
Um, my name is Ross and I'm a cyber security consultant and this today is my talk on my route into cyber with a little pun there for the hackers. Um, so at a high level um essentially I started out in oil and gas and I'm now a pen tester. Um, and today the talk's just essentially just about how I went from doing that and to doing what I do now. Um, traveled quite a while to get here all the way from Scotland as you can probably tell my accent. Um, I am glad to be doing it face to face because doing it on Teams does not work. Uh, I work for a company um down in Chelham
and I can tell you that on Teams when you use the transcribe and I speak it is a disaster. So yeah, you always get a laugh when you look at the notes after afterwards and the transcribe watching me talk. So yeah, I'm happy to do it face to face. Any questions afterwards, feel free to shout out. Um glad this is working now. Um so just a quick introduction. So like I said, I started in oil and gas as a process technician. So that kind of involved um just making sure that the plant was running smoothly. Um so things like I used to jump up and down distillation columns turning valves and preventing leaks. Um and I transitioned a pen
tester a few years ago. Um so I'm now an ethical hacker cyber security consultant now specializing in web application security. So this presentation um today is predominantly the purpose of this is just it's not to be like you know look at what I've done. Um the reason for it is because I think there's a big misconception um out there about a lot of people who think that maybe you know it's maybe too much of a jump to jump into a new industry regardless of whether it's from another industry side or another industry in something completely different. Um the the point of this presentation is really to show that there's a lot of you know um overlap between soft skills from what
I was doing previously and what I do now and how the 9 years I spent in oil and gas wasn't a waste of time. Um so just a kind of a rundown from the start really. Um so I was into engineering as a youngster. Um school I you know I was right into I wanted to be a mechanical engineer. Um and I think it's kind of drilled into a young age that you know university is the way to go. Um and there is truth in that. But I've seen the uni fees and when I was looking at into it, I applied for an apprenticeship with BP was offered and I was successful. Um, and I decided to pursue that. Now there's
quite there's a there's a story that's quite funny. Um and to kind of elaborate on that a bit and it was because um when I was in high school in my final year I got um I got put forward for an art engineering scholarship through Heriot-Watt University and uh I I got the scholarship and when I was presented with it at Heriot-Watt they came up and asked oh you know what what what would you like to do and this point I'd already been uh sort of offered my BP apprenticeship and I said look I'm uh I'm I'm going to do a a process test technician apprenticeship with BP and they oh great and then when
they presented me with it they said this is Ross and he's away to do a a master's degree in mechanical engineering at Heriot-Watt University I was like so that's not good enough then clearly um so yeah that was a bit of a funny one and that was kind of set set the stage for going forward so um like I say my early career was focused on through college it was industrial systems and troubleshooting um and I led various projects through years um through ATEX tablet implementations from secure zones um through to uh basically decommissioning the plants and recommissioning uh through shutdowns. Um this kind of leads on the kind of starting of um how the soft skills
really kind of helps me and my my day-to-day life now and I'll talk about going forward. So when I was sort of working in oil and gas the company that I was working with um the ATEX-rated tablet project that I was working on uh during during a secondment with the the engineering team I was working with uh the sort of head management in order to implement um updating technologies and this was really I felt really passionate about this having been jumping up and down columns and a pair of overalls to working with tech for the first time I really loved it. I thought it was great and uh I really wanted to pursue that but funny enough I couldn't
pursue the engineering thing without a degree for it. Um so I then say well I quite fancy doing a degree looked at part time and then seen more inside I was like well why not just completely change it. Um once you sort of get into the mindset of you know you want to change things you start looking at things in a different light. So I started seeing like a lot of the the IT processes at the company that I was working for that weren't necessarily I never really looked at before and things like the processes and the way that things were done started to frustrate me a bit. Um and I think when when you when
when you sort of start um you start looking at things and you maybe start doubting yourself going well I absolutely know nothing about this. And there was one time that uh so I started studying and I phoned up the IT help desk at the work because I couldn't access I needed to issue a permit and I couldn't issue a permit because there was no internet troubleshoot and found that the DNS server hadn't been configured and I phoned them up and said listen the DNS server's not been configured and the guy in the help desk went that I was like maybe I'm not a bot after all. Um, so I think those little, you know, those little things really
reinforce like, oh, actually, you know, I kind of know a little thing. Maybe not a lot, but it kind of pushes you to sort of move forward and to really um to really believe in yourself. So, this is where when I started moving out, I thought, right, I want to make a change here, and I want to do something that I really enjoy in my life. Life's too short. Um, and I really want to to to to sort of make a difference here. So, I started building well I started looking at loads of YouTube videos. So, things like um The Cyber Mentor, John Hammond, EPSC 12-hour ethical hacking courses, TryHackMe, Hack The Box, that
kind of stuff. Um, and got really obsessed with it and started building essentially a wiki on like my own notes. And the thought process with that was me sort of even starting to go well in a couple years time if I was in the same situation how like what would benefit me? Um there's a lot of people around about me that were kind of sort of that I would lean on and ask questions and that would support me and I wanted that if if I did sort of do well in this industry that I could sort of give back. And I was thinking about that sort of the really early stages. Um so sort of fast forward um the I was
studying a part-time degree alongside um doing sort of Hack The Box labs, TryHackMe labs in my spare time. Thankfully all that paid off and I got an interview with Cyberus who I'm currently with now. Um I started in the academy program in May 2022 as a junior consultant. Spent a few months sort of solidifying knowledge that I'd already built through the labs, through my degree and stuff like that as well. Um, and then in the December I got promote or sorry, November I got promoted to consultant and started actually working on engagements and delivering jobs for clients. Um, and a couple months later I passed the CSTM, the Cyber Scheme Team Member exam um, in January 2023. So that
been about 7 months after I just started in the industry. Um, and I think this was this was a big turning point for me because when I passed that, it was kind of like I put so much effort in over the last few years that that was like the sort of rubber stamp to say, well, actually, again, you do know something. So, it's just those little things through time that sort of give you those little bumps over the imposter syndrome, which I still get every day, but you know, move. Um so since then I've started I I continue to try and develop myself um and get better at my job and different aspects um become a better
consultant become a better technical consultant and also um like client facing consultancy skills. Uh I've been promoted to senior consultant where I mentor um a couple of juniors. Um I'm on the QA panel and I'm a service line leader for Google Cloud and training and development and specialize in web application pen testing having passed the scheme team leader web application exam uh January this year exactly to the day two years after I passed my CSTM um which was pretty cool um so again so I'm just going to sort of like recap on everything so the soft skills that I've learned in my previous role I spent 9 years in it's kind of like well why
why wait 9 years to to make that transition and the soft skills are really everything and I think um Deb earlier on in the um in our presentation was a really th point about how cyber is really moving not necessarily away from technical but really sort of trying to hit home that the soft skills and everything that goes along with communication professional skills are really pertinent to what makes a good consultant these days and a cyber professional. Um so all these things like the process logic for like for example understanding how a pump was started um and the methodology that goes behind that is really similar to the methodology that I built around hacking web applications. So those things are
transferable. It's the same for like managing projects. It's the same as managing like um client engagements and stuff like that. So everything's transferable. Yes. Okay. I wasn't necessarily hacking web applications in an oil refinery. However, it's building those skills that you can sort of move into a different career and take that with you rather than just say, "Well, that's that's a write-off. That's a waste of time. I've just wasted 9 years." It's not like that at all. And it took me a few years to understand that cuz I think a lot of the imposter syndrome kicks in when you've got a lot of people that have got more technical experience than you. It's just about
trying to overcome that and say, "Well, do you know what? I can bring something to the table as well." This is true. Um, you know, I get this every day. Um, I'm getting this now because I'm sitting thinking, well, you know, what gives me a right to stand up and talk to you guys about, you know, what how how I've done it. Um, but the truth is is that I'm doing this because I want if there's a if there's a chance that someone here takes something away from this and goes, well, you know what, this is something that I can do and this is something that I can develop on and end up landing a role in cyber, that's
excellent. Um, I've I've mentored an individual over the last year or so who has just recently he started I worked beside him. Um, and he started studying for the CBTS and OCP and he's passed it 12 months later which is absolutely phenomenal. Um, and you know hearing these stories about people like you read an article that I wrote um and that I can influence that change in people's is great and and that's really what I'm here to do. Um so again I'll touch on that. So he's kind of part of a group of individuals that I mentor that um that are sort of transitioning into cyber security professionalism. Um and like I say it's just about there's a lot of people that
were around trying to support me and that I could lean on and ask for advice and ask for support. Um and I think I think it's just about me trying to give back. And that's really what I'm trying to do here. So I think looking at the future I'm just going to continue to keep doing that. uh I'd continue to improve on being a well-rounded consultant. So looking at things like um the CRTO uh different you know uh exam exams as well to become dual certified potentially uh CSTL infrastructure with more exposure to red team operations as well. So this is uh my socials. This is not this is not malware. I promise you I can
assure you. um you're probably going to be really disappointed when you look at it because it's just a picture of me with some LinkedIn profiles. Um so yeah uh the next slide is just asking any questions. So I just wanted to say thanks to um Bides for having me today. Big thanks to um PRPR and Cyers for supporting me as well. And yeah, do we have any questions at all?
me first. >> We'll go we'll go we'll go front back um on your slide about how you got into things YouTube all that sort of stuff. >> Yeah. >> Um all good things and you you mentioned jump. >> Is there anything you would say that wasn't as good as these things? Is there anything you would say ABC but this is a good question. Um, I think it depends on what stage that you're at, right? Because I think it depends on like there's loads of people that come in from, for example, a software development background who know a lot about web applications. Um, you've got people that come in and absolutely know nothing about Linux, for example, the
stage I was at. Um, you know, I've mentored people who have come in from both aspects and depending on where they come in at, you know, I've even had cyber security graduates come up and ask me questions not knowing how Kali Linux works, which is incredible. Um, and sort of I think it really depends on where where you sort of you are in your your career at that point and sort of each of those different things are going to benefit you differently. So for someone starting out I would look at you know like TryHackMe you know complete beginner pathway which introduces you to web proxies uh basics of Linux basics of Windows command line things like that.
Um you know for someone who's you know got a really good software development background it might be worth looking at more sort of understanding how their software development background web applications can be used to look at the different exploits for example secure coding to understand how to mitigate against cross-site scripting attacks SQL injection attacks that sort of thing. So um I think for like a complete beginner TryHackMe is ideal. I think once you sort of progress through that um Hack The Box labs is great. The Hack The Box Academy is great. Um and you you know looking at bots walkthroughs from like and the 12-hour Cyber Mentor ethical hacking course which teaches you basics of Python. Again like a video
demonstration the basic web proxies and how to set them up and stuff like that is really good as well. So, it just depends on your learning um style and what stage that you're at in your career. I would say does that >> you're not tempted to um try to get the industrial control systems and sort of combine the skills of >> Yes, very much so. Um but it's niche. It's very niche. Um it's something that I've looked at doing quite a lot. Uh, but you know, it's one of them that I'm trying to sort of walk before I can run. Um, it's something that I'd really like to to narrow down on. We've we've got a
couple of clients who potentially would be interested in that kind of thing. And it's just about sort of making myself available for that kind of work. Um, there are SANS courses on that, but they're, you know, upwards of 10 grand. So, you know, investment sort of thing. But, um, yeah, it definitely is answers to your question. That's something I've I've looked at quite a few times actually. >> You you did answer a lot of stuff I was going to ask anyway, but um you know, we hear a lot about the skills gap there being that gap between academic and theoretical knowledge and then all the practical stuff that you were saying. What would be the best piece of advice
if you've got someone in front of you who has got all that theoretical knowledge, they've just graduated, but they're still asking those quite basic questions about what I is. What apart from just, you know, the technical programs, that person as an individual, what would you say to them to go out and do learn? >> Um, again, a good question. Um, from a from a a content perspective, I think TryHackMe is a really good place to start. Um, I know that the Cyber Scheme do a foundational exam and I think that that's a really sort of um a good benchmark I would say to look for. Um, you don't want to aim too high and sort
of like discourage yourself I think cuz that's you know once you look at one thing and you realize how much you don't know that can be quite offputting. So I think just sort of looking at your goals realistically and understanding where you want to be and just taking it one step at a time. I think that that that's a really good um place to start. I think again I know it's not necessarily content related but you know get a mentor like you know get someone who is in the industry that that knows something that um that can really sort of that you can lean on that you can ask you know my proxy is not working. Why is
it why is it not working? And it could be something as stupid as um you know cuz you've not set the port correctly and it you know that could set you back hours and hours and hours of you know learning. Obviously it's it's different like you know you want to really try and um you know do do what you can and figure out yourself. But um yeah if you can find a mentor that's really willing to help and you can lean on and they can share their experience and and really help you along the way. I think that that's really beneficial to people starting out. Um, and it can really shape sort of the way that you want to
go forward. >> In regards to your soft skills, did you just trust that they'd come into play or did you find a way to push them forward before your technical skills caught up? Is that >> Yeah. The thing is that the technical skills was what causes imposter syndrome, right? Um and I think that you know when I landed in that role it was kind of like the imposter syndrome stem from the degree of you know I don't know this about this. Um once you sort of got that under control to a degree you can then start start trusting what you already know and start going well actually you know the questions of I'm not capable of doing this or I'm not
capable of doing that. Once you sort of overcome those goals you can start giving yourself credit for stuff that you've done in the past rather than looking at oh I've wasted all this time. Um it's just a complete mindset shift really. Um it's difficult but I think it's sort of the confidence versus imposter syndrome bars that's really sort of it takes time to overcome but it's only through time and sort of confidence in your ability that you can really sort of trust that. >> Awesome. Thank you.