Thursday, April 30, 2015

Network Penetration Testing - A First Glimpse

Two years ago I went to Defcon 21 and had my mind blown. I was taking an introductory C++ course and looking for a career change. On a lark I decided to go to Defcon because it sounded pretty cool, and I love Vegas. While I was there I went to a ton of talks, met a lot of interesting and intelligent people, and didn't hit the tables once. It was definitely unusual.

While I was there I saw some guy on stage talking about pen testing - that is, how a company will pay you to break into their network or their web application. I honestly thought that was the coolest thing around. Who wouldn't want to do that? I also thought that maybe someday I would even know enough, or be lucky enough, to get a job doing that.

A few weeks ago I got back from a two week gig where the team I was part of worked a lot of 12 hour days breaking into everything we could at a client site - at the client's request. I even got to do a little social engineering and physical security penetration testing too. It was, of course, different than the movies: there were actual long hours, thousands of IP addresses, a million screenshots, and mountains of text to process and sift through with sed, awk, grep, cut, tr and python - a rigorous exercise in automation. It wasn't some color-coded, graphical representation of a virus that we manipulated by waving our hands, with a flashing pop-up window at the end saying "access granted".

And then there were the three weeks following that, which were all Word documents. Tell them what you were supposed to do, tell them what you did, tell them you told them. And have an executive summary that says the same thing, only with bullet points. Include pictures; everyone loves pictures.

But in some ways it was like a movie. There was a critical do-or-die moment when we clandestinely gained physical access to supposedly secured space. There were hours of failed attempts at accessing systems that ended with a 'Hail Mary' pass in the final moments before the deadline, resulting in success. There was a password that was broken by guessing it Harrison Ford style, as in Clear and Present Danger. It wasn't quite "children's birthdays in reverse", but close enough for real life.

The best part, besides being paid to do it of course, is that you really are a good guy. Your goal is to help the other good guys by showing them what they missed. Having done some sysadmin work, I know it can be hard enough just to get things up and running, as the technology and the business requirements are always changing - and not every sysadmin has been doing it for years, is created equal, or remembers everything every time. They are mostly underpaid, understaffed and overworked from what I have seen. So now I get to help them when I can by showing them the things that I find, and hope that it makes their jobs easier in the long run.

Figure 1 - Unauthorized physical access gained to secured workspace environment.


Take only pictures, leave only footprints... no trace.