Apply hacking skills to your job search

Hacking skills, such as reconnaissance and social engineering, can be used in a job search for a position in information security.

Infosec Career Hacking: Sell Your Skillz, Not Your Soul

By Aaron W. Bayles, Chris Hurley, Johnny Long and Ed Brindley

472 pages; $39.95


In this excerpt from Chapter 2 of Infosec Career Hacking, authors Aaron W. Bayles, Chris Hurley, Johnny Long and Ed Brindley provide an overview of how to apply social engineering to the information security job search.

Being able to determine which type of job you are seeking is crucial. In-house and contract employees have different challenges. If you decide to pursue a federal job, FISMA scores are a starting point, as well as a goal for understanding the environment. Much information is available publicly for federal and private sector companies. Recent contract wins and any enforcement action should be noted, as well as awards and recognition for outstanding work and employee satisfaction. Purchases and sales of smaller companies are a good indicator of business growth opportunities, as well as knowledge about skills important to the company.

In order to gain internal information about the company, try to get personal interaction with employees of your target. Human Resources departments sometimes hold job fairs or community outreach allowing you to get more information about the employees and their opinions. Research into newsgroups and mailing lists can turn up topics of interest to the company. Knowledge of regulatory environments for the company's customers is critical for interview stages.

Solutions fast track

Narrowing your choices

  • For in-house work, try to match your skill set to a company with the same needs and challenges, such as remote connectivity or database-intensive operations. Federal work needs to correlate to FISMA requirements.

  • Contractor work varies, but is still skill oriented. Large companies have stability, but are slower to move. Medium-sized companies are less stable, but more likely to create new opportunities. Small companies have a high level of risk, but are very flexible for new business and if successful, they are likely to be acquired.

Digging for information

  • Search for company history on hiring and layoff trends.

  • Search for acquisitions and divestitures of smaller companies to find out growth potential.

  • Determine if your target company has received awards for work or satisfaction, or has been involved with recent business wins. Make sure your prospect does not show up as having excessive compliance issues or enforcement actions.

Researching for rewards

  • Use Public Relations and Human Resource departments to gain personal interaction with employees.

  • Job fairs and outreach programs are a good way to gain face time with the target company.

  • Internships are a great way in for candidates recently out of educational work.

Making the contacts

  • Blend in for personal interaction, and be flexible with your responses.

  • Try to keep talking at a higher level; don't overload the person with all your skills.

  • Find out background information, such as compliance or regulatory environments.

  • Be aware of contractual issues within a particular job or industry.

Read the rest of Chapter 2, Reconnaissance: Social Engineering for Profit

This was last published in September 2005

    Join the conversation


    Is there really a benefit to this method when there are so many legitimate sources out there for finding a job?

    I think that these are some good, and very clever tips. Many times, if you don't have a close personal contact at an organization, it can be very difficult to get a foot in the door. You could be an extremely qualified candidate, but if your only pathway for getting into a company is by going through the HR department, there's a good chance that your resume is just going to get lost in the big black hole that most HR departments seem to be.

    I have to concur with abuell. If you are going in cold, i.e. through a Resumix system or web site application process, there's probably little you can do to genuinely get recognized, even with reverse hacking. Having said that, these ideas do work well if you find yourself sitting for an actual interview, or at least they could work well. It's important to gauge your audience and see how they will react.

    One of the best lessons I remember from many years ago was when we were hiring software testers, and during the interview debriefing, the lead tester sighed and said "we have a demo on our site, prominently displayed. Do you think any of these candidates downloaded the demo, installed it, looked at it, and had anything to say about it? Nope, not a one." When I asked if someone did that and talked to it, what level of impact might that have had on their hiring decision, the answer was "all things being equal, that alone would be a tipping point for me". That was enough of an answer for me :). Will such things help guarantee a gig? No, but they can certainly help you stand out and look prepared, and much of the time, that's almost as good.