
From IT To "I'm IN"

BSides Leeds, 22:00, 92 views, published 2024-07

Transcript [en]

So yeah, the talk is titled "From IT to 'I'm In'", which is a well-known hacker phrase, obviously. So, who am I? I'm Johnny Gil. I am a penetration tester at Bramfitt Technology Labs, so I've been doing this job now for about two and a half years. I've got a master's in distributed systems and networks, which I did by distance learning. I have the OSCP. I'm also an animal lover, a tabletop role-playing game and board game player, a musician, and a runner of silly long distances. My most recent event took me 33 and a half hours to finish. It wasn't a 5k, although there's nothing wrong with taking 33 and a half hours to do a 5k, but yes, it was a silly long way. So again, if anybody wants to talk to me about any of those things afterwards, then please do; they are things that I have a great interest in.

History growing up in my house: I'm 35 years old, so I was born in 1989, and the computer that we had in the house was my dad's Amstrad word processor, which he used to catalogue all of the things that we had taped off the telly onto VHS. Then we'd print out on a basically dot matrix printer, very noisy, but I was always enamoured by the green and black screen, and I still am to this day. I don't have one sat in the corner that I switch on every now and then or anything like that. But yeah, then we went to a Windows 95 home PC, and my main memory of that, other than it having a DVD drive (so we had DVDs in the house long before a lot of other people, but it could only play American region DVDs), my main other memory was, I think I was about eight and I had a Tomb Raider demo, and basically it would crash and then the PC would be stuck in a different screen resolution, so it was basically a quarter of the size of normal and you would have to scroll to get to the different areas of the screen. Every time it did that, my dad would reformat the PC and reinstall Windows 95. So what I did was start learning how to use the computer better than my dad did, and it's probably the first thing that I was ever aware that I had got better at than my dad. Then I started a college course where I did a National Diploma in software development, so then I got my own PC, which was Windows XP Media Center, so I had a remote control, which was all very fun. And then I bought myself a MacBook because I wanted to see what that was all about, and the most recent thing that I have for myself is a gaming PC that I put together myself.

I have a picture of the Anarchist Cookbook here because when I was in my early teens somebody at school mentioned it to me, so I downloaded a copy, a PDF probably, and I was just immediately drawn to the stuff about, like, telnet and everything like that that made it seem possible to connect to things that you weren't supposed to connect to. I didn't do anything with that at the time, but it's always just stuck in my head that there were ways to do things that you kind of weren't supposed to do. So that was probably, apart from WarGames, which was a film that my dad would put on reasonably frequently, my first bit of knowledge about the world of hacking, I guess.

So here are things I have learned. This is just to point out to people that sometimes you can be better than something says to you. So I only got a C in my IT GCSE. Admittedly, this is nearly 20 years ago now, so it was basically using Microsoft Access to create a database with a program built on top of it, and I still have a theory that my teacher lost some of my work, but that aside, I only got a C in my IT GCSE. But I then went on to get very high marks in my National Diploma in software development. I then went straight into a foundation degree in applied computing, which was kind of the follow-on, so I stayed at the college that I went to and they offered that. It was, what's the word I'm thinking of, it was given out by a university, so you ended up with an actual university foundation degree via the college. Then around that time, so this is 2009, I got made redundant from the shop that I was working at part-time, at the same time as I finished my foundation degree, so I just started looking for any full-time job and I ended up working admin in a law firm. I'll go into this stuff a little bit later, but basically I didn't do the top-up for a few years, until I actually ended up working in IT. Then I realised that if I ever applied for an IT job, everybody applying would probably have a degree. Whether or not that's correct is a different thing, but that was my idea, so I did a master's to try and set myself apart from other people's CVs, because that's kind of the first step, isn't it? Once you can talk to people, great, but you need something on your CV that will push you past, potentially, HR, who don't necessarily know unless they've been given strict terms on what's required. Having something to get you past that initial barrier is great. Then the place that I worked at the time, which was not a pentesting firm, kindly paid for me to do the OSCP, so I got that in 2019, and since working at Bramfitt I've used our training budget to a great extent. So yeah, I've now got to CREST Registered Penetration Tester, lots of certifications through Altered Security, who I really like, their sort of ethos and their courses; they're all, I think, pretty reasonably priced, and you can pick up a lot of tools and techniques from them. I also did the Zero-Point Security Red Team Ops, which was really good, and I have the SANS GMOB for mobile testing as well. So now, you know, I have some certifications and you should listen to what I'm saying. Sarcasm, probably.

So, practice list, yeah. So here's my career. I worked in admin at a law firm, then a legal secretary left, the head of a department's legal secretary, and because I had taught myself to type really fast I offered to do some of that work and then ended up getting promoted. Just as an aside, the desk that I had at home had a pull-out keyboard drawer and I never bothered pulling it out; I would just always type under there because I was lazy, so I taught myself touch typing by laziness. Applied laziness is a dangerous thing. Then I got made redundant from there and went to work admin at another law firm, and then was promoted to legal secretary again, and then the IT manager left and an IT tech got promoted to that position, so a role came up to be an IT technician, which I'd say I applied for, but that's probably a strong use of words: I mentioned that I would like it and they gave it to me. I'd proven that I was willing to work hard and put the effort in there, so hopefully they saw that and offered me that role. So I did that for a couple of years, and that's when I topped up my foundation degree to a degree, and then the IT manager left and I took his role and got to hire my own IT technician, which was nice. And then at the back end of 2021 a recruiter contacted me on LinkedIn and said that he was looking for somebody for a particular role, and I ended up chatting with him and then with the team at Bramfitt, and started there in January 2022, and it's been the best job move that I've ever done, I think. I had previously, I think at the beginning of 2020, been offered another pentesting role, but the time wasn't quite right: it was when Covid was starting to kick in and I was kind of thinking about needing to, you know, I'd have to get a train for it and that kind of thing, and it kind of didn't feel like the right time to take that, as much as I was very excited at the prospect. So yeah, that's something for people to think about if they are looking at changing role.

So, my current role. When I started I did a lot of web applications and APIs. For anybody who isn't a pentester and is looking to get into pentesting, it's a lot of fun, but sometimes you will get an API test with three GET requests that each have one item in them, and you do sometimes get this kind of tick-box exercise from companies where they just need to say it's been pentested, and really there's probably nothing to be found there, especially if it's something that's just been added to or something like that. But still chuck everything at it and hope that you do find something; sometimes something weird will crop up. But yeah, you do sometimes get those, and it doesn't always help with the imposter syndrome, which is rife in this industry, I think. I know that I constantly have imposter syndrome. But yeah, web applications and APIs: I found some fun things through there, server-side request forgery, lots of cross-site scripting still in this day and age. So yeah, that's fun. And then, as I said, I have been working on mobile applications, so Android and iOS; they're a lot of fun. If anybody wants a recommendation for a cheap course to learn Android app hacking, the Android black belt course on Udemy is very good; I learned a lot through there, and the guy who runs it is great and always responds to queries on the Udemy forum as well, which is good, and it's not super expensive, especially if you can get it on a sale. Infrastructure testing: before about six months ago I hadn't done loads of infrastructure testing, just because of the type of work that we were getting in, but I did manage to get a couple of tests in. I didn't manage to get that domain admin that everybody wants on those couple of tests, unfortunately, but still a lot of good findings: typically, as people might expect, people leaving passwords in files on open shares and that kind of thing that can really cause you some trouble. Some cloud testing, so Azure and AWS.

And then for the last six months I've been doing a lot of purple teaming. So for anybody who doesn't know, because I don't know what everybody's background is who's listening, you've got red and blue team, which I think is taken from the US Army, so red is sort of attack and blue is defence. So blue is your security operations centre etc., and then red is kind of your offensive security people, pentesters, so then purple teaming is bringing those two things together. So in a company that we do work for there's somebody who's kind of the blue side and I do the red side stuff, and we have a joint console called Vector where I can put in what I'm doing, and then the other guy can look through the logs, see if stuff's picked up, see if stuff's alerted, make a note on whether rules need to be changed, etc. And as a result of us doing that for the last six months, as well as the vulnerabilities that I've found that have been remediated, you get a lot of new rules being added to the monitoring and alerting software, and I kind of think it's the future for an organisation that's reached the level of maturity where they have that stuff set up and want to improve on it. I've really found that it seems to me like it's very beneficial for the company to add that stuff in. So yeah, that's the kind of stuff that I do. I know some people, or some sort of bigger pentesting companies, might have people who are a dedicated web app or infrastructure person, but we tend to do a bit of everything. There are people who are better at some stuff than others, and everybody's always willing to bounce ideas off each other, so if I ever spot something that I don't necessarily know how to do but I think there might be something there, there's a guy that I'll check with for kind of each option. So that's good.

Okay, future things that I will be doing. I'm currently working my way through the Offensive Security Experienced Penetration Tester course. It is much harder than the OSCP, well, the beginning of it at least, because it teaches you C code and doing stuff like that, and working with low-level Windows APIs. But I'm hoping that's the first step on the OSCE3. Our company's currently working on CHECK, so I'm hoping to be a CHECK Team Member soon and eventually look at being a CHECK Team Leader. Also, with doing the purple teaming stuff and looking at more kind of bypasses and that kind of thing, I'm hoping to create some custom tooling that we can use and bring some more value to the clients by maybe being able to get them to use more behavioural analysis and that kind of thing rather than just looking at file hashes or whatever, that sort of difference. And hopefully get better at everything that I do.

So for my final tips and takeaways: keep learning and do things for yourself, so whether that's setting up a home lab, or, if you're not in a pentesting role, then looking at doing things like PentesterLab or Hack The Box, or if you can afford to get any certifications yourself then that's great, just to get your foot in the door. Like I said earlier about me thinking that I needed to get the master's to get myself just past the HR shield, anything that you can put on your CV that shows that you have a good sort of passion and interest in the field, and anything that you think can set you apart from somebody else on that CV before you get the chance to speak to somebody. Also, if you are in the role, or if you have somebody that you can speak to about it, seek feedback. So I try and seek feedback at work whenever I can. It's difficult because it sometimes feels like you're maybe looking for praise, but that's not necessarily what it is. If I haven't been doing something well, or if I can do something better, then I want to be told that so that I can improve on it. Again, especially if you're not in a role, explore different areas. See what you're good at, what interests you and what you enjoy. Maybe you know that you want to be in cyber security but aren't sure which bit you want to be in. I feel like, at least for me, pentesting was very much the thing that I wanted to do. I do think that maybe it can kind of look cool and flashy, and maybe people think that they want to get into it and won't necessarily, but there's so many different areas in cyber security that it's good to look at a bunch of different things and see which things you enjoy the most. Make a note of any new discoveries or techniques that you find, whether it's in a OneNote for yourself or whether you set up a blog or a GitHub. Again, going back to the CV thing, if you can point to a blog or a GitHub where you've written down things that you found and that kind of thing. I started writing stuff on a blog and that's on my CV. I don't know whether anybody that I've applied to a job for has ever looked at it, but it's there, and at least I know that I've done that work to try and set myself apart a little bit. Practise soft skills like communication. As an idea, solve a box on Hack The Box and write a report on it as if it was to a customer. Obviously this is if you're not in the role, but I know that with things like the OSCP and the Altered Security courses you have to write a report, but if you can't afford to do one of those certifications then there are options for you to get that practice in. If you want to write a report for a Hack The Box box, I'm happy for you to send it to me and for me to have a look at it. I'm not going to claim that I'm 100% the best report writer in the world, but I think I could have a look at a report and give you some pointers if that's useful. Similarly, post it to the blog or GitHub. Use LinkedIn: like I said, I got my job through LinkedIn, so I know that some people struggle with it or whatever, but if you're writing those blogs or have that GitHub and you post them to LinkedIn, it might catch somebody's attention and might get you through the door. And my final thing is remember the Dunning-Kruger effect when dealing with imposter syndrome. Like I said, I do have a bit of imposter syndrome, but imposter syndrome tends to come when you know enough to know that you don't know everything, and that is the point where you can grow. If you think you know everything you won't have imposter syndrome. So yeah, that's probably one of my main takeaways: if you are in a cyber security role, if you know that you don't know stuff, that's good, especially if you're willing to put the effort in to try to know that thing in the future. A final thing, which I haven't put on these bullet points, is if you want to get into, you know, pentesting for example, and you aren't there yet, then as well as this stuff, think about the other things that you enjoy doing and think about if you can spin those things to sort of point you in a direction of where you might want to go, or things that could be beneficial to an employer. So for example, like I said, I enjoy running silly long distances, but that means that I can take a 24-hour exam and know that I have the ability to push on through when I'm tired and still be able to do a decent job at that. So that kind of thing, those parallels between other things that you do or enjoy doing and where you want to end up. And I think that is everything. Thank you everybody for listening. I hope that everybody got something from that.