Pentest interview Do’s and Don’ts
Top Tips for a Pentest Interview
Welcome to the second of our ‘Breakfast Series’ by information security specialist Abdul Ikbal. You can catch the first one here: How I can gain access to your building.
This series is designed as a quick read over your morning coffee, or, if you’re reading this over the festive holiday, your morning eggnog.
Abs is one of Perspective Risk’s Managing Consultants and has conducted more interviews for penetration testers than you’ve had, well, eggnogs. Here he offers do’s and don’ts on preparing for a pentest interview with PR and shares insights from the interviewer’s chair.
Enjoy the experience
First things first: we’ll aim to make you feel comfortable. This should be an interview you enjoy. The format is more ‘teaching and learning’ – we don’t dictate the rights and wrongs. Hopefully you’ll leave feeling positive and having learned something.
Here are my top tips on what you should – and shouldn’t – be doing.
Pentest Interview Do’s
We appreciate and value honesty. Pentesting is of course a career which demands a certain level of professionalism. At PR, if you own a suit you already have one up on one of our senior techies. Here’s a hint: he looks like he’s just stepped out of a popular shampoo advert from the ’70s.
A bit like show and tell, you have every reason to bring examples of your dedication to the field. Recent examples of what candidates have brought to interview:
- An uber-cool Raspberry Pi setup intended to be left onsite. It was used to capture internal AD authentication hashes, connect to a remote cloud server, crack the hashes and email the tester with stats on how many were cracked.
- Wireless hacking setup which sparked a good discussion between us and the interviewee.
All were welcomed.
We encourage you to ask questions, technical or otherwise. We’re happy to help and they allow us to get to know you better.
Know the information security fundamentals
How many layers are in the OSI model? The TCP/IP model? All those questions you thought no one would ever ask again might be asked of you.
Brush up on your cyber security skills
Pentest interviews with Perspective Risk include a technical/practical element requiring the use of tools such as Metasploit, Burp and other common pentest tools.
Pentest Interview Don’ts
Don’t be arrogant (please)
No one knows it all, and those who claim to are probably just making a poor attempt to social engineer you. If you claim to know something, great, but do be prepared to demonstrate it.
Don’t be under-prepared
There’s more than one way to skin a cat (poor cat). As with any pentest engagement, you will have more than one tool that performs the same action. In the same vein, during the interview you may be asked to use a tool that you’ve never heard of. Be aware of your resources, e.g. Linux man pages, README files, etc.
Don’t Panic – we’re nice people
There’s no place for this in the security industry. Just take a step back, gather yourself, and answer honestly.
As I mentioned earlier, this is a teaching and learning exercise. We genuinely care about security and excellent customer care. If we find we’re not right for each other, as a minimum we’d like you to leave having learned something. As a result, you’ll provide better security advice to your future clients.
Don’t be too early
Everyone knows being late for an interview creates a poor impression, but being too early can be inconvenient for your interviewer too. We’re probably still preparing up to the last 20 minutes before your interview. We’ve had a candidate arrive 40 minutes early while we were still in meetings.
If you would like to be considered for a role with Perspective Risk, please email your CV to I_want_in@flprisktran.wpengine.com No agencies please.