The dangers of Pen Testing for the pen tester's mental health

10/21/2021

Maybe it was just me, but when I first started pen testing, I thought my goal was to do cool hacks and show the client how awesome I could be. Seriously, I couldn't be the only one who thought this. It could just be that we work so hard and learn so many things that we believe our job is to show off our skills.

To some degree, that's true. But I think that problems arise when we hold on to that belief too rigidly. When we hit a lull in our career, fail to compromise multiple clients in a row, or feel that we aren't growing fast enough compared to our peers, it can lead to many negative emotions: imposter syndrome, depression, feeling like a failure.

Based on LinkedIn and Twitter posts, burnout and imposter syndrome are spreading amongst practitioners of all skill levels with no signs of slowing down. Some of my favorite influencers are working to shed light on these problems, such as STÖK (@stokfredrik), who often mentions mental health.

This post is really a mix of mental health awareness and understanding your true purpose as a pen tester. If you think your job is to be an elite hacker every time, you are wrong. And you could be harming yourself over time by maintaining this belief.

For example, let’s take a look at a typical pen test. You are given five days to break into a network with millions of dollars for a budget, defenders watching your every move, and rules of engagement that restrict the types of attacks you can do. The odds are stacked against you every time you get up to bat in the game called infosec.

Now compared to the real adversaries who have all the time in the world and no rules of engagement, your job seems nigh impossible. Good. It should.

As a pen tester, your job is to look for impactful issues given constraints on time, the consultant's skills, and the scope of work. These are the three significant things to remember: time, skills and scope. We are extremely limited in all three of these resources.

You may only have forty hours to test an environment with thousands of computers. Or forty hours to test a handful of devices that are fully patched with no services running. Depending on the engagement, time can make all the difference or none at all.

In terms of skills, a pen test is meant to test an environment against currently known adversarial techniques from a perspective chosen by the client and using the skillset of the assigned consultant. Yes, you are a part of that equation.

Although we use computers well, we are not computers ourselves. There is no way to know every attack ever created. And an environment may not lend itself to the skills we do know. This is the cold hard reality. Mature businesses know this as well. One of their requirements is to use a different pen tester every year to take advantage of practitioners’ varying skills.

Some businesses even design the scope of the pen test so that the consultant finds minimal issues. When jobs are on the line, people will do anything to save their own skin. For example, I had one client who placed my testing appliance on an isolated network. All internet-facing systems were out of scope, and phishing was off-limits. What could I do? Nothing. I confirmed that I shouldn’t see anything and produced a report with minimal information.

My point is that, as ethical hackers, we are at a disadvantage, contrary to what the blue team says. Pen testing is hard, and it is especially difficult for junior-level roles with less developed skills. I just wanted to bring awareness to the issue we all face and let people know they aren't alone.

Take vacation days. Find a hobby outside of computers. Stay positive and keep growing. Infosec is a marathon, not a sprint.

-Happy Hacking
Silverbits