Thinking about a career in Cyber Security

Author: Crescent Consulting

Categorised as: IT, Job profile

Here at Crescent Consulting, we are passionate about helping individuals start or progress their career in tech. Often we hear from candidates who are seeking direction on how to break into a specific field, interested in knowing what key skills they will need, and where they can train and develop these skills.

The Cyber Security industry has seen significant growth in the last decade, with many different avenues for someone in the industry to take. People in cyber security tend to have a variety of different backgrounds, with the common factor being a passion for learning and, for penetration testing, a love of puzzle solving. A good penetration tester should be competent with their chosen technologies, be able to provide great reports, and have the people skills to communicate with clients in a manner they understand.

We recently interviewed Karl Barrett & Glenn Sparrow, two of the three co-founders of Pākiki Security, an IT Security company with over 25 years of experience in Cyber Security split across its 3 founders.

Pākiki Security love to sit down with people who are thinking about getting into different areas of IT Security. Thank you both, Glenn and Karl, for taking the time to sit down with us and have a chat. You can see them at CHCon, a local hacker conference, in November.

How did you get into Cyber security and where are you now?

Karl studied electrical engineering and went straight from university into a career focusing on software development. There were software elements in his study that he enjoyed, so it made sense for him. Karl has always liked to break things and began to participate in cyber security activities outside of his job. It wasn’t uncommon for him to be competing in wargames, capture the flag, or bug bounties, so when the opportunity arose he made the switch to penetration testing and hasn’t looked back.

Glenn left high school early as he was not sure what he wanted to focus on. During his career he has worked at several notable IT companies helping them with customer management. Around 6 years ago he began working in cyber security and the constant learning has helped him realise his passion for improving the security of New Zealand.

At Pākiki Security, Karl and Glenn wear many different hats because the company is newly created. On a normal day they find themselves liaising with clients to understand the requirements of the work and then sorting access into the client environment so that they do not damage any fragile networks. Karl would then do his best to hack into the environment, followed by writing a detailed report on any of his findings and the severity of impact these may have on the client.

What excites you most about the work?

Glenn is most excited when they conduct a follow-up check on a client and it is clear the client took the advice on board and has a more secure system.

Karl, however, loves to solve a puzzle and approach a problem from an angle that the client may not have considered. The thrill of breaking systems legally is what keeps Karl passionate about his work.

What’s the best project you’ve worked on and why?

Due to the industry they work in, and out of respect for their clients, they could not name any specific projects. However, there are many that they have enjoyed. The best projects are those where they are able to find a unique security issue and see that the client fixes it upon review.

How do you help clients understand the importance of the report you have provided them?

The reports that Karl generates after finding security issues for a client are factual and focus on the issues found. Each report details what was found and how to replicate the issue, and then categorises the level of severity that this system being compromised could have for the client. If the client reviews the report and decides not to act on a known security issue, this is their business decision.

What have your biggest roadblocks been?

In Karl’s career the only notable roadblock he had was needing to relocate to the North Island for work at one stage. Last year when Glenn and Karl were looking for their next opportunity they wanted to work for a company like Pākiki, a boutique security firm in the South Island, but couldn’t find one. This was the motivation to start Pākiki.

What advice would you give to someone trying to get into the Cyber Security space?

  1. Stay on the right side of the law. Never be tempted to play around with Cyber Security practices outside of approved clients or cyber ranges.
  2. Know the fundamentals of both sides. Understand how attackers may try to exploit a weakness so you can check for this potential weakness yourself.
  3. Know your wheelhouse. There are many different avenues you can go down in Cyber Security, and if you try to master all of them you will stretch yourself too thin. If you are passionate and want to learn everything in the field, you can work yourself into a generalist position; you will just have to refer specialist work to the correct people in the field.

What do you love most about living here in Christchurch?

Being able to ski, surf, go ice-skating and much more, all in the same day, is something not many cities can offer. Christchurch also punches well above its weight in terms of IT companies, with many huge success stories originating from Christchurch. The community here is great and supportive.

What books/training/websites would you recommend for anyone aspiring to work in Cyber Security?

Books:
* The Web Application Hacker’s Handbook
* The Hacker Playbook

Websites:
* https://owasp.org/ – provides resources, tools, and community support to improve the security of software and protect against web application vulnerabilities.
* https://book.hacktricks.xyz/ – a comprehensive repository offering guides and techniques for penetration testing, ethical hacking, and cybersecurity.

Training:
Wargames / Capture the Flag
* https://overthewire.org/wargames/
* https://portswigger.net/web-security
* https://github.com/Sharishth/ctf-practice
* https://ctftime.org/

Paid platforms with free content
* https://pentesterlab.com/
* https://www.hackthebox.com/

Stay tuned for next month’s blog on another discipline within the tech arena!