CSCUK

Cyber Security Stories

My family didn’t believe penetration testers existed

When Jasmine Gillard first told her family about her new job as a penetration tester, they didn’t believe a word of it.

Jasmine said, ‘They laughed, and asked, “Is that really real?” and said that they thought that sort of stuff happened on TV, but didn’t think it actually happened in the real world.’

Jasmine is now Consultant Team Leader at Leeds-based security consultancy Pentest People and says she has never lost her ‘impostor syndrome’ about her job in the industry, but says she is finding ways to cope with it.

She explains that penetration testers are like ‘legal hackers’ who attempt to find flaws in systems to make them safer. She says, ‘I am trying to do what a hacker would do, but on the legal side of it… and before a real hacker can go and find it. It’s all about finding holes in systems and taking advantage of them and seeing where you can go from there.’

How I got into cybersecurity

She says that there is now a huge amount of support including online courses for young people wanting to get into cybersecurity. Jasmine admits her own entry to the world of cybersecurity was ‘quite strange’, but believes that it highlights the many different paths into the sector.

Jasmine suffered an illness which meant she couldn’t go to university. She ended up working in Wetherspoons, first as a barmaid and then in the company’s corporate offices, before moving through various other job roles and briefly studying psychology at the Open University.

‘But then I realised I didn’t want to be a psychologist and sit and talk all day,’ she laughs.

After a brief stint in the merchant navy, which was cut short by COVID, Jasmine started to study tech subjects via online courses, having always been good at IT. When she found cybersecurity, it ignited a passion, and she reached out to Pentest People, where she now works.

‘I sent them an email, because I had never seen a firm just dedicated to penetration testing, and asked, “What should I do to get a job, because there’s hundreds of certificates and I have no idea what I should be looking at?”’

The company replied, and allowed Jasmine to join their graduate programme, despite her being the only non-graduate. Jasmine says, ‘That’s where my impostor syndrome came from, because I felt so overwhelmed. I realised all the courses I had done didn’t really teach you that much.’

‘Actually, I do know what I am doing!’

After a year of hard work and determination, she sat exams and achieved some ‘industry gold-standard’ certifications. She says that as a pen tester she ‘never gets bored’ because there is so much to learn.

‘There’s so many different areas, and it’s always evolving, and there’s always new tricks to learn,’ she says. ‘You might find something that hasn’t been found yet (what we call a “zero day” vulnerability, that isn’t yet in the public domain). That’s one of our goals.’

She says that the cybersecurity industry still has issues around diversity. She says that she is one of only two female pen testers, out of 60 or 70 at her organisation, and points out that across the board, women make up just 20% of roles in cybersecurity. Jasmine believes that the problem begins at school, because boys who are into gaming are often pushed towards technical subjects.

She says, ‘It can be lonely sometimes, to be honest with you. But then I do get along with men quite well, so it’s not really that much of an issue for me.’

She says that organisations such as Women in Cybersecurity are ‘really good’ and offer support and community, and women in cybersecurity look after each other.

‘Because it’s such a minority, we do try to look after each other a bit more,’ she says.

‘The other girl who works for our company, I’ve talked to her sometimes, and you can both help each other that way. There’s a good support network at Pentest People, I can go to people and ask questions, and they make you realise, “Actually I do know what I’m doing, and I am fine!”’

She says she has dealt with her impostor syndrome, ‘for now’, but says she still has moments where she suffers from it.

‘I find it funny sometimes to look back and realise where you’ve come from and see that maybe you are good at what you’re doing. I’m OK at the moment, but I’m sure in a couple of weeks I might get impostor syndrome again.’

She says that she would recommend young people with an ambition to work in the sector start with online courses, training programmes and online resources like ‘Hack the Box’ which can give young people a sense of whether they will like the job.

‘The best thing about penetration testing is that it’s so broad,’ Jasmine says. ‘You’ve got the blue team, where you’re on the defensive side, the red team, where you are attacking, and you’ve got the purple team where you analyse the pentesting to make programmes and strategies out of it. So there’s lots of different things to do!’

Why games are a crucial tool for teaching young people about cybersecurity

Videogames can help young people to learn the basics of cybersecurity, says Zayd Dawood, university lecturer and game designer for Cyber Security Challenge UK.

Computing lecturer Zayd designed a game to teach young people the pitfalls of cybersecurity in a vivid, exciting way in partnership with Cyber Security Challenge UK. Zayd and his colleagues had brainstormed ideas including escape rooms and 3D puzzles – but eventually settled on a Mario-style platform game set in a futuristic landscape.

The idea is to teach young people the basics of Britain’s Computer Misuse Act – via the antics of a robot character, Astro the Android, in a two-dimensional cyberpunk world filled with chatty NPCs (non-player characters). The game is free to play on both PC and smartphones.

‘The Cyber Security Challenge UK is trying to make people who have access to the digital world realise that not everything there is safe. Hopefully we show that even some of the things that young people might have a go at doing themselves, might actually get them into trouble.’

It’s important that young people immerse themselves in technology so that they can understand both the good side and the ‘dark side’ of technology, Zayd believes. Part of that is to learn about and understand the ‘dark secrets’ of the cybersecurity world. Young people need to be able to make informed decisions, he adds.

‘It’s important that they delve into the information around cybercrime as much as possible – to avoid being in a position where they’ve caused an offence. It can be a grey area, because nowadays being a hacker isn’t always a wrong thing to do: the world is looking for hackers who do the right thing.’

The Cyber Security Challenge is no stranger to using games to spread its message to technically able young people, with web games on its site such as Cyberland, which offers 16 immersive activities that teach important lessons about staying safe online and introduce key cyber concepts such as firewalls and phishing.

Astro the Android is a more in-depth experience teaching the ins and outs of the Computer Misuse Act, which was introduced in 1990, just before the dawn of the World Wide Web, to cover then-emerging offences such as hacking. The act governs issues such as hacking into computer systems, computer fraud, blackmail and viruses. Failing to comply with the Computer Misuse Act can lead to fines or prison sentences.

The game is a full-fledged action title, where Astro has to collect items and avoid enemies, as well as collecting the game’s currency (called ‘crypto coins’). Throughout the levels, there are also NPCs who ask questions (themed around what is and isn’t illegal under the Computer Misuse Act). Answering the questions correctly scores the player points – and helps them rise up a global leaderboard.

‘They can see their score on a leaderboard, which is globally active – so every player can see where they are compared to other players around the world. I have really enjoyed the challenge of working out how games get made. What do you need to do to tell the computer to make your character jump? So I hope people enjoy it!’

Zayd believes that young people need to know more about cybersecurity because the field is growing in importance every year. He points out that there are dozens of careers available for young people in the cybersecurity field, from lawyers who specialise in cybercrime to programmers who design apps to stop Trojan attacks.

‘Cybersecurity is a challenge in itself,’ he points out, ‘because you’re up against people who are out to cause damage – and who want to prove they are better than you.’

The Cyber Security Challenge offers games and activities themed around cyber security, including Astro the Android and ‘Cyber Land’ activities which offer fun ways to engage with the basics of security.

Alex Roxon on why ‘gamification’ is key to inspiring young people to work in cybersecurity

Games and puzzles are one of the best ways to ignite an interest in cybersecurity in young people, says Alex Roxon, Infosec and Cyber Consultant at Cortida Limited.

Alex became involved in the Cyber Security Challenge due to the Challenge’s use of ‘gamification’ as a way to reach out to young people – as it’s an approach he believes works. Alex previously produced his own cybersecurity playing card deck filled with cyber attacks and defences – and a pick-your-own-path novel about an attack by a sinister cyber threat group called Golden Slug.

Organisations can’t afford to have a boring message if they are going to get through to young people, Alex believes – it has to be something that grabs the attention. He says, ‘If it’s PowerPoint, or someone reading from a slide and it’s incredibly dull and not inspiring, it’s not going to capture anybody.’

Gamification helps to communicate an important message to young people: that cybersecurity offers well-paying jobs which they could be good at. The messaging has to be fun because young people sometimes need guide rails to ensure they use their talents, Alex believes. That’s why the Cyber Security Challenge’s work with young people is so important.

‘There’s a few very talented penetration testers who started off by being criminals,’ Alex says. ‘They are curious and have this energy and this enthusiasm about computers, but because they didn’t have any guide rails to work with, they strayed into the wrong territory.’

Alex is passionate about capturing that energy and persuading young people to go into cybersecurity jobs. He points out that there are great salaries on offer for technically astute young people. While young people can ‘change tack’ and become penetration testers after dabbling in crime, the picture is brighter for young people who go straight into cybersecurity.

Alex says, ‘If that positivity and that enthusiasm can be captured really early on, the sky’s the limit for those people.’

Alex hopes to speak at schools and give away copies of his cybersecurity card deck and book as part of his work with the Cyber Security Challenge. The card deck is a normal set of playing cards, but with cybersecurity attacks and defences on them, each card depicting one cybersecurity concept. Hearts and diamonds are ‘red team’ activities (attacks) and clubs and spades offer defences.

Alex’s book, ‘Choose Your Infosec Path’, was inspired by the Give Yourself Goosebumps stories he read as a youngster – but here, readers pick what to do in a cybersecurity crisis.

‘You’re a CISO at a company,’ he says. ‘You get told by the boss that there’s a new threat actor on the loose called Golden Slug, and your choices will dictate whether it ends in disaster or triumph.’

With 50 or 60 endings, the book is designed to teach beginners the basics of cybersecurity – written in plain language and targeting youngsters without any background in the field, and capturing some of the excitement of the job.

Alex believes it’s important to keep growing the talent pool for cybersecurity – and that games and puzzles are a vital part of that.

Looking for a guest speaker for cyber careers at schools or universities? Get in touch with Alex Roxon via alex@roxon.co.uk.