I do want to address one sort of caveat for that. When you're talking about, you know, incident response. You're working for companies. Forensics investigator usually work with the government. A CZ you can kind of alluded to when he was talking about sort of a day in the life on dhe busted, you know, like a child *** sort of situation. Being a forensic investigator, especially for law enforcement, The government is not for the faint of heart.
You're gonna you're gonna see, and you're gonna interact with a lot of really, really unfortunate and terrible things.
That's that's, you know, it's law enforcement in general is gonna have that. But as president, investigator whose job is to find evidence of digital crime, you're gonna, you know, go into that with the awareness that this is not always going to be sort of a mentally easy job to do. Ah, lot of programs. A lot of, for example, the FBI
sets up rotations for their for their investigators so that they don't work
no specific subjects for too long or, you know, for a period of time that becomes too damaging.
That's something that, especially when you start to pursue that career and you're making the decision of public or private sector. One of the major considerations is gonna need to be, you know, how willing are you to handle very intense contact? Yes. And Joe had mentioned it's not just a child *** aspect. There's a lot of
things that that you may be exposed to. So, yeah, definitely prepare yourself, you know, and talk and talk to, you know, like, a lot of federal agents were willing to talk to you, you know? So if you mentioned like and kind of interested in this reach out to, like your local office of wherever you want to work, just say I'm kind of interested in this, but I'd like to talk to some of your agents that work for that
particular department. And I just want to kind of pink some things off them
s so I could prepare, prepare myself better and see if this really for me. So yeah, going with Joe said, you kind of want to make sure that it's really something you're able to commit to enable the handle from that aspect. So if you don't, if you don't find and what kind of get somewhat philosophical here against, but if you don't find that you're kind of
sort of mentally strong right now, you may want to kinda, you know, cut your teeth in private sector like incident response, stock analyst and stuff. And then from there, if you like, I really still wanna be a forensic investigator with law enforcement. Then from there, start talking to individuals working in that capacity and just kind of bounce the information off them. See that? Things
that they see. You see, What if I say half
on DSI if it's really, really something you want to do because you don't have to be committed, it's a lifestyle. It's not just a job
I know I talked for for a long time. There's what kind of lead and cut into Joe's pen testing stuff too much. I realize you were, as you were doing that, that we structured these slides poorly. You have the whole middle of the class, and I got really easy taking that in the middle of that wasn't on camera or even if I am, it's my eyes open. All right, so
on that slightly silvery note, we're gonna jump back into this. Get a little bit more upbeat.
Offensive security and pen testing. Now, this is this is the part of the course that I know a lot of people showed up for on Guy.
I don't want to disappoint you on it, but I need to tell you that
pen testing is not you. No offense of security is not the sort of hacking you see in a way. You know that sort of. Wait a minute, Joe. So you're telling me that there's no like when I started hacking my computer? There's no, like flashy lights and, like flashing neon lights or anything. Not unless you listen to a lot of Cape Man.
Yeah, yeah, it's very disappointing. And a lot of people know that intellectual. A lot of people are kind of listening. It's like, Yeah, I know it's not like what it is in the movies, but it is very not like what it looks like in the movies. The best. I mean, I often compared. I've done a lot of penthouse you working after compared offensive security to MME. Or like
if you really like crossword puzzles, it's probably a great field for you. to get into
where late looking for one piece of relevant information in a giant stack of data, trying to figure out how things fit together without all of the information or with someone being intentionally, willfully up to it. Could be It's a fun field and it can be very rewarding. And at times you do get to do kind of a really cool, you know, breaking into systems. But
the job is much more sort of
puzzling Brewer X Cube style sort of operation than it is, you know,
sneakers or black hat black hat. Personally, I'm gonna take just a second. Black hat. Upsets me because Black Hat has conditioned the public to think that hackers look like Chris Hemsworth,
don't they? Which means that when they meet me, it is a very disappointing day.
coming for you. You got a problem
anyway, back to the back. Of course. That was just a little ranch of mine offenses. Security in pen testing. So what do you actually do? What are you responsible for your? You're responsible for identifying gaps and vulnerabilities by pretending by emulating, pretending to be the bad guy
you hear often about like red teams. And that's kind of what we're talking about is the idea is that you learned the methodologies, the tools, techniques and procedures of threat actors be they every range from from nation state to script kiddie. But you learn how they operate and you learn how to use their tools. And then you emulate their behaviors against your own systems or against systems that you're hired or
tasked with. Analyzing the gold here
is to find the gaps of security gaps and vulnerabilities that threat actors would find, but in a comparatively safe way, right. If you get into the system, you're not going to dump all the client data. You're just going to write a note about it, send up a report and hopefully be able to implement some protection against that.
So you're gonna be performing security analysis against anything, depending on where you are in your career and sort of what kind of industry you are. It could be anything from small nonprofits to multinational corporations, one of the things that one of the pieces of advice I give to a lot of people, I have a lot of people kind of like, how do I get in the field? How do I become a hacker? One of the best pieces of advice I can give you
is to volunteer your time with nonprofits and help them set up secure systems were talking about, you know,
whether it's some specific charity, like whether to church, whether it's some weird sort of niche, like if you're if you really love underwater basket weaving and you want to help the underwater Basket Weavers Association of America make sure that their client data is not gonna be stolen. What's great about that is it's gonna give you the experience in a relatively low stakes environment,
and you're gonna get the chance to work with the system, which, first of all, for a nonprofit
usually is an absolute mess. Second isn't generally gonna be well documented isn't gonna follow lots of procedures. So you're going to get the opportunity to see a lot of the things you're going to see is a pen tester. And it's not sort of the trait sort of
fake lab example you're going to get. You know, we have excellent practice laps here on cyber, and we have real world emulation Sze. But there's just a certain element of realism toe working with an organization that is not trying to help you succeed and often doesn't really understand what you're doing.
That's a great you know. It's a great way to start in the field is a piece of ice and giving everybody to start small. Find somebody, find a nonprofit, find some small organization that could use your help
on. Then, when we're actually doing it. When you're performing these security analyses, you're not just going to be using technical. It's a combination of technical and social approaches. So you know, you know, you always hear about sort of the social engineers people who talk their way into the building When you're a pen tester, that's a component of your job being ableto talk smooth or being able to. If you know,
use whatever your personal social style is
to gain access to the information you want. You may not be, you know
Aaron Eckert or you may not be Will Smith. What matters is your ability to use your own personality and to make that an effective way of gaining access to a system which I think might be why hackers are depicted as looking like Chris. Chris Hemsworth. Everyone feels a little bit better saying I gave all my data. You know that. That guy
anyway, uh, really I'm stuck on that today. Yes. Yes. You're going to use a combination of technical and social approaches to try and achieve the school.
So what do you What do you need to know? What you need to be able to do? Well, we switched it up a little bit this time, instead of reporting communication, it's communication and trick you guys. Yeah, Bam messed with your head, but the point stands, you have to be able to communicate as always as we've hammered into you. If there's one thing you take away from this this entire course, that should be communication and reporting
from there. You also want to be a familiar with operating systems, network protocols, engineering the way systems are set up the way people construct networks.
You want to know about vulnerabilities that exist as well as how to develop new vulnerabilities. You want to know how to identify a potential vulnerability even if a CVI doesn't already exist for it, even if it's not already documented somewhere. If you look at a system you want to be able to say, Oh, this is what that vulnerability it looks like this is how I develop it into something substantial.
It was very important to do that. And then again, social engineering, like it talked about
whether your style is, you know, dressing up in a suit and pretending to be an executive or whether it's meeting somebody in the smoke pit just following them back in the building, which, by the way, works like 90% of the time. It's all about your own personal style, but it's about getting the information from people without resorting to technical solutions.
And, of course, because you're testing against security standards, you want to know what they are. You want to be able to help people remediated
and fix the problems that you identify.