Armando Romeo is the founder of eLearnSecurity, responsible for day-to-day management as well as content creation and delivery of all company courses. Prior to founding eLearnSecurity, Armando served as administrator and head of security for the Hackers Center Research Group and IT Security Services Manager for the Italian Security Brigade. Armando's has extensive experience and expertise in the areas of network security, information security, secure coding and design, Web application security, penetration testing and security awareness. We are very glad that Armando took out some of his precious time and answer few common questions asked by newbies.
Mr Armando it is a great honour for me to take your interview, Would you like to spend few minutes telling our readers on how you got started in the field of Ethical hacking and security?
My pleasure to answer your questions. It all started with the interest and passion for technology in late 80's early 90's when PC's were not so spread and you only had some sporadic friends owning one.
From then I developed the virus of any hacker: curiosity.
I've seriously destroyed my first computer 4 times in the first month because of that. Breaking things is part of curiosity. If you don't break things you are not learning. When you have such a passion, security is the next step. You know the inner details of each component and you can use this knowledge for good or bad purposes. But there's no "hacking" without curiosity and there's no security without "hacking".
What advice would you like to give to the beginners who have just started in this field?
Don't be afraid of frustration. Frustration is your fuel and is what keeps you awake the night figuring out things you don't understand. Be happy to be frustrated, because as long as you strive to understand things, you are on your right path to success.
According to you what is the most common mistake which beginners often make?
Trying to do many things all at once. You cannot learn everything all at once. You have to follow a proper path which takes time and perseverance. Too often giving up is the result of frustration.
One needs to be persistent with the path chosen and follow it until enough skills have been acquired in that area before moving on with new interesting study subjects.
Focus is key. Focus on one topic at a time, master it, then move on.
Why do you think that your courses stand out from the rest of the training and certification programs?
Our courses stand out for two main reasons: the way student learn things, the way students put in practice learned things. The learning path I was talking about before, is the cornerstone of our courses and is proven by the success obtained by thousands of students worldwide. Our courses are not a collection of random articles on how to hack this or that. It's optimized to minimize frustration and maximize skills transferred.
Our virtual labs are the most advanced available today. This allows our students to practice their skills against real world networks before they do it in real life.
Finally our certification process is 100% practical. When you see an eCPPT professional it means that he can carry out a penetration test in depth and can provide you with an outstanding report. Simply as that.
Do you think are certifications really worth the knowledge/money?
Multiple choices quizzes will never determine the possession of skills, at least in IT Security and especially into Penetration testing. Human Resources know this and just know that you are not proving any actual skills with those.
What is worth the money is skills you have acquired. Even better if you can prove these skills through a practical certification.
There is a opinion of some people that in order to become a good hacker you need to be a master programmer, do you agree with it?
I started programming since I was 12 and I kept learning new programming languages up to my last year of my Master in Computer Engineering. This has greatly helped me in any security matter.
I've yet to see a great Penetration tester who doesn't know a bit of programming.
But there are many Penetration testers who work and have a decent career even without that.
You should say thanks to Metasploit by the way. (Or actually not).
My advise is to learn programming. Nowadays Python or Ruby are really not that hard to deal with and can perform many tasks that a pentester needs to automate during his career.
If you are brave enough dive into C and ASM. They are pure fun once you understand them.
What according to you is more important essential to learn for a penetration tester first, programming or networking?
There's no prescribed order for this. I personally learned programming first.
I'd say that writing a small socket program in Python with Wireshark running in the background and a good TCP/IP book on your desk might be fun and very educational!
What's the key difference between student penetration testing course and professional penetration testing course?
The key difference is that the Student course covers basic knowledge such as networking and web applications which the Professional course doesn't.
The Student course is the perfect first step for a complete beginner.
The Professional course goes much much more in depth for every technique covered and also covers many more techniques compared to the Student course.
The Professional course is advised for someone who already has networking knowledge basics and has played at least a little bit with simple pentesting techniques and tools and wants to become a real Professional.
The Professional course prepares for a real job in the field.
What's the most important lesson you learned in your life?
As an entrepreneur: you can't please anyone. As an Information security professional: don't trust anyone, let alone users' input.
Why do you think that most of the people quit learning in terms of becoming a hacker or penetration tester?
Frustration is reason number one.
With no guidance you end up giving up.
No real passion on the subject is number two.
There's really nothing between you and becoming a pentester besides yourself.
With new tools being released on daily basis, Do you think penetration testing has became more difficult?
I would agree that it has become more difficult but not due to tools that generally make things easier.
It has become more difficult because as technology becomes more pervasive in our lives, so does security.
So you have to know how to pentest a network, a web application, a mobile phone a critical infrastructure and so on. Up to 4-5 years ago you only cared about the network.
Now critical infrastractures have a web app interface with an underlying network and maybe is even manageable from a mobile phone. A penetration tester should be able to keep up with these trends and should learn as much as possible, throughout his entire career.