true about people who are not hackers. If you fight us you will loose - valuable team-members, with strong skills and experiences. Think about it. And to the hacker scene: having a cool security job and still doing greyhat stuff - this is the best thing which can happen to us. Having fun - and getting paid for it. r0qz! ----| Greets Greets to Doc Holiday, Mindmaniac, Tick, Stealth, Vax, SevenUp, Escher and Rookie who all went corporate successfully - and these are just some of the German guys. Ken Williams, Fyodor, L0pht, some of ADM and many, many, many more as well. Have fun and kick ass! Greets to my group THC (visit our 31337 HACKER QUIZ at http://www.thehackerschoice.com/quiz), TESO, ADM, LAM3RZ and L0pht. 2001, van Hauser / THC <vh@reptile.rug.ac.be>