Any "hacker" careerists?

[Coldblackice]

Any [H]'ers work professionally as some type of network security "hacker"?

I'm considering this as a potential career area, but wanting to get a gauge on a bit what 1.) the general experience is like, and 2.) average wages.

Is there much demand for these types? What's the day-to-day like? Is there a general consensus on whether it's a very financially viable career?

Subjective and varied, I know, so no worries if specifics can't be afforded. Even something along the lines of, "My buddy's in the industry as an X, makes about Y, and for the most part feels Z about the job/career", etc.


EDIT:

A bit of my background for reference:

Great point.

I consider myself a moderate programmer -- I've been hobby programmer for years, with the ability to read/write in many languages (C++/Java/PHP/etc, ability to pick up others quickly) and understand most programming concepts (but nothing advanced by any means).

I've done a bit of study over the years in computer security and exploits, like buffer overflows, XSS, SQL injection, etc. But I wouldn't be able to get hired anywhere with it.

I've also done a bit of learning/study in assembly, reverse-engineering, and rootkit/virus/malware analysis. Although I'm not employable in this, I quite enjoy the process of reverse-engineering (or attempts thereof) and the arenas of virus/malware/rootkits (analysis).

My problem has always been picking one area and honing in on it through specialization. It's so hard to (for the most part) pick "one", and more or less push the others aside, even though they're all interconnected in some form or way.

But I've always felt that, because I wasn't Mitnick-level by 9/13/16/18 years old, that I've missed the boat by far, and could never hope to catch up with any of the industry's experts in any of the individual arenas. I have this mindset that I'd always be far behind anyone/everyone else who was in before me.

Then there's also the hangup of not having an idea what the industries are like in terms of salaries and work. I'll occasionally come across an article or forum post talking about how in-demand assembly coders, reverse-engineers, network intrusion, etc are, and how much they're able to make, and how they only continue to become more and more in demand. But I never know if these things are true, or just one-off opinions in some part of a sector.

 

[Ehren8879]

I believe the career path you're looking for is "network penetration testing". Beyond that I don't know anybody personally, sorry.

 

[Blackjack]

Part of my job involves security assessment of new applications we are looking to use (both internally and externally developed). Beyond a controls assessment we also do a pretty in-depth penetration test of the application. We've also performed limited-scope penetration tests on our network.

Personally its a lot of fun but you also have to remember that 99.99% of the job consists of CYA, documentation, and failed attempts at breaking into something. Its nothing like the movies.

 

[atomiser]

understanding a bit more about your background would afford a much more useful response to this question...

 

[Dark Shade]

You may be interested in taking some Certified Ethical Hacking classes or the like, if nothing else it opens up your eyes to just how insecure everything is.

 

[Coldblackice]

understanding a bit more about your background would afford a much more useful response to this question...

Great point.

I consider myself a moderate programmer -- I've been hobby programmer for years, with the ability to read/write in many languages (C++/Java/PHP/etc, ability to pick up others quickly) and understand most programming concepts (but nothing advanced by any means).

I've done a bit of study over the years in computer security and exploits, like buffer overflows, XSS, SQL injection, etc. But I wouldn't be able to get hired anywhere with it.

I've also done a bit of learning/study in assembly, reverse-engineering, and rootkit/virus/malware analysis. Although I'm not employable in this, I quite enjoy the process of reverse-engineering (or attempts thereof) and the arenas of virus/malware/rootkits (analysis).

My problem has always been picking one area and honing in on it through specialization. It's so hard to (for the most part) pick "one", and more or less push the others aside, even though they're all interconnected in some form or way.

But I've always felt that, because I wasn't Mitnick-level by 9/13/16/18 years old, that I've missed the boat by far, and could never hope to catch up with any of the industry's experts in any of the individual arenas. I have this mindset that I'd always be far behind anyone/everyone else who was in before me.

Then there's also the hangup of not having an idea what the industries are like in terms of salaries and work. I'll occasionally come across an article or forum post talking about how in-demand assembly coders, reverse-engineers, network intrusion, etc are, and how much they're able to make, and how they only continue to become more and more in demand. But I never know if these things are true, or just one-off opinions in some part of a sector.

 

[wixter]

I thought I would offer my input since I've sorta been down the road you're interested in...not exactly the same but figured if I could help then I will.

About me: I've been in the IT industry for 18 years. I primarily enjoy the operations and security aspects of it, which means just generally running things and making sure any downtime we experience is minimized. I've become intimately familiar with AD administration, VMware, complete PKI overhauls, various security products like pfsense, Sourcefire, ran a proof of concept VDI environment for a while till upper mgmt didn't like the cost of deploying it at the time, it'll be back though...typical things like that.

First, it's good that you know what area you want to target within IT. Many people get interested in the industry because they "know computers", thinking that because they know how to use Windows 7 it makes them an expert on everything. These are usually the people who are the same types looking for a "get rich quick" scheme and don't understand just how much work it can be on the backend.

My first question is, how old are you?

With that said, let me first ask you what actual experience you have using the skills you're posted about. You mentioned you're a hobby programmer...ok, but have you actually used those programming skills working for a company? I'm reading this as no. Don't take it harshly because I'm thinking you're rather young, that's ok, I was young too once. Applying your programming skills toward software development is definitely going to serve you well in the future. I would strongly recommend you look for some types of entry level development jobs with those programming skills. Software developers will be in demand for many years to come, I assure you. I would also suggest you add .NET and SQL on your list of things to learn. Of course, I'm NOT a programmer, so others here who are might better be able to help in that area.

Next, you stated you're looking for something along the lines of pen testing. Ok, well the security aspect of IT is definitely interesting and I always like keeping my skills up to date in that area. But, for me, (and let me emphasize this is just my observation and may not necessarily be indicative of where this part of the IT industry is headed) security is sort of the afterthought in a lot of companies. Now don't get me wrong, they may indeed have a small security staff in-house, but let me put some perspective on it. Typically for companies that I have observed, for every 5000 employees at that company, they may have perhaps 3-5 employees in-house that are pure IT security. Of those 5, one will be a manager, the rest the techies, mainly responsible for perhaps group permissions, monitoring network traffic, reviewing firewall/IDS logs, checking any blocked chats...day-to-day, pretty mundane stuff. For those techies, how much of their time will be spent doing real, actual pen testing? Perhaps less than 1%. If one of those guys specializes in forensics, I would say actual forensics in an investigation is maybe 5% of their work.

Pen testing is a very, very specific sub-set of IT security, which is in itself a specific subset of IT. To make a real, full-time job of doing nothing but pen testing, you'd be looking at companies specializing in this stuff which act as consultants brought on for various clients to come "hack" their network. Even if you did manage to find a job at a Fortune 500 company doing in-house pen testing, the majority of your work will be paperwork. Filling out stuff about what you were able to compromise and how you did it and what recommendations you can make to improve upon it. Even then, if management asks you to test some new network device, that's fine and all, but you would not believe just how much all executive level management usually want an outside entity to come in and do an independent test and audit of their stuff. It's not because they don't trust you, it's because they need to cover their asses from potential liability if something happened and someone made an argument that they didn't do their due diligence. And when that consultant is brought in, you won't be working with them. They'll just ask for an account or some place to connect up and that's it, you sit on the sidelines. So why not just go work for the consultants?

That's sort of the point I'm trying to make. Very specific areas of security like you're talking about isn't something the majority of companies are going to want to hire in-house. Yes, every high school guidance counselor, college professor or academic advisor will always tell you "do what you love". That sounds fine and dandy if we lived in Equestria with unicorns shitting skittles all the time to make their own rainbows, but I'm telling you what I've observed. Someone else might come along and say they've observed it to be completely the opposite; that's fine.

If you have a love for programming, you'll have no trouble finding work.

 

[Tee]

I work in security I have done some DARPA and NIST projects.

I currently only do contract work and I hold a full time job as well.

I'd rather not say what my contracts net me but its enough to live off of.

The only things I found hard about network security are:
-- General IT people hate to listen and prefer to be right
-- You have to build a good network of references which can be difficult when starting.

Otherwise, I do not have any real certifications I have lots of firewall certifications but that's about it.

I also spend the majority of my free time reading about new exploits, potential new vulnerabilities, testing software and hardware, writing my own programs (mostly python and php), studying new laws, understand the laws in each state, understanding how compliances relate to the size of business you are working with (HIPA, PCI-DSS, SOX), and some other general stuff.

It is a very time consuming field and if you want to actually stand out you need to put your fair share in and prove your worth. I'd say it is one of the few things I have done in life that I never needed to actually waste my time getting pieces of paper to prove myself, people actually listened and allowed me to prove myself, which in my mind make sense and is just simpler than being bored to death in a class.

I have not had issues with not being certified in certain things but that was only because I had references. Hell I do not have a degree. I just networked my arse off and that worked out for me because I worked hard and gave up a lot of spending time with friends and family. It paid off though and I am more then happy.

In a nutshell that's how my life has been in IT security.

 

[Coldblackice]

I thought I would offer my input since I've sorta been down the road you're interested in...not exactly the same but figured if I could help then I will.
...
So why not just go work for the consultants?

That's sort of the point I'm trying to make. Very specific areas of security like you're talking about isn't something the majority of companies are going to want to hire in-house. Yes, every high school guidance counselor, college professor or academic advisor will always tell you "do what you love". That sounds fine and dandy if we lived in Equestria with unicorns shitting skittles all the time to make their own rainbows, but I'm telling you what I've observed. Someone else might come along and say they've observed it to be completely the opposite; that's fine.

If you have a love for programming, you'll have no trouble finding work.

I'm getting the vibe that demand for this type of skillset is going to pale (greatly) in comparison to more standardized programming jobs...?

Do you have any examples of contractor companies that would hire for this this type of work? And what would you say the average salary range is for these companies that contract the work out?

Going off your viewpoint, I'm wondering if it's perhaps not a viable path for myself. Foremost, because it sounds like there's a pretty narrow slice of demand for it which is probably well-filled, as it sounds like companies don't really have a constant, revolving need for the skill(s). And then secondly, because I'd be entering the arena so late in the game, seemingly unlikely to be able to catch up with the already narrow piece of the "supply" pie.

Shucks. I guess it'd perhaps be better slated for a personal hobby :/

What about other avenues related to this area, like viruses/malware/rootkit reversing and analysis?

I work in security I have done some DARPA and NIST projects.

I currently only do contract work and I hold a full time job as well.

I'd rather not say what my contracts net me but its enough to live off of.

The only things I found hard about network security are:
-- General IT people hate to listen and prefer to be right
-- You have to build a good network of references which can be difficult when starting.

Otherwise, I do not have any real certifications I have lots of firewall certifications but that's about it.

I also spend the majority of my free time reading about new exploits, potential new vulnerabilities, testing software and hardware, writing my own programs (mostly python and php), studying new laws, understand the laws in each state, understanding how compliances relate to the size of business you are working with (HIPA, PCI-DSS, SOX), and some other general stuff.

It is a very time consuming field and if you want to actually stand out you need to put your fair share in and prove your worth. I'd say it is one of the few things I have done in life that I never needed to actually waste my time getting pieces of paper to prove myself, people actually listened and allowed me to prove myself, which in my mind make sense and is just simpler than being bored to death in a class.

I have not had issues with not being certified in certain things but that was only because I had references. Hell I do not have a degree. I just networked my arse off and that worked out for me because I worked hard and gave up a lot of spending time with friends and family. It paid off though and I am more then happy.

In a nutshell that's how my life has been in IT security.

Thanks for the info. Sounds like you've held your own quite well. Unfortunately, it sounds like it'd be hard for someone like me to reasonably ever catch up, as the rest of the race would already be so far ahead of the game than me.

It also sounds like you've had to sacrifice some pretty significant personal time and life to get there as well -- can you give an example of what this entailed? (I.e., spending X years not getting home at night till XXAM, having to consistently work weekends, etc.)

 

[wixter]

The only things I found hard about network security are:
-- General IT people hate to listen and prefer to be right
-- You have to build a good network of references which can be difficult when starting.

Otherwise, I do not have any real certifications I have lots of firewall certifications but that's about it.

I agree and disagree with this first part. Yes, I've come across IT people who hate security. Usually what I've found is the underlying reason why is because their security folks suck in general or consider themselves "above the law" so to speak since they are the ones monitoring everyone or whatever and perhaps talk has circulated that they don't monitor themselves or whatnot. It's just the general elitist attitude that can be found in anyone; that type of environment can foster its development.

But it isn't like that everywhere. I enjoy talking with security folks who really know their stuff and can discuss at length different types of solutions or where things might be headed. In my experience, and this is probably unfortunate considering who I've had to deal with (maybe I'm networking with the wrong people), those folks are few and far between. The last guy I met who was like this was about 2 years ago who was just giving us some brief training on how to use Wireshark better, but it turns out that guy was a veteran in deep packet analysis. The knowledge this dude had was incredible and I learned so much more in the inner workings of protocols and general data transmissions than I ever did with ANY networking certification...well I haven't taken the CCNP or CCIE so I can't speak for those.

An example of one thing that really stuck with me: with all the continued migration toward higher ethernet speeds, 10G, and now 40G/100G, the original TCP/IP protocols use 32-bit sequence numbers, so the maximum number is going to be like 4,294 billion, whatever. Just do 2^32 on a calculator. As data transmission occurs, the numbers increment, reset, increment, until transmission is completed. This works just fine now, but occasionally he's seen even 10G transmissions that just failed randomly. He even had a packet trace that showed this issue. What happened was that the NICs on either end that increment the numbers happened to generate the exact same number at just the right time that the data transmission just completely stopped. This had never been a problem because ethernet for the longest time maxed out at 10Mb, so 4 billion numbers was plenty. Now with speeds going past 10Gb, you can cycle through those same 4 billion numbers so quickly that the chance of the same numbers coming up again at the same time will increase.

This may in fact drive ipv6 adoption faster than potentially running out of ipv4 addresses.

 

[wixter]

I'm getting the vibe that demand for this type of skillset is going to pale (greatly) in comparison to more standardized programming jobs...?

Do you have any examples of contractor companies that would hire for this this type of work? And what would you say the average salary range is for these companies that contract the work out?

Going off your viewpoint, I'm wondering if it's perhaps not a viable path for myself. Foremost, because it sounds like there's a pretty narrow slice of demand for it which is probably well-filled, as it sounds like companies don't really have a constant, revolving need for the skill(s). And then secondly, because I'd be entering the arena so late in the game, seemingly unlikely to be able to catch up with the already narrow piece of the "supply" pie.

Shucks. I guess it'd perhaps be better slated for a personal hobby :/

What about other avenues related to this area, like viruses/malware/rootkit reversing and analysis?

Most any major anti-virus company would be a good example, Symantec or Kaspersky, of an organization that comes on site to do pen testing. It's been years since we had a last test, I don't recall what they charged. I suppose if you figure $500/hour that's probably reasonable, or some flat rate depending on the size of the organization, number of devices, etc., they'll usually just quote something. Even if you figure it comes out to $500/hour, how much of that will you actually see? Hard to say really, since everyone's salary is different. Could be anywhere from $30-$50/hour.

I will say this: I haven't yet met a pen tester who DIDN'T know his stuff. I suppose the main reason is that since dedicated jobs like that aren't in large supply, the candidate hired for such a position better damn well be the cream of the crop.

Thanks for the info. Sounds like you've held your own quite well. Unfortunately, it sounds like it'd be hard for someone like me to reasonably ever catch up, as the rest of the race would already be so far ahead of the game than me.

It also sounds like you've had to sacrifice some pretty significant personal time and life to get there as well -- can you give an example of what this entailed? (I.e., spending X years not getting home at night till XXAM, having to consistently work weekends, etc.)

Catch up? Well, let me put it this way: the IT industry in general will require you to always stay up-to-date. Back during the '90s when everyone and their grandmother started leaving their vested careers as accountants, insurance salesmen, car mechanic and whatever else to take an "IT job" because they were able to build their own PC, these same people were quickly flushed down the toilet after the dot.com bust because they really didn't know their shit beyond what was on the MCSE test.

I'm not even talking specifically IT security, I mean in general all of IT, will to some degree require you to keep your skills and education up-to-date. Not everyone is cut out for this, and that's fine, you at least need to be honest with yourself and recognize if you can commit to that type of career. For the most part, the people who stay in IT tend to be those who just have a real passion and drive for new and developing technology and what it can do; others who just want to get by doing the same thing year after year tend to wash out eventually.