BSides LV 2022 - Wednesday - Proving Ground

BSides Las Vegas · 4:28:41 · 359 views · Published 2022-08

About this talk
PG 101: The other kind of forensics for hackers. This year, Proving Ground is trying something different. Instead of our normal 4-month program, we're going to run a two-day workshop to focus specifically on public speaking in the professional sphere. Accepted applicants will come to BSLV and spend day 1 working with a small team of mentors to build a 10-minute presentation based on one of these scenarios: presenting the results of a penetration test or security audit to a customer; assembling a technical presentation for consumption by an audience of one's peers; or an internal engineering "pitch" (requesting funding or resources for an internal project). On day two, they'll present their prepared talks to an audience, in a style similar to high school forensics. Just like the normal Proving Ground experience, we're limiting applications to those who haven't spoken at a major international hacker conference.

Transcript [en]

All right, good morning everybody, and welcome to the Las Vegas BSides Proving Ground track. A few announcements before we get started. I'd like to take an opportunity first to thank our sponsors: first of all our diamond sponsors, LastPass and Palo Alto, as well as our gold sponsors, Intel, Invisium and BlueCat. Without their support and the support of all the volunteers and sponsors and other donors we wouldn't be able to have these amazing talks, come see all these amazing people, and get together like this and have this awesome conference, so a huge thank you to all those people. A reminder right now: if you have a cell phone, please take it out from wherever it is and put it on silent. This is out of respect for the speaker, and also we will be recording this, so we don't want to get any of those cell phone sounds on the recording. In addition to recording, this will be live streamed. A quick reminder, our photography policy is that you should not be taking any photographs unless you have the consent of everybody in the room. That includes slides, unless the speaker specifically says that that's okay. Questions: if you don't mind, hold your questions until the end. I will come around with the microphone so that you can speak into the microphone; that way we can get your question on the stream and on the recording. And then lastly, we are requiring masks. If you need to take it off to have a sip of a drink or eat something real quick, that's fine, but otherwise please keep your masks on at all times. And so without further ado, I'd like to introduce Mike Lisi and his presentation on how to succeed as a freelance pen tester.

[Applause]

Good morning, how's everybody doing? Thanks for coming. It's a really good turnout; I'm pleasantly surprised. I'm here to talk today about freelance pen testing. A quick note about me: Mike Lisi, @mikehacksthings on Twitter. I do penetration testing. I have a couple of certifications: OSCP, GWAPT, CEH. I am the founder of Maltek Solutions, which is the company that I established for my freelance pen testing. I also work as the CTF design lead for the NCAE Cyber Games, which is a collegiate cybersecurity competition, and I am the co-organizer of a security meetup group called IthacaSec, in upstate New York.

So, a quick note before we begin: I'm going to be covering a lot of different aspects of creating the business and talking about freelance pen testing, but it's important to know I'm not a lawyer. This isn't legal advice, this isn't financial advice. You're responsible to do your own due diligence and understand what works for you in your individual circumstances. So just take that into mind as we move forward.

So if you're interested in pursuing the freelance work, there's a few important questions that you need to answer, and these are to make sure that you're ready to jump into freelancing. First off: why do you want to do it? Why do you want to become a freelance pen tester? Your answer is going to be unique to yourself. For me, I had the opportunity to work on the NCAE Cyber Games, but I was a full-time consultant at the same time, and there wasn't enough time for me to do the full-time job, the part-time job for the education, and then still have time for family, friends, hobbies, things like that. So freelancing was an opportunity for me to pursue all those things while making it on my terms. But for you, I mean, there's obvious benefits if you're interested in freelancing. Some of those benefits are: you get to decide when you work, how much you work, who you're working for, what you're doing. Big benefits. But there's downsides to consider too. You're going to have to make sure that you can get through the times when there's not enough work available; how are you going to handle those situations? You may be working with clients that you don't necessarily like or get along with, but they provide a lot of work, things like that. You have to be ready for those things. And you have to find the work; it's not going to be provided to you. Unlike with a regular job, where you have tasking that gets presented to you, that's not the case with freelancing. You've got to do a lot of work to get that work.

So if you've decided, okay, that's all fine, I still want to do it, let's talk about preparation. If you have experience as a pen tester, you probably have an idea of what your strengths are: what kind of tests you can do, what kind of work you can do. So identify those; make sure that you've established what you're able to offer. Are you an app tester? Do you work in cloud environments? Do you like breaking medical devices? This helps you establish your client base, who you're going to go after to get some of that work. For me, I mainly do web app pen testing and external pen testing; there's a lot of work available in those areas. So depending on where your expertise is, you have to identify how much work there is to pursue. Outside of the specific technical strengths, there's a lot of soft-skill type things that you need to be aware of too. Are you able to talk to clients? Can you establish relationships? Can you define how to approach testing, how to get all the documentation in place? Do you know what your clients need? Can you identify those by having discussions with the client? What are their goals, what are their concerns? Are they worried about user data breaches? Are they worried about PII, health information, credit cards? All these are very specific to the customer, and you need to have an understanding of what those are when you approach them to get work.

On the non-technical side: are you ready? Are you financially prepared? How long can you go until the invoices start rolling in? You may not have work day one when you start on this path; you have to be prepared for that. Work isn't consistent. Especially in the pen testing world, there's going to be ebbs and flows, when there's a lot of work and when there's not a lot. How are you going to approach things like benefits, retirement, time off? All these things that are established and coordinated with a typical job, when you're freelancing it's all falling back on you. There's legal aspects to consider too: a lot of contracts, a lot of legal documentation, agreements, things like that with the clients. You have to be ready to approach those situations and to be able to handle them. Initially I didn't know what I needed to do in this regard. I went to my employer and I basically said, hey, I have this other opportunity, I kind of want to pursue it, I can't do both, can I be a contractor? And my manager at the time said, oh sure, what's your rate, what are your terms, how long are we establishing this relationship for, what are we doing? And I was a complete blank. No idea what I had to do. But thankfully they were able to help me identify these things and get everything established, and I learned a lot in that process. So it's one of these things that you need to make sure that you can do when you're setting up these relationships.

So the last thing you've got to consider is how you're going to find the work, right? The work doesn't just come to you; you have to go after it. As a pen tester, there's times when there's not consistent work. This is a graph of my workload throughout the year: Q1 and Q4, tons of work available; Q2 gets a little bare, and I've got to make some changes in order to keep going; then things start ramping up again. So you've got to take that into account with your budgeting: how are you going to get through that Q2 slump to make it successful? And the other thing to keep in mind is that when you're a freelancer you're taking on all these other roles and responsibilities that are typically handled by other people in an organization. You have HR, you have legal, sales, marketing; in freelancing, that all becomes you. So outside the technical knowledge that you need to know, you need to start getting acquainted with these other concepts.

But okay, you want to do this, none of that stuff scares you, that's fine, you're ready to learn all that, or you know it already, great, you're ready for the change. So what do you do next? You've got to get set. I'm going to go over a few things here that are basically required, but they take time, they take effort, they take money. But they're all required to get started. You've heard the saying there's no such thing as a free lunch; that's how it is in business. All these things cost money, but they're really necessary, and you'll understand why.

So first up, you want to create a company. Not a DBA, "doing business as"; that's just basically saying, hey, I can do this work. You want to have a legal entity, something like an LLC or an S corp. Why? CYA. You know what that is: cover your ass, right? Having a company protects you as an individual. It gives the company the legal responsibility for the work that you're doing. So if during a penetration test something catastrophic happens, you take down a whole data center, the client's pissed, they're going to sue you. If you don't have a legal company in place, then you are personally liable for that stuff. So if you have a house, if you have other assets, all those are on the line. You don't want to take that risk if you want to go into the freelance world, so creating a company helps protect you in that regard. A company does some other things too. It legitimizes what you're doing, right? If you're just saying, hey, I'm a pen tester, okay, that's great. But now you say, hey, I'm a pen tester, I have a company set up, all this other stuff; the companies, the clients that you go after, they're going to be like, okay, yeah, I get it, you've gone through the legwork of establishing a company and everything, so I'm more willing to work with you on that. Doing so really varies by where you establish the company. Different states have different requirements; there's paperwork involved, there's renewal fees. The research that I've done has ranges between like 120 bucks and a thousand dollars to establish the company and maintain it year to year. So depending on where you're looking to establish it, there's going to be a cost associated with it.

Next, you want to get business insurance. Some companies won't even work with you if you're not insured, right? They want to make sure that they're covered too. If your company isn't worth anything and you screw up and they sue you, having insurance means that they have some comfort in knowing that if something goes wrong they'll be compensated in some way. So it's on you to make sure that you have the insurance established. The other thing that does is it has extra protections in place where contracts don't cover. So you're going to have legal contracts that absolve you of different things and dictate the terms, but in areas where there isn't coverage on that, insurance really helps. So it's basically layered protection, right? We talk about defense in depth in infosec; this is like protection in depth. You have the company, that's one way of covering yourself; business insurance is another way. The types of policies to look into: you're looking at commercial general liability. It's protecting you against bodily injury, property damage, libel, advertising mistakes, things like that. Policies on that, you're looking into like one to two million dollars worth of coverage. It's relatively cheap, though; it's about 350 bucks a year. The next one, probably one of the most important ones, is errors and omissions. Again you're looking at one to two million dollars worth of coverage, maybe more depending on the clients, about 750 a year. But what that one does is, if a client claims that you were negligent in some way or your work was inadequate, then this insurance policy helps cover that. So in the pen testing world: you missed a zero-day, something got released after you did a test, the client got breached, now they come after you because you didn't find it, right? The insurance policy helps cover in those situations. Finally you have professional liability; again, a million dollars, two million dollars. That covers against misrepresentations, inaccurate advice, things like that. There's a lot of things that get covered on the insurance side. So one way to approach this is looking into insurance agents, right? I use Hiscox; that's a really big player in that. They know the type of insurance that is ideal for these types of things. Other agencies may be beneficial to look into too.

You need a lawyer. Specifically, you want a lawyer that understands business and contract law, somebody that understands penetration testing and all the legal aspects and requirements associated with that. You want a lawyer that works for you, right? They're going to watch out for your best interests. So why? We're CYA, right? There's kind of a theme going here. They're going to be able to review all the legal documents that you're getting established when you're setting up a relationship with a business. Everything's done over these legal contracts: MSAs, scopes of work, NDAs, all these things, all this legal verbiage in there. Your lawyer will review that to make sure that you're being represented correctly and in your best interests, and it helps to make sure that both sides are in agreement as to how to move forward. So I've had agreements in place that were provided to me from clients, and they had provisions of things like, hey, any tools, any scripts, anything that you create while you're doing any work for us belongs to us, we get a royalty-free license forever. And I was like, no. You can have ownership over the reports, anything like that, that makes sense, but anything that I create is mine. So my lawyer caught that in the contract review, they amended it, and the company was totally fine with it too. They said, yeah, that's not really what we were going for, but their lawyer put it in. So having a lawyer on your side is really beneficial. But the cost of the lawyer can vary. I mentioned before creating the company; there's lawyers that will set that up for you. I had my lawyer create my company and everything for me; they handled all the paperwork, all the documentation for it. So there's fees associated with that, maybe a few thousand dollars. And then you have an ongoing retainer with your lawyer. Basically you give them a pot of money, and any time you need their services they withdraw from that pool to work for you, and then, whatever the agreement that you have with them, you refresh that as needed. So a lawyer's a big help. It saves you a lot of time and a lot of money on understanding all the legal implications that you're agreeing to when you're looking to do freelance testing.

You also want an accountant. Not a tax guy, not somebody that'll just file your taxes for you; somebody that really understands all the tax laws, because they're insanely complicated, right? So when you're working for a company and you're a full-time employee, there's things like payroll taxes, right? You pay half of them as the employee, the employer pays half. When you go into freelancing, you're responsible for that total amount. So there's extra taxes that you end up having to account for, and a CPA really helps you with that. You're going to have payments that you have to make, right? You're getting paid directly from the client; there's no withholdings. So every quarter you're going to have to make payments based on the income, and your CPA will help you define what that needs to be. There's benefits to take advantage of too. When you're self-employed there's a lot of write-offs, things like the equipment that you use, the software you use, if you have cloud hosting, mileage for meeting with clients. All those things can be taken into consideration, and the CPA helps you identify those things and make sure they're accounted for, so that you know what you can claim and what you can't claim, making sure you're playing by the rules, because at the end of the day the government wants their cut, they don't care. Having somebody that actually understands it is the best way to go. And they're relatively cheap. Mine is about 500 a year for all the services they provide, for my personal taxes, my business taxes, my wife's taxes. It's really not a huge expense and it's a huge burden to be absolved of.

So, summarizing that, there's a couple of things here. We have the business creation, a hundred to a thousand bucks; the legal side, one to five thousand dollars; accounting; insurance. All your startup fees, essentially, for the freelancing could be in the area of five to ten thousand, depending on your unique situation.

Okay, so we talked about why you want to do it, and got some things established on how to get ready for it. The last thing before you take the leap is work, right? How do you get the work, where do you get the customers? As a pen tester, one of the best ways to go about it is subcontracting, right? A lot of consultancies have ebbs and flows in the work that they have available or that they need to get done, similar to the chart I showed before, that Q4 craziness in work. A lot of companies face that, so they typically don't always have enough work to hire a full-time person, so they'll subcontract it out. Basically, the nice part about this is you don't have to go find clients to do the work; the companies already have it ready, they