Name: Kelly Albrink
Position: Security Analyst
Former art dealer Kelly Albrink is a self-taught infosec professional hailing from a one-of-a-kind background. She is set to present "Network Penetration Testing Toolkit: Netcat, Nmap, and Metasploit Basics" several times as part of the Day of Shecurity on Saturday, June 16. Read about her journey to her role as a Security Analyst at Bishop Fox below.
Meet Kelly Albrink, Penetration Tester and Social Engineer at Bishop Fox
What originally drew you to security?
Hacking is kind of a superpower; it’s a child-like fantasy where you get to do cool things that would normally land you in jail. There is this amazing knowledge and power with hacking. Hackers are usually portrayed by the media as evil people in hoodies and balaclavas, so it’s fun for me to help people through hacking.
How did you get your first job in the industry?
I saw a video of the Danger Drone at DEF CON and I thought, “Wow, that is really cool.” Then I read the job posting, which seemed so creative and different. It really seemed to be targeting people from non-traditional backgrounds with new perspectives. I thought, Hey, maybe they would appreciate someone with a strange art dealer/English major background like me. All around, Bishop Fox felt so different from the “pen test puppy mills” that are common in our industry. Seeing all the varied backgrounds of the pen testers at Bishop Fox really appealed to me.
Tell me about one career highlight.
One of my favorite projects was when I socially engineered my way in a bank account with only a name and a phone number. I used brute-force guessing to figure out the additional security question answers. My fake identity was a 65-year-old grandmother with a head injury. That was the first real social engineering project I worked on. And it made me realize that while our job can be highly technical, it has this cool “con man” aspect to it too. Incorporating accents and sound effects into my vishing engagements has been really rewarding.
Where would you like to be in the next 5-10 years (career wise)?
Educating. I would like to help get more diversity in the infosec workforce and to support anyone who wants to do any kind of self-teaching (which is what I did). I would love to write a book about hacking – hardware hacking or the network side of assessments would be the areas most interesting to me.
What was one unexcepted challenge you have encountered?
Ask any consultant this question, and they’ll tell you reporting is always dreadful. It’s not the writing of it (and I have an English degree!), but it’s the process of making a technical finding accessible and understandable. It’s flipping the switch in your brain. Targeting a non-technical audience versus the technical audience is completely different. Part of our job is to break things, to exploit things, and make them work in a way that’s not intended. But you’re doing it for someone who is paying you and wants to learn what they need to improve. You need to be tactful.
What advice would you give to someone wanting to break in and/or advance in security?
Don’t go it alone; get involved in your hacking community, locally or online. I personally had a great team of people in my corner. Without them, I don’t think I would have been able to do it. There’s this huge knowledge mountain you need to climb when entering infosec. Imposter syndrome is rampant and can take you down. But you need people who will push you to the next stage. Persistence is one of the most important personality traits for a pen tester. Always try harder. Overall, networking was really important for me – being involved in the security community is crucial since it’s a small world. You’ll see the same faces over and over again. Participating in the community and not falling prey to the battle of egos is important.
What is the greatest resource you have found?
For me, the greatest learning tool was getting hands-on experience. The OSCP certification has a great lab that is so helpful. There are also some free options worth investigating: HackTheBox is a free pentesting lab. The only catch is that you have to hack the invite process. The machines are constantly changing with HackTheBox. And then there’s VulnHub, which is great, too.
What’s the biggest misconception in security?
There’s this archetype of hackers being these 500-lb guys in their mom’s basement. They are supposed to be antisocial and strange. Not true! That archetype can be intimidating to an outside perspective. But when you’re in the industry and you meet these normal wonderful people, it smashes that stereotype into pieces. While hackers are secretive and reserved, what I’ve found is that they love sharing what they know. Seeing someone try, fail, and then ask for help is generally met with enthusiasm and answers. Just don’t ask someone to google something for you.
Tell me one interesting fact about yourself.
I love 3D printing! Just got a brand-new printer and have been playing with glow-in-the-dark and wood filaments. I teach 3D printing classes at my local hackerspace. Most of my work is in breaking things, so for me it’s quite exciting being creative and building things too. In my former life, I was an art dealer, so that may also surprise people.