In this Q&A with Jim O’Gorman, chief content and strategy officer, Offensive Security, we discuss the current cybersecurity talent landscape, what makes a good pen tester, and some of the new, exciting pen testing training offerings from Offensive Security that set them apart from the rest of the industry.
The cyber skills gap and talent shortage is considerable. It's the elephant in the room. How does Offensive Security view the infosec job landscape right now? What can we do as an industry to help close the gap?
In many respects, this talent shortage is not as much of a skills gap as it is a perspective one. It’s a priority issue. It’s an issue of business requirements.
To expand on that, the skills of a good system administrator and the skills of a penetration tester are not that much different. In fact, most of the best infrastructure penetration testers come from a system administration background. Most of the best application assessors come from an application development background.
The skills are very similar. It’s the application of those skills that differ. In many respects, the issue is not so much skills but what businesses are prioritizing. When developing an application, what matters most? A new feature? Speed to market? A secure architecture? When deploying servers how many system administrators are told by management that its OK to take a bit of extra time and lock down the server?
Our raw talent is there. We just need to nurture it and communicate that cyber security is an important business requirement. There are differences in the application of skills for sure, but that's pretty minor. In our PWK course, we see individuals coming from non-security focused fields all the time with the raw skills they need for success in cyber security and all we have to do is redirect them and show them how to use those skills with a security focus.
Organizations -- the top enterprises and MSSPs -- are trying to find the best talent possible. Penetration testing has never been more in demand. What are the most desired pen test skills? How does Offensive Security help train those skills?
The most successful pen testers possess not only the technical skills, but the proper mindset.
This is known within OffSec and our community as the ‘Try Harder’ mindset.
Beyond learning the technical skills, we encourage our students to be persistent and perceptive in the search for creative solutions in order to pass our certification exams. OffSec certificate holders have proven they understand that hard work is part of the process. They know how and when to step back, see the big picture, and manage themselves and their time.
Our certifications are based on real-world, practical training, which makes infosec professionals more valuable in their work and better equipped to defend their organizations.
What sets Offensive Security certifications apart from others in the industry?
At Offensive Security, we teach that offense is the best defense.
It starts with our online training courses, such as Penetration Testing with Kali Linux (PWK), which encourages students to use the same tools, techniques, and mindset as a hacker to level the playing field for defenders. The same expert security professionals that designed Kali Linux developed our courses. These professionals leverage their own real-world penetration testing experience to ensure an unwavering focus on the practical applicability of course materials.
Our curriculum goes beyond teaching technical skills. We also challenge our students to “Try Harder”, which has become the ethos of our community and our team. This means developing a growth mindset, engaging critical thinking skills, and overcoming unforeseen obstacles.
In addition to extensive course materials and videos, which we’re investing in, all of our students receive access to a virtual lab environment, which allows them to work through course exercises and practice attack techniques safely and legally. Many training programs provide written education components but fail to provide a practical test. Applying penetration testing training and skills in a controlled environment is a critical component of our hands-on approach.
Completing one of our courses and passing the certification exam places you among an elite group of security professionals. And unlike many other programs, Offensive Security does not require students to pay an annual fee or to submit continuing education credits to maintain their certification status.
Tell me about your new additions to the flagship Penetration Testing with Kali Linux (PWK) training course. What are the benefits to the update?
We’re very excited to bring a major update to PWK to our community and customers.
The new course doubles the amount of content available to teach students the skills and mindset required to be a successful security professional and prepare for the Offensive Security Certified Professional (OSCP) certification. Students also gain access to several more extensive virtual lab environments to practice skills learned through the course.
The new course doubles the amount of content available to teach students the skills and mindset required to prepare for the OSCP certification. We overhauled the virtual lab to feature three different Active Directory deployments and more sophisticated targets, and 27 new machines along with numerous updates to existing machines.
We also increased the focus on Microsoft Active Directory. The flexibility and complexity that Active Directory brings into a network also creates a vast attack surface, making it critical to have a robust understanding of this technology. PWK introduces students to fundamental Active Directory concepts, which provide the basis for attacks discussed in the course.
We improved PowerShell coverage, which is significant because it is important for infosec professionals to understand how it can be used to attack Active Directory in order to better defend it.
We increased emphasis on privilege escalation by adding new coverage on local information-gathering techniques and presenting several privilege escalation examples on Linux and Windows including UAC bypass.
PWK also includes brand new web attacks content, including exploiting admin consoles, XSS, directory traversal vulnerabilities, SQL injections, as well as new client-side attacks, such as HTA attacks, Microsoft Word macros, object linking and DDE embedding.
Where can folks interested in this training course sign up?
Individuals interested in the PWK training course should visit the Offensive Security website at https://www.offensive-security.com/pwk-oscp/. Enterprises looking to make more security training available to their employees can purchase training materials in bulk through the OffSec Flex program.