Introduction to Technology and Hacking
As we're diving deeper into this fascinating well of technology, it is very possible for us to be naive and forget about the security risks that we might face. The deeper we go, the darker it gets. With this, the need for securing the web grows.
Because it is kinda impossible to certify anything as 100% secure (unless the system is turned off, of course), there will always be some security risks, and that's why large companies nowadays have their own set of hackers, i.e., a Red Team. These guys run a long-term attack on their own company, trying not to be detected by the Blue Team, which is responsible for the defense. Other security-concerned companies hire penetration testers to find out their vulnerabilities. And the rest, you ask? Well, they just get hacked.
Every new product, every new piece of code written under pressure to meet the deadline becomes, when pushed to production, a lip-biting attack vector for an attacker, mainly because it is not tested and is very likely to be vulnerable. As we go on with technology, the most powerful people, I believe, will be hackers. As we cannot control how people use this invaluable skill, with this great power comes great responsibility. This is why we need more people here in this field. And maybe this article will encourage you to join in on the battle.
The Hacker Mentality
Having been a developer before jumping into this crazy and intimidating field of cybersecurity, I can confirm that the two viewpoints are completely different. As a developer, you'd assume that users interact with your application only in a certain way such that it helps them carry out their tasks. However, as an attacker, you see every input as a potential gateway. The main takeaway from this is that anything the user controls cannot be trusted. Your thought process should be like: "What could be a potential vulnerability?", "How can I trick this app into doing something that it isn't supposed to do?", "Is there a flaw in their entire business logic?". To some, this comes naturally, while for others it can take some time.
Can I be a hacker as well?
Yes, I do believe that anyone can. It's gonna take some time, and it is not easy.
Hacking is basically breaking an app so that it functions in a way that it is not intended to. Now, to be able to break stuff, you need to know how it's made and how it works. By that, I don't mean that you need to be an absolute master of it, but you can't know nothing about a system and try to hack it.
Where can I start?
Now, this is a tough question to answer. This field of cybersecurity is so huge that it's difficult to point out an exact starting point. You'd need a different approach for, say, network and systems pen tests than for web application hacking. However, the path that I'd recommend is the one that I've taken.
Start as a developer. Learn to code and how your code interacts with the system. Then you can move on to learning about networks. You don't need to know everything, but here are a few good-to-knows: different HTTP methods, different protocols, understanding of IP addresses and subnets, knowing how browsers interact with systems, the TCP three-way handshake and similar basic stuff. By this time you'll probably already have a basic knowledge of Linux and its terminal. Now, learn how sysadmins think. Try configuring a simple Apache web server and deploying your website. If you don't already know, learn about the Linux file system and a few basic commands. By now, your base should be pretty strong to jump into this field. Even with all this prior knowledge, there's a fair chance that you'll find this field to be very intimidating and feel like giving up. Now that's normal, but your drive should be strong enough to persist through it.
Now it's time: start studying a few books. There are a lot of really amazing books out there to guide you.
For web application hacking:
Web Hacking 101 - Peter Yaworski
The Web Application Hacker's Handbook, 2nd Edition - Dafydd Stuttard and Marcus Pinto
Also, check out PortSwigger's Web Security Academy and Bugcrowd University.
For system and network pen tests:
Stealing the Network - Ryan Russell, Timothy Mullen, Johnny Long
Red Team Field Manual - Ben Clark
And, if you can afford it, try the Offensive Security Certified Professional course - Penetration Testing with Kali (PWK).
Now to test out your skills, here are some playgrounds:
There are many more, but these are the ones that I prefer.
Don't be a "script-kiddie"
By this, what I mean is, don't just always rely on the scripts that are prewritten by somebody else. Try to understand what the script is doing so that you learn something. Using Metasploit is okay, and I do believe in not reinventing the wheel; however, it's important to know what's happening and not be limited to scripts. While you're trying a Box in HackTheBox, it's more about the journey to the root flag and not just about achieving it. Try and keep a note of everything you did, so that sometime in the future you can look back at it.
Why do I hack?
For me, hacking is a getaway from my regular life. It's what I enjoy doing when I'm free. The fascinating thing about it is the intellectual challenge that it presents. Every box, every target is different in a way and you need to mold your knowledge in a way that fits the situation. You always walk away with something new. And the adrenaline rush when you're finally in is something that I live for.
Infosec in the context of Nepal
In the context of Nepal, I think that most of the companies here are pretty ignorant about their cybersecurity. The focus mainly lies on the development of the product and then gathering consumers so that you earn from it. Also, legally, I think that we are pretty weak here. Come to think of it, with fast internet along with not-so-strong legal cybersecurity departments and ignorant companies, Nepal seems almost like a dream destination for potential Black Hat hackers. If we do not strengthen our cyber strength now, we might be up for a devastating hack. Up until now, in most government offices, we're still using pen and paper to take records. As soon as we complete our transition over to digital resources, if the security remains weak, we might be up for a surprise.
This is why, within a decade or two, or even sooner, we might see a spike in the need for security researchers.
Is AI the end of Hackers?
I don't think so. You can only do so much with automated testing. There will always be something that requires a little bit of out-of-the-box thought, that human element. Also, AIs are created by humans. If humans create them, there could be a bug in them as well. And this is a real possibility: looking back at almost everything that humans have coded, there have always been security flaws. It will indeed be difficult to find Low Hanging Bugs like XSS, but I believe finding business logic errors will still be a task for humans.
Let's Talk Money
Now let's talk about money. The attraction for most people. There's a lot of money in this field but, if you're not passionate about the field, you might get burned out and lose enthusiasm. But if you persist, it's kinda like the dream job.
So, if you sign up for a job in someone else's company, in countries like the United States, you will be making over $100k per year within a year or two. And, trust me, this is the low end of the spectrum. In Fortune 500 companies with Red Teams, if you get into one, you'll have a lot of advantages. From work from home to the organization paying for your training and certifications, to potentially making half a million dollars every year. In Red Teams, you will mostly be studying, learning more and more every day, and then your main goal will usually be to exploit the internal network. You will be working with things like Active Directory a lot.
Or, you could join a cybersecurity firm or do it individually. This way, you talk to your client, organize an attack plan and then execute it in the organization, mostly without letting their employees know. Here, if you're doing it alone, you could charge as much as you want, provided that the client is up for it. So basically, the more pen tests that you can do, the more you make. Here as well, expect no less than 6-figure payments.
Bug bounties are another hot topic today. Basically, you follow a given set of rules laid out by a program, and then test the applications that they have listed in scope and submit them. They will pay you according to the severity of the bug. Now, there's a lot of money in bug bounties. A lot, lot. Santiago Lopez, a 19-year-old from Buenos Aires, is the youngest millionaire from HackerOne. He found his first bug when he was 16 and was paid only $50, but hey, look at him now. And he's not the only one; there are many more to look up to. These pro hackers only work for a few hours every week and make it rain.
If you're still not satisfied with it, there are many more ways with which you can make money with this skill. You could write a book, develop a video course, teach people one on one, stream on Twitch and do similar stuff. In this case as well, given that you are dedicated, you can make a lot of money. It might be a little bit tougher at first but with time, as your popularity grows, you'll be able to make it rain!
Wrapping up, all that I have to say is, yes, this is a pretty difficult field to break into and there's a lot to learn, but you can do it if you try! Especially given that there's a huge demand, which is still gonna skyrocket. However, if you're not enthusiastic about it and don't like to do something that requires constant learning, unfortunately, this isn't the field for you.
So, are you up for it?