|----------------------------- HACKERS GO CORPORATE -------------------------|
|-----------------------------------------------------------------------------|
|------------------ van Hauser / THC <vh@reptile.rug.ac.be> ------------------|
The following article has been discussed controversially in the rows of the
THC members. Some of van Hauser's statements reflect his personal opinion
and are inconsistent with other THC members' opinions. As the webmaster of
the THC site, I would like to give *YOU* the chance to judge.
Young hackers usually dream about becoming a well-known security expert,
whose job is about executing high profile penetration tests on Fortune
100 companies. Why? Cool and interesting projects, bleeding edge hardware
and software to work with, new areas to learn and gain knowledge, earning
money, creating (another) high profile - this time with the real name -
most hackers dream of that - few actually achieve that.

This article is meant to change this.
It is mostly about the pitfalls a hacker has to overcome, especially when
a company doesn't like "evil" hackers for the job. Therefore a sound and
seemingly logical explanation of where he got his security knowledge is
very important. Some people might say "hey, nice article, but it is not
really about hacking" - well, I say it is. It is about hacking corporate
minds. You want to achieve your goal - working for that Fortune 10 bank as
an IT security expert, but f*ck, they don't like hackers. Hackers are evil,
criminals, they say. So you have to hack their brains to get what you want!
First, it should be clear what a "security job" is about - or what being
a whitehat means. The world, the work and the views are different. The
section "Hacker World vs. Security World" describes this.

Then you might need additional knowledge to impress your hopefully new
employer - the ways to get it are pretty clear as well; you can find some
hints under "Getting a Background".

After you know what will await you, you actually have to apply for a job.
There are some do's and some don'ts you should keep in mind when writing
your application documents and when you've got your job interview. The
sections "Truthful or not", "How to find a job", "Getting your CV right"
and "The Job Interview" will keep you on the right track.

And finally: "Things you should not do after getting the job". This might
be more important than you think.
Last thing you should keep in mind when reading this text: it is
especially meant for people who have a hard time getting employed because
the company they are interested in has got a "no-hacker" policy, or the
country they are living in does not see hackers as an enrichment to the
security business. If you are trying to get into a company which welcomes
hackers with open arms - which is rarely the case - this text can still be
About me: as a former hacker and phreaker, I have been working for 7 years
in the security field now and had to struggle several times with this
topic. I also helped several friends and peers to their security jobs so
far. The contents here are my own vast ;-) experience - with input from
friends and

----| Hacker World vs. Security World

What is the hacker's view of the world? Wardialing modems, attacking web
servers, writing exploits, driving around the city to find vulnerable
wavelan networks, exploring bleeding edge hardware, programming a new tool
for weeks until it is perfect, meeting with hacker friends for weekend
sessions and drinking Jolt - well, and having a good time.
Is a security job like that? Well, of course not - but what is it actually

In the security field, there are different positions.
a) The Programmer - he deals with programming operating systems or
   applications. The job might be just that of a programmer (e.g.
   programmer for the Sun Solaris kernel), or the development of security
   components (e.g. part of the development team of Checkpoint's
   Firewall-1), or part of the security audit team of a software package
   (e.g. the AIX security team of IBM in Austin/Texas).
b) The Administrator - he is responsible for running special equipment or
   whole infrastructures. An administrator can be responsible for
   all servers of a special operating system (e.g. Windows admin), the
   network (LAN/WAN admin), applications (SAP, Oracle, Lotus Notes, etc.),
   The smaller the company, the broader and more general the scope of
   work for an administrator usually is.
c) The Operator - sitting in front of a monitor (or several) all day and
   evaluating the output of logs and system messages. Boring. But usually
   you get a good overall salary through additional holiday, weekend
   bonuses etc. Hackers rarely do that - but it's an option.
d) The Security Officer - he writes the security policies and
   procedures for the company. If a security incident happens, he
   has to decide what to do. Usually he also takes part in defining
   security and access roles for important. A very important job, but
   that of a paper tiger - and attending many boring meetings and
   eventually reviewing some audit files.
e) The IT Auditor - an independent organ within the organization which
   ensures the adequacy of IT controls. A job where you don't make many
   friends, but usually can travel around the world if you are working
   for a big company. Most audit work is about organisational procedures
   and whether they are followed, interviews and reviewing logs. However,
   in some positions you can also do things like penetration tests - but
   even if that's the case, it's just a small part of the job description.
   An IT auditor usually cannot build up deep knowledge, but gets a
   very broad knowledge and a very good overview of the company.
f) The Consultant - he works for a consultant company (whew!). From a
   hacker's point of view, there are 3 types: general consulting
   companies (e.g. McKinsey, KPMG, Ernst & Young), IT consulting
   companies (e.g. IBM Consulting, Accenture) or IT security companies
   (e.g. @stake, secunet, etc.). What is the difference? Well, the
   specialization and the size of the company.
   It should be noted that most big audit companies (e.g. PWC, KPMG,
   etc.) also have got IT security auditors, who do a mix of e) and f).
g) The "Hacker" - employed by the company to check the security of
   networks, review source code, etc. In some companies they are hired to
   show customers or the press that they employ cool people (hi to Ken
   Williams ;-) This job type is actually very rare ...

In some companies - especially security consultant companies which also
develop software - some people can actually be programmer and consultant.
This is the case for @stake, Razor, eEye, etc. - but of course also there
just for some special guys.

So now that you have got a picture of what type of work there is to do, how
is the work done? What is the view on the work?

1) A hacker's "job" is actually very easy - viewed from a whitehat's side.
   "They try to break into some company, and if they find a hole - great,
   if not - well, they try another company. They only have to find one
   hole, that's enough." Although this is exaggerated, there is much truth
   in it if you see it as a game between "black" and "white".
   A "whitehat" has to find all holes, and close them. That's a completely
   different view - and many will say a more challenging one as well.
2) When you change sides - you also have to change your work habits.
   You will normally get a description of what your scope of work is - and
   that's what your job is about. You can't just do what you think would
   be fun to do. Doing a fast penetration test on your company's mail
   server? Might bring you to jail if you were not authorized.
   Every job brings limits with it - and if you want to keep yours, you
3) Then you have to follow procedures (e.g. the company's security
   policies, working hours, dress code). In some companies these are very
   strict, in others it's very relaxed.
4) You cannot just work how you want to. If you are a database
   administrator or you got a job in a security consultant company to do
   penetration tests: you must either follow a methodology for how you
   have to do your work - to ensure the quality - or you have got to
   document everything you did, so that if someone else has to pick up
   your work later, he knows what you did and why.
5) A security job does not mean that you can implement all the security
   you want. Everything will be focused on business needs. Want to install
   new firewalls, tighten down the filter lists in the firewall, install a
   new reverse proxy for the eCommerce system? Your boss will ask you why
   this is needed, what the cost will be, and the impact. The new firewall
   might add security, but be too expensive. Or the tightened filter lists
   would make administration, content updates etc. more difficult. Or the
   reverse proxy might degrade performance, which would frustrate
   customers.
6) Ever heard about the famous "soft skills"? Yeah, you might technically
   be an expert, but within a company you are not alone, and you
   don't act and work alone. This is why good communication skills (being
   friendly, helpful, open, respectful, truthful etc. blabla) are very
   important. In fact you should even consider this for your private life
   anyway - it enhances your friendship with hackers (and girls as well!

So why go corporate anyway? It doesn't sound like fun. Well - it can be
fun. It depends on the company's culture and how much freedom you get.
And the work can be very rewarding for what you can learn, expanding your
knowledge, the environments and companies you see and working
professionally for the first time in your life.

So brighten up - it can be fun and rewarding. Just remember: corporate
life is not a piece of cake and not to be taken too easy. You'll have to
adapt.

----| Getting a Background

Now that you know what corporate life is about, you can qualify yourself
better if you've already got a security background - not a hacker
background. Helpful are e.g. Cisco configuration know-how, Solaris/AIX/Win2k
administrator know-how, knowledge about security policies, hands-on
experience with firewall setups and server hardening, programming skills,

What skills are especially helpful for the job you would like to do?
Take a look at the job descriptions from the previous paragraph and then
imagine what kind of knowledge is needed.
Then try to acquire the knowledge somehow. E.g. buy books, read online
articles about the topics, buy some old and cheap Cisco/Sun/RS6000/etc.
hardware and get some experience.
www.securityfocus.com is a good starting point for finding related
articles and books, ebay.com is a good place to find hardware, etc.

However, the best is to get an internship or part-time job at an ISP or
the security division of a big company.

----| Truthful or not?

There are companies out there which have got a "no hacker" policy.
There are countries where it is common thinking that hackers do "hacking"
and are therefore not adequate for "security" jobs - for ethical,
philosophical or technical reasons.
If you think that a company has got a "no hacker" policy - don't tell them.
If you don't know if they have got such a policy - don't tell them either.
You can still do that later if you get the strong feeling in the interview
that they think positively about hackers. Otherwise: don't.

----| How to find a job

For some people it's easy: the job offers are made to them. For this you've
got to become famous or well-known in the security/hacker community. Good
examples for this are the l0pht team or ADM, or single individuals like
rain forest puppy and Fyodor.
If the job doesn't come to you, you have to look for a job yourself. There
1) Go to security conferences (or hacker conferences) - Usenix
   Security Symposium and Blackhat Briefings are usually very good for
   this, hold a good presentation, talk to some people ... and there you
2) You search for security jobs on Internet job search engines (keywords
   like "firewall", "security" and maybe even "hacker" will bring you
   further), additionally www.securityfocus.com has got the SecurityJobs
   mailing
3) You directly send your resume to the companies you want to work for.
   This is actually very effective. Job ads on the Internet, in computer
   magazines or newspapers are expensive and usually don't bring many
   results for the companies, as the market for security specialists is
   empty most of the time. So if you just send the IT security departments
   your resume - you will get at least a job interview 90% of the time.

Or if you know someone within a company, he might propose you as a new
team member :-) That would be the easiest way ...

----| Getting your CV right

CV stands for Curriculum Vitae and means resume or application documents.
Before you start writing yours, get on the internet and read tips about

Specifically for hackers going corporate, you should take care of the
following:
1) Your CV should contain no holes. If you spent 3 months burping and
   farting in your room, put in your CV:
   "January 2000 - March 2000: private software development project on
   secure web applications. I experimented with various blabla, and
   developed blablabla which enhanced security blabla ..."
   I guess you get the picture.
2) Whatever you did - high school, internship, university, part-time jobs -
   mention everything you did there in the security field in a good
   light - and a bit more ... e.g. if you administrated a webserver for an
   ISP as a part-time job, you write:
   "I was responsible for the security of the webserver, had to review
   the system and apache log files, review the source code of the CGIs,
3) If you did internships, part-time jobs or security related courses at
   high school or university (even about cryptography and system
   management) try to get an internship certificate, signed resume,
   whatever. Try to influence the contents so it focuses on security.
   In many companies you usually write them yourself and let the boss
   sign them - this is the easiest way of course.

----| The Job Interview

Show that you are ethical - give them the feeling that you would never
ever hack the company - without proper authorization by management. If
they think you are a shady character, there is no way they will hire you.
Even if they think positively about hackers.

Don't tell them you are a hacker, unless you really get the feeling during
the interview that this would help you!

If the company has got a "no hacker" policy, you'll have to face questions
like "Are you a hacker?", "Have you been a hacker before?", "Could you get
into the system you once administrated?", etc. Sometimes even challenging
you like "Are you skilled enough to still get into the firewall at the
university you built up?".
If you don't want to lie (like me), you can answer them like: "What do you
mean by 'if I am a hacker'? If you mean 'someone who is vandalizing web
pages' - no, never. If you mean 'someone curious about security and
paranoid enough to tighten down everything and programming until 4 o'clock
in the morning' - yes, then I'm a hacker."

If you don't want to appear like a hacker - don't dress like one. Dress
like the company expects the proper person to be dressed. This might be a
business suit or casual. If in doubt: business suit, especially if it's a
consultant/auditor job.

And of course the usual tips for job interviews apply here as well. Buy a
book about that or read them on the internet.

----| Things you should not do after getting the job

Remember the following things:

Do NOT hack the company you are working for! If you are working for an
external audit or consultancy company, this includes your customers!
Do NOT hack other companies from the company you are working for or its
NEVER tell anyone from the hacker scene about the security (or insecurity)
of your company (and customers)!
NEVER tell your company (or your customers) secrets from the hacker scene -
otherwise you won't have many friends anymore ...
It might not be wise to tell people in the company that you are (or have
been) a hacker. People usually can't keep their mouths shut.
It is wise not to do any illegal things after becoming corporate - if you
are caught hacking into some systems - do you think your company will
believe that you never hacked them .... ?! So better become a greyhat, and
have fun researching and still do the same stuff as before. But either
authorized or passive watching ...

----| Closing Remarks

Several companies which fear hackers will think after reading this -
"f*ck, we have to tighten the "new employee" process".
But I will tell you something: Too late ... we are already everywhere.
In all major consultant, audit and software development companies, banks
and IT security companies there are former hackers. And guess what?
The world is not crumbling down in despair. Most hackers have ethics.
You might not like their ethical code, but most of them have a code of
honour, and would never hack the company they are working for.
You might say - "but the others, not all are good" - yes, that's true,
but so is the rest of the world - the same is true about people who are
not hackers. If you fight us you will lose - valuable team members, with
strong skills and experience. Think about it.

And to the hacker scene: having a cool security job and still doing
greyhat stuff - this is the best thing which can happen to us. Having fun -
and getting paid for it. r0qz!

Greets to Doc Holiday, Mindmaniac, Tick, Stealth, Vax, SevenUp,
Escher and Rookie who all went corporate successfully - and these are
just some of the German guys. Ken Williams, Fyodor, L0pht, some of ADM
and many, many, many more as well. Have fun and kick ass!

Greets to my group THC (visit our 31337 HACKER QUIZ at
http://www.thc.org/quiz), TESO, ADM, LAM3RZ and L0pht.

2001, van Hauser / THC <vh@reptile.rug.ac.be>