THC-Archive/Papers/hackers_go_corporate.txt

|----------------------------- HACKERS GO CORPORATE  -------------------------|
|-----------------------------------------------------------------------------|
|------------------ van Hauser / THC <vh@reptile.rug.ac.be> ------------------|


----|  Preface

The following article has been discussed controversially in the rows of the
THC members. Some of Van Hauser's statements reflect his personal opinion
and are inconsistent with other THC members opinions. As the webmaster of
the THC site, I would like to give *YOU* the chance to judge. 

                                                              - Plasmoid



----|  Introduction

Young hackers usually dream about becoming a well-known security expert,
whose job is about executing high profile penetration tests on fortune
100 companies. Why? Cool and interesting projects, bleeding edge hard and
software to work with, new areas to learn and gain knowledge, earning money,
creating (another) high profile - this time with the real name -
most hackers dream of that - few actually achieve that.

This article is meant to change this.

It is mostly about the pitfalls a hacker has to overcome, especially when
a company doesn't like "evil" hackers for the job. Therefore a sound and
seemingly logical explanation, where he did get this security knowledge is
very important. Some people might say "hey, nice article, but it is not
really about hacking" - well, I say it is. It is about hacking coporate
minds. You want to achieve your goal - working for that fortune 10 bank as
an IT security expert, but f*ck, they don't like hackers. Hackers are evil,
criminals, they say. So you have to hack their brains to get what you want!

First, it should be clear what a "security job" is about - or being
a whitehead. The world, work and views are different. The section
"Hacker World vs. Security World" is describing this.

Then you might need additional knowledge to impress your hope-fully new
employer - also the ways for that are pretty clear, you can find some hints
at "Getting a Background".

After you know what will await you, you actually have to apply for a job.
There are some do's and some don'ts you should keep in mind for writing
your application documents and when you've got your job interview. The
sections "Truthful or not", "How to find a job", "Getting your CV right"
and "The Job Interview" will keep you on the right track.

And finally: "Things you should not do after getting the job". This might
be more important than you think.

Last thing you should keep in mind when reading this text: it is
especially meant for people who have a hard time to get employed because
the company they are interested in have got a "no-hacker" policy, or the
country they are living in are seeing hackers not as an enrichment to the
security business. If you are trying to get into a company which welcomes
hackers with open arms - which is rarely the case - this text can still be
important to you.

About me: as a former hacker and phreaker, I'm working for 7 years in the
security field now and had to struggle several times with this topic. I
also helped several friends and peers to their security jobs so far. The
contents here is my own vast ;-) experience - with input from friends and
colleagues.

Enjoy.



----|  Hacker World vs. Security World

What is the hacker's view of the world? Wardialing modems, attacking web
servers, writing exploits, driving around in the city to find vulnerable
wavelan networks, exploring bleeding edge hardware, programming a new tool
for weeks until it is perfect, meeting with hacker friends for weekend
sessions and drinking jolt - well and having a good time.
Is a security job like that? Well, of course not - but what is it actually
about?
In the security field, there are different positions.
 a) The Programmer - he deals with programming operating systems or
    applications. The job might be just that of a programmer (e.g.
    programmer for the Sun Solaris kernel), or a development of security
    components (e.g. part of the development team of Checkpoint's
    Firewall-1), or part of the security audit team of a software package
    (e.g. AIX security team from IBM in Austin/Texas).
 b) The Administrator - he is responsible for running special equipment or
    whole infrastructures. An administrator can be responsible for
    all servers of a special operating system (e.g. Windows admin), the
    network (LAN/WAN admin), applications (SAP, Oracle, Lotus Notes, etc.),
    firewalls, etc.
    The smaller the company, the broader and more general is usually the
    scope of work for an administrator.
 c) The Operator - sitting in front of a monitor (or several) all days and
    evaluating output of logs and system messages. Boring. But usually you
    get a good overall salary through additional holiday, weekend bonus
    etc. Hackers rarely do that - but it's an option.
 d) The Security Officer - he is writing the security policies and
    procedures for the company. If a security incident is happening, he
    has to decide what to do. Usually, he is also part for defining
    security and access roles for important. A very important job, but
    that of a paper tiger - and attending many boring meetings and
    eventually reviewing some audit files.
 e) The IT Auditor - an independent organ within the organization which
    ensures the adequateness of IT controls. A job where you not make many
    friends, but usually can travel around the world, if you are working
    for a big company. Most audit work is about organisational procedures
    and if they are followed, interviews and reviewing logs. However in
    some positions, you can also things like penetration tests - but also
    if that's the case, it's just a small part of the job description.
    An IT auditor usually can not build up deep knowledge, however get a
    very broad knowledge and a very good overview of the company.
 f) The Consultant - he works for a consultant company (whew!). From a
    hacker's point of view, there are 3 types: general consultant
    companies (e.g. McKinsey, KPMG, Ernst & Young), IT consultant
    companies (e.g. IBM Consulting, Accenture) or IT security companies
    (e.g. @stake, secunet, etc.). What is the difference? Well,
    specialization of the company and size of the company.
    It should be noted that most big audit companies (e.g. PWC, KPMG,
    etc.) also have got IT security auditors, which do a mix of e) and f).
 g) The "Hacker" - employed by the company to check the security of
    networks, review source code, etc. In some companies, they are hired to
    show to customers or press they employ cool people (hi to Ken William
    ;-) This job type is actually very rare ...

In some companies - especially security consultant companies who also
develop software, some people can actually be programmer and consultant.
This is the case for @stake, Razor, eEye, etc. - but of course also there
just for some special guys.

So that you have got a picture now what type of work there is to do, how
is the work done? What is the view on the work?

1) A hacker's "job" is actually very easy - viewed from a whiteheads side.
   "They try to break into some company, and if they find a hole - great, if
   not - well they try another company. They only have to find one hole,
   that's enough." Also this is exaggerated, there is much truth in it, if
   you see it as a game between "black" and "white".
   A "whitehead" has to find all holes, and close them. That's a completely
   different view - and many will say more challenging as well.
2) When you changed the side - you also have to change your work habits.
   You will normally get a description what is your scope of work - and
   that's what your job is about. You can't to just what you think would
   be fun to do. Doing a fast penetration test on your companies mail
   server? Might bring you to jail if you were not authorized. 
   Every job brings limits with them - and if you want to keep yours, you
   have to follow them.
3) Then you have to follow procedures (e.g. the company's security
   policies, working hours, dress code). In some companies these are very
   strict, in others it's very relaxed.
4) You can not just work how you want to. If you are a database
   administrator or you got a job in a security consultant company to do
   penetration tests: you must either follow a methodology how you have to
   do your work - to ensure the quality, or you have got to document
   everything you did - if someone else has to pick-up your work later, he
   knows what you did and why.
5) A security job does not mean that you can implement all security you
   want. Everything will be focused on business needs. Want to install new
   firewalls, tighten down the filter lists in the firewall, install a new
   reverse proxy for the eCommerce system? Your boss will ask you why this
   is needed, what the cost will be, and the impact. The new firewall might
   add security, but be too expensive. Or the tightened filter lists would
   make administration, content updates etc. more difficult. Or the reverse
   proxy might downgrade performance, which would frustrate customers. 
6) Ever heard about the famous "soft skills"? Yeah, you might be
   technically an expert, but within a company, you are not alone, and you
   don't act and work alone. This is why good communication skills (being
   friendly, helpful, open, respectful, truthfully etc. blabla) are very
   important. In fact you should even consider this for your private life
   anyway - it enhances your friendship with hackers (and girls as well!
   ;-) ...

So why going corporate anyway? It doesn't sound like fun. Well - it can be
fun. It depends on the company's culture and how much freedom you get.
And the work can be very rewarding from what you can learn, expand your
knowledge, environments and companies you see and working professionally
the first time in your life.

So brighten up - it can be fun and rewarding. Just remember: corporate
life is not a piece of cake and to take too easy. You'll have to adapt.



----|  Getting a Background

Now that you know what a corporate life is about, you can qualify yourself
better if you've got security background - not hacker background - already.
Helpful are e.g. Cisco configuration know-how, solaris/aix/win2k
administrator know-how, knowledge about security policies, hands-on
experience about firewall setups and server hardening, programming skills,
etc.
What skills are especially helpful for the job you would like to do?
Take a look at the job descriptions from the previous paragraph and then
imagine what kind of knowledge is needed.
Then try to acquire somehow the knowledge. E.g. buy books, read online
articles about the topics, buy some old and cheap cisco/sun/rs6000/etc.
hardware and get some experience.
www.securityfocus.com is a good starting point for finding related
articles and books, ebay.com is a good place to find hardware, etc.

However the best is to get an internship or part-time job at an ISP or
security division of a big company.



----|  Truthful or not?

There are companies out there which have got a "no hacker" policy.
There are countries where it is common thinking that hackers do "hacking"
and therefore not adequate for "security" jobs - for ethical,
philosophical or technical reasons.
If you think that a company has got a "no hacker" policy - don't tell them.
If you don't know if they have got such a policy - don't tell them either.
You can still do that later if you get the strong feeling in the interview
they think positively about hackers. Otherwise: don't.



----|  How to find a job

For some people it's easy: the job offers are made to them. For this you've
got to become famous or well-known in the security/hacker community. Good
examples for this are the l0pht team or ADM, or single individuals like
rain forrest puppy and Fyodor.
If the job doesn't come to you, you have to look for a job yourself. There
are three ways:
1) Go to security conferences (or hacker conferences) - Usenix
   Security Symposium and Blackhat Briefings are usually very good for
   this, hold a good presentation, talk to some people ... and there you
   are.
2) You search for security jobs on Internet job search engines (keywords
   like "firewall", "security" even maybe "hacker" will bring you further),
   additionally www.securityfocus.com has got the SecurityJobs mailing
   list (and archive).
3) You directly send your resume to the companies you want to work for.
   This is actually very effective. Job ads on the Internet, computer
   magazines or newspapers are expensive and usually don't bring much
   results for the companies as the market for security specialists is
   empty most of the time. So if you just send the IT security departments
   your resume - you will get at least a job interview 90% of the time.

Or if you know someone within a company, he might propose you as a new
team member :-) that would be the easiest way ...



----|  Getting your CV right

CV stands for Curriculum Vitae and means resume or application documents.
Before you start writing yours, get on the internet and read tips about
writing one.
Specifically for hackers going corporate, you should take of the following:
1) Your CV should contain no holes. If you spent 3 month burping and
   farting in your room, put in your CV:
      "January 2000 - March 2000: private software development project on
       secure web applications. I experimented with various blabla, and
       developed blablabla which enhanced security blabla ..."
   I guess you get the picture.
2) Whatever you did - high school, internship, university, part-time jobs -
   mention everything from a light what you did there in the security
   field - and a bit more ... e.g. if you administrated a webserver for an
   ISP as an part-time job, you write:
      "I was responsible for the security of the webserver, had to review
       the system and apache log files, review the source code of the CGIs,
       blablabla"
3) If you did internships, part-time jobs or security related courses at
   high school or university (even about cryptography and system
   management) try to get a internship certification, signed resume,
   whatever. Try to influence the contents so it focuses on security.
   In many companies you usually write them yourself and let them sign by
   the boss - this is the easiest way of course.



----|  The Job Interview

Show that you are ethical - give them the feeling that you would never
ever hack the company - without proper authorization by management. If
they think you are a shady character, no way they will hire you. Even if
they think positively about hackers.

Don't tell them you are a hacker, unless you really get the feeling during
the interview that this would help you!

If the company has got a "no hacker" policy, you'll have to face questions
like "Are you a hacker", "have you been a hacker before", "could you get
into the system you once administrated?", etc.  Sometimes even challenging
you like "Are you skilled enough to still get into the firewall at the
university you built up?".
If you don't want to lie (like me), you can answer them like: "What do you
mean by 'if I am a hacker', if you mean 'someone who is vandalizing web
pages' - no, never, if you mean 'someone curious about security and
paranoid enough to tighten down everything and programming until 4 o'clock
in the morning' - yes, then I'm a hacker".

If you don't want to appear like a hacker - don't dress like one. Dress
Like the company expects the proper person to be. This might be a business
suit or casual. If in doubt: business suit, especially if it's a
consultant/auditor job.

And of course the usual tips for job interviews apply here as well. Buy a
book about that or read them on the internet.



----|  Things you should not do after getting the job

Remember the following things:

Do NOT hack the company you are working for! If you are working for an
external audit or consultancy company, this includes your customers!
Do NOT hack other companies from the company you are working for or it's
customers!
NEVER tell anyone from the hacker scene about the security (or insecurity)
of your company (and customers)!
NEVER tell your company (or your customers) secrets from the hacker scene -
otherwise you'll not have got much friends anymore ...
It might not be wise to tell people in the company, that you are (or have
been) a hacker. People usually can't keep their mouths shut.
It is wise not to do any illegal things after becoming corporate - if you
are caught hacking into some systems - do you think your company will
believe that you never hacked them .... ?! So better become a greyhat, and
have fun researching and still do the same stuff like before. But either
authorized or passive watching ...



----|  Closing Remarks

Several companies which fear hackers will think after reading this -
"f*ck, we have to tighten the "new employee" process".
But I will tell you something: Too late ... we are already everywhere.
In all major consultant, audit and software development, banks and IT
security companies are former hackers. And guess what?
The world is not crumbling down in despair. Most hackers have ethics.
You might not like their ethical code, but most of them have a code of
honour, and would never hack the company they are working for.
You might say - "but the others, not all are good" - yes, that's true,
but so is the rest of the world - same is true about people who are not
hackers. If you fight us you will loose - valuable team-members, with
strong skills and experiences. Think about it.

And to the hacker scene: having a cool security job and still doing
greyhat stuff - this is the best thing which can happen to us. Having fun -
and getting paid for it. r0qz!



----|  Greets

Greets to Doc Holiday, Mindmaniac, Tick, Stealth, Vax, SevenUp,
Escher and Rookie who all went corporate successfully - and these are
just some of the German guys. Ken Williams, Fyodor, L0pht, some of ADM
and many, many, many more as well. Have fun and kick ass!

Greets to my group THC (visit our 31337 HACKER QUIZ at
http://www.thc.org/quiz), TESO, ADM, LAM3RZ and L0pht.

2001, van Hauser / THC <vh@reptile.rug.ac.be>