Everyday Problems of Kind Hackers or Life in a World of Stereotypes

Posted by META (joined Mar 1, 2026)

## Chapter 1. THE COMMON PERSON

The common person can be divided into two types. The first type consists of people who don’t even attempt to formulate a concept of a hacker, and therefore do not operate with the term. They say, "I don’t understand this; I don’t get involved." It doesn’t occur to them that there are specialists motivated to maintain system security rather than to breach it. Typically, these individuals know exactly that they need to cover the keypad with their hand when entering a PIN code and to tape over their laptop camera just in case. However, they use the same password for all their accounts. They lack an understanding of basic information hygiene, yet hold a belief in anonymity and privacy online. Ultimately, we end up with a Frankenstein made up of superstitions and unreasoned fears.

The second type comprises those who have gleaned knowledge from the news and popular culture. For them, a hacker is a character who, sitting at home, hacks the Pentagon for fun while simultaneously working for the government. News reports on how hackers have once again stolen millions from a cryptocurrency exchange solidify in their minds that this profession is inevitably criminal. All hackers must be imprisoned because they steal other people's data.

On one hand, in their understanding, hackers are genius autistics with antisocial personality disorders, who possess boundless talent in the hard sciences. They are savage, unkempt, and lonely. On the other hand, they resemble special agents or spies. Cinematography provides an association with a cool guy, a jack-of-all-trades, who can hack a super-system in seconds, save the world, and ride off into the sunset.

---

## Chapter 2. BEGINNING SPECIALISTS AND THE DIGITAL GENERATION

Bank hacking is an integral part of life.

“Have you hacked a bank?” is a question everyone always asks. Just as every journalist dreams of writing a novel, so every hacker dreams of making money this way. Not exactly.

In reality, as the dean of MIIF often said, there’s no point in breaking a computer if you can simply carry it out through the window. This thought confounds people, as you’re not a real hacker if you seek easy shortcuts. For instance, even in my work, I wouldn’t shatter a webcam if it’s simpler to breach the perimeter, connect to the port, and try something on site. This is perceived as though you should have run a hundred meters, but only managed the last 20.

Shock content: a hacker isn’t necessarily about computers and coding or remote hacking. The new school is more focused on objectives rather than methods of breach. For example, a valuable asset is identified, which the business considers most dangerous for discrediting, and penetration testers attempt to gain access to it. The means can vary widely. They will be complex enough when dealing with companies that have developed security processes: a large, multi-component SOC operating three shifts, proprietary development protection rules, their security policies, and physical security. If a company has five layers of protection and you manage to breach it, for instance, using a drone, you have successfully completed a project.

---

## A Profession Under Seven Seals

The most common belief encountered in casual communication with acquaintances is that they don’t know this profession exists. They think specialists hone their skills for decades to work in offensive security. Moreover, they believe it’s impossible to enter the field from the outside, as these are special people tied to the government who would surely be imprisoned if they tried to leave.

Ethical hacking is legal (if done correctly), well-developed, and widespread, both with and without government involvement.

In cybersecurity, it’s generally easy. Teach me!

— Teach me or hack the Minecraft server for me so my brother doesn’t play that nonsense all day; we’re already having family drama.

— Can you hack my ex's VK? I’ll buy you a beer!

— Fix the kettle, you're a programmer!

In all seriousness, every penetration tester will recall many such requests. Friends or classmates often express interest in the topic and ask to teach them some tricks. They think it's a request similar to asking how to bake an apple pie, but in reality, they’re asking to learn how to build an internal combustion engine.

However, if you genuinely start studying pentesting, if you are highly motivated, it’s really easy—initially, there are always victories and endorphins. They drive your development. This continues for the first 2-3 years, after which you enter the world of real cybersecurity. You are given actual projects involving EDR, SOC, and binary exploits. There are no more quick wins; you lack engineering depth. Even when you discover a vulnerability, you have to prove it. There’s always a period where an internal breakdown occurs, and people suffer.

Skill rotation in cybersecurity is incredibly fast; for example, 10% of the tools we work with today appeared six months ago, and within another six months, they will disappear, replaced by others. The evolution of tools used by attackers is rapid, so to remain effective, you need to adapt to new opportunities and trends just as swiftly as the attackers do. They expect you to ensure their products are “unbreachable,” and if you check even the latest methods of breach (you won’t check them all), you can reduce the likelihood of failure of that product.

There's also a stereotype that one must attend university. It’s beneficial, but not as essential as for a professional mathematician or programmer. Furthermore, courses are not as effective as advertised. A course may promise a salary of 200,000 after completion and a mid-level position, but that’s not accurate. Even annual courses are just a minimal foundation. You’ll need to continue learning, gaining experience, undergoing internships, and cutting your salary expectations at least fourfold at the start.

It’s also often said that you need to participate in CTFs to practice. While this is a great experience, CTF serves as a university, providing many connections and friendship opportunities and practicing team dynamics. If you want to learn pentesting, you must actually pentest; go and exploit web interfaces. Bug bounty programs also follow a different process.

---

## Chapter 3. BUSINESS

You’ve been breached regardless of who did it!

Hackers are villains also because the line between good and evil is murky and conditional. The paradox of knowledge is that you cannot erase from your mind the information about the business you obtained through working for it.

The fact is, a good hacker has already chosen their profession and set their priorities. The most valuable asset they have, or even the cybersecurity companies providing penetration testing services, is their reputation. The potential risks to reputation outweigh the benefits of double-dealing. Furthermore, all actions are legally protected by various non-disclosure agreements.

However, that doesn’t mean specialists should go unchecked. They must be encouraged not to rest on their laurels. Directing competencies toward every aspect is very challenging; you can deviate even slightly from your tasks and become mired. The less mechanical the process is—for instance, Googling vulnerabilities, breaching, and reporting—the more granular the competency network becomes. Each separate granule represents a specific skill. To develop it, a deep understanding of the processes is essential. You need to build both depth and breadth simultaneously. You become sharp as a needle.

People must be motivated to grow; dive deeper, as there’s a whole world in the bottle; otherwise, they simply won’t be able to provide competent audits.

Who do we even matter to, for heaven’s sake?!

Companies often focus on the term "risk," which implies probability. From this, they conclude that they won’t be breached; we’re small, and no one’s watching us. It may be true that a small pig farm in Tula has never been hacked because no one knows about it, but that’s more of an exception than a rule. Often, those who think this way become the victims of hackers without even realizing it.

For example, a small foundry used an outdated version of ColdFusion, and when penetration testing was conducted, it turned out that for at least three to four years, Chinese miners had been mining cryptocurrency on the server. They established themselves and spread throughout the company’s network, bringing with them a massive toolkit: a separate client for host machines, another for servers, and even a corresponding build for ARM devices. In other words, they established themselves everywhere, turning the factory into their milking parlors. This led to an accelerated natural wear of all equipment by a factor of a thousand.

This isn’t investment; it’s an expense.

Business owners think in terms of money and profit, so in this context, cybersecurity represents a cost. Their attitude toward cybersecurity is initially rather negative simply because it forces them to spend money that never results in a return on investment.

What’s necessary to understand is the dilemma constantly faced by businesses: invest in reducing the risk of monetary loss, or in increasing profits with possible peril.

It’s theoretically impossible to assess all possible risks. Attackers are continuously searching for new methods of attack, and what was considered safe yesterday may pose a threat tomorrow.

There’s no need to burden executives with technical information. Instead, focus solely on those risks that could cause the company the most significant losses, and assess how many resources are needed to neutralize each of these threats. This will allow for calculating the investment leverage—the ratio of risks to costs. Business leaders can and should formulate tasks for cybersecurity specialists. For effective operation, the CISO must be well-versed in business tasks and have sufficient authority to make swift decisions. The interests of the business and the tasks of the cybersecurity department must be synchronized.