This course was an internship that I had with a cybersecurity company. I learned so many valuable skills and tools during my time at the company. Below is an artifact from that course of my time during my internship. Contained within the reflection are the goals, objectives, and information learned.

Reflection of my Internship

              I decided to do an internship in the cybersecurity field in general because it is the field in which I want to have a long, prosperous career. I have been interested in cybersecurity for many years and have been working towards achieving this career as a goal. I specifically chose this company because I was referred to it by a friend for its many benefits, among which are a great work culture and an environment that fosters learning. More specifically, the internship was for a cybersecurity engineer, where the work assignments would be conducting penetration testing audits, which is exactly the role I have been searching for.

Expected Learning Outcomes

              For this internship I hoped to achieve three personal learning outcomes, based upon the three learning objectives as they were outlined within the Memorandum of Agreement. The three learning objectives were:

  • Plan, conduct, and generate deliverables for cybersecurity audits and penetration testing engagements.
  • Develop toolsets to streamline cybersecurity audits and penetration testing.
  • As needed, perform system administration/helpdesk tasks.

Based upon those three learning objectives, I wanted to focus on the following three outcomes:

  • Become proficient in the tools of the trade. The ‘What’ of penetration testing.
  • Become knowledgeable about the business life-cycle of auditing. This is the ‘How’.
  • Understand why others are interested in the field, and why they have chosen this career and company. This is the ‘Why’.

The Beginning of the Internship

              The company that I interned at is a cybersecurity focused organization. They offer services to clients nationwide, with the different areas of expertise being cybersecurity assessments and enterprise technology solutions, to customers private, public and federal. The major customers that Next Step Innovation services are public service industries. These include organizations such as K12 schools, hospitals, universities, and city and state governments. Their federal clients also play a large role in their customer base, however I cannot speak to the true breadth of that side of the company, as I was not involved with the secure work done therein. The organization operates mostly within the southern states and holds large contracts with southern states. It has been branching out to more organizations in states that are outside of the south. The company was founded in 2007 by the current CEO, and the current president. The organization is small in size, roughly 30 individuals are employed there.

              Prior to the start of my internship, I was interviewed by the CEO and the man who was to be my boss. This interview went very well, and both interviewers were very knowledgeable. They were direct in their questioning, and lenient to the gaps in my knowledgebase. However, they both agreed that this would be very beneficial for both of us and agreed to my internship. My orientation started on a Monday morning, meeting with my boss Dr. David O’Gwynn. Dr. O’Gwynn has a PhD in Computer Science, and is the Director of Security, Research and Development, as well as the lead for the cybersecurity team at Next Step Innovation. Previously he was a university professor, which means he has been able to teach me the ins and outs of the trade. This entire internship has been remote, with me residing in Virginia, and the company based in Mississippi. The first day of the internship, Dr. O’Gwynn and I went over what I would be doing for the first few weeks, some of the things he would like to see me achieve in my time there, and what my daily schedule would look like. The first few weeks were going to focus on me getting comfortable with the technical working environment and learning the methods we use within an audit. I was told that most days for the first few weeks I would be shadowing other members of the team, via Teams calls and screensharing, and learning their methods as well. While this meant that I would for the first few weeks be continually monitored in my work, it was not about micromanaging, but about learning, and that the best way the other members on the team have found to learn, is to shadow and watch others in the position. This turned out to be true, that watching others complete work gave me a better understanding of what I was going to be doing here. The initial impressions of the job were amazing, I was completely satisfied having finally gotten a position on a penetration testing team. 
The work culture was great, everyone in the company knows one another. During the daily standup meetings, everyone talks about their current objectives, and any roadblocks that they might be encountering. I see how beneficial it is for the company to have these short meetings, especially when most everyone is remote from one another. This creates an environment where members of different teams can ask questions and receive help from the entirety of the organization. I was welcomed very warmly by not only the people whose team I would be working with, but the company as a whole. The entire experience has proven to be wholly positive, and that was foreshadowed within the first few days of my working there. 

Management Structure

              The organization is relatively small in size, and because of this the management structure is streamlined. The CEO and president oversee all the management suite. The organization is then broken down into teams. Examples of these teams are the cybersecurity team, (the team I have been working with), the networking team, who oversee networking solutions to clients, the human resources team, and others to name a few. Looking at it from another direction, my own for example, one can see how streamlined the structure is. I work on the cybersecurity team, my boss is Dr. O’Gwynn, and his boss is the CEO. I, being the newest member of the organization, am only one degree removed from the CEO. This level of access is not seen at larger companies. This also means that if I were to have had any issues, it would not have been a far stretch to talk to the CEO of the company directly.

              Supervision at the company is never focused on micromanagement. As detailed to me by Dr. O’Gwynn on my first day, the workday was mostly up to the individuals, so long as your standard 8 hours were completed every day Monday-Friday. The only other firm requirement is attendance to the 10 AM EST standup meetings, and any other meetings that may come up. My workday has typically been 8 AM to 4 PM. This is because the person I have shadowed the most is also in the eastern time zone. However, there have been many days when I have worked with the other members of the team who are spread across multiple continents. There have been days when I shadow or work with team members from Europe, whose schedules mean that I wake up early, to catch them during their afternoons. This, however, does not negatively affect me, and I actually view this as a positive, as an ever-changing job never grows boring. It also provides customers with a very unique opportunity. When a penetration audit is quoted, for example 80 hours of penetration testing, that number is broken up by how many team members will be working on it. For example, if 4 people are going to work on the audit of 80 hours, each member will conduct 20 hours. When members of the team are located across Europe and the United States, clients are receiving near 24-hour coverage of their network because when the Europe team is closing their day, the United States team is just starting work. This allows for a more thorough penetration test, by having their network tested during peak hours with heavier traffic, and during non-peak hours, where detection and prevention may be lessened. This in turn gives the customer the most complete look at their organization’s security. This also allows members to shift their schedules around whatever may need to be completed, both personally and professionally. If someone enjoys sleeping in, they are allowed to start later in the day and to work longer into the afternoon. 
The opposite is also true for those who wish to start earlier and finish earlier in the day. I think that this creates a highly effective environment of employees who enjoy their job and enjoy their schedule.

              Another aspect of the effectiveness of the management is their technical expertise. While each team leader is now more managerial in their work capacity, they are also subject matter experts for their teams. In my example, whenever I had technical questions, I was able to go to my boss Dr. O’Gwynn. He was not only responsible for my management, but also for my teaching. This was highly effective, as any issue be them personal, professional or technical, I had one point of contact that I knew to turn to. This creates an environment where answers and help are readily available.

Work Duties

              The following are the typical work duties and workflow that I have followed during my time here in order, however, this changes depending on the needs of the customer. This can be broken down into two different groups of duties, one being administrative duties for the organization, and the other the workflow and duties of a penetration audit. The following are the administrative duties and responsibilities:

  1. Attend all scheduled meetings
  2. Engage in technical training and compliancy training
  3. Submit timecards

The following are the standard duties for a penetration audit:

  1. Review quote for required information
  2. Contact customer for required technical information
  3. Supply customer with a laptop or VM to be used during audit
  4. Complete penetration testing services
  5. Complete review for additional security items (vulnerability scans, networking equipment reviews, database and active directory reviews)
  6. Write reports and findings for the audit
  7. Deliver reports to clients
  8. Meet with client to review report

While this is a comprehensive list, not all items are completed by one team member the entire way through. Most of these items are broken up to be shared across the team, however during my time here I have completed all the items listed above. The bulk of my duties reside in the line items 4-6. All these duties are completely necessary for the company, because removal of any one of them breaks the entire workflow, and without them the penetration audit would never be able to be completed. While all of them are important, the most benefit to the client also comes from the line items 4-6. The penetration test is where the holes or gaps in the client’s network and domain are exposed. This duty will be the findings that are presented to the client. It showcases what a malicious actor can do or see within the environment. It is useful in showing the client what a real attack would look like and how vulnerable to exploitation they are. Secondly, the additional reviews of client systems are highly beneficial. This is a service where the company uses a multitude of automated scanners and manual reviews to do a deep look into the configurations of devices on the client’s network. This includes things like databases, Active Directory environments, virtual environments, Microsoft 365 environments and more. The goal here is to find vulnerabilities in the client’s network that, while possibly not exploited during the penetration test, require patches, updates or additional security defenses. Lastly, writing the reports of findings is the most valuable item for clients. These are the actual deliverables that will be delivered to the client. Without performing this duty, the client would not receive the knowledge they need to improve their security and better their organization. One of the most important things I have been told during my time here is that the role of a penetration tester is a teacher. 
We are here to find the gaps in security and present the findings in a way to teach the clients how to improve. Our first role is to be educators, to educate clients on the most effective defense techniques, and to educate them on the security vulnerabilities in the wild. The three highlighted duties are what make this role possible: by exploiting and reviewing a client’s network, we can educate them on the flaws to promote growth.

              Overall, these duties provide the customer with their deliverable, which is the service the company provides. Without completing my duties, the company would not be able to provide their services completely, rendering the company moot. This has also been a massive takeaway from my time here, the fact that without completing my work the company would suffer. It has been very positive to know that the work I complete directly contributes to the company’s success.

Use of Skills and Knowledge

My skills prior to the internship were lacking. While I was in the military and have worked in IT, I have never worked directly in cybersecurity. Most of my prior knowledgebase has been in networking, radio and communications. While security principles have been a part of the experiences prior to this opportunity, they have never been the forefront of my work experience. There have been massive gaps in the knowledge required to complete the duties, however I have learned through my time here. My schooling has also only prepared me little, as the curriculum does not teach penetration testing thoroughly, and mostly explains some techniques that to me have become outdated. I have had the opportunity to learn many skills during my time here. The following is a list of the skills or tools I have learned:

  • Linux
  • Linux terminal
  • Bash scripting
  • Python scripting
  • GitHub
  • Rapid7 Nessus
  • Project management
  • VSCode
  • Metasploit
  • Burp Suite
  • Hashcat, John the Ripper
  • Cryptography
  • Social Engineering
  • Nmap, Masscan
  • SQL databases
  • OpenVAS
  • SQL injection

The following is a list of the commercially available tools and exploits that I have used and become familiar with during my time at the company. This list is not exhaustive but showcases a wide array of tools that are used in many different capacities.

targetedKerberoast – Responder – NtlmRelayX – PetitPotam – Certipy – ASREPRoast – Coercer – Smbclient – Rpcclient – Enum4Linux – Impacket (secretsdump, wmiexec) – Crackmapexec – Netexec – Tcpdump – Hydra – Eyewitness – Bloodhound – SQLmap – EternalBlue

The skills and tools mentioned above have a wide array of uses. To briefly mention a few of the tools and what they do, tools like Responder, ntlmRelayX, and EternalBlue all make use of the SMB protocol. This in turn means that during my time I had to become familiar with how the SMB protocol operates, and what its uses were. Tools like targetedKerberoast and ASREPRoast utilize the Kerberos authentication protocol. Eyewitness is a tool that screenshots a list of IP addresses over port 80, showcasing what each is without having to manually navigate to them. It also supplies you with commonly known default passwords for applications. Enum4linux, Coercer and PetitPotam make use of misconfigured named pipes and anonymous access. All these tools are intricate, and understanding how each of them works takes not only the knowledge to operate and be able to use them, but the underlying knowledge of the protocols or methods being abused. Knowledge in this case creates an environment where no one is using exploits that may cause severe damage to an organization. Being able to read through the source code, understand it, and then utilize it is a highly valuable skill that I have been working on during my time here.

              The on-the-job experience has greatly changed the way I understand the cybersecurity field. Penetration testing had always seemed to me to be very exciting, and that has turned out to be true. The aspects that I did not anticipate are the true usefulness to clients in undergoing a penetration testing audit. There is real, quantifiable value in the work of the field. The work helps people and organizations to protect themselves and their customers. As with most fields, understanding the scope of it from the outside is limited. Once put into this field, I have started to truly grasp that the scope of cybersecurity is massive. Aside from the work that goes into penetration testing, there are all manner of other disciplines. One of the sub-disciplines that comes up a lot is policy making. When interacting with the clients at the end of an audit, their policy making personnel always ask what policies they can implement to prevent exploitation within their environment. And while technical changes often have the most direct impact, policy also directly influences an organization’s resilience to attack.

ODU Curriculum

              The ODU curriculum has slightly prepared me for the work I have done during my time here. There have been classes I have taken that have brought value, and others that have not. The classes that have brought the most value would be those that taught Python and Python scripting, and Linux administration. The work I have done here has benefited from having a base knowledge in those two disciplines. I have been able to grow that knowledgebase from the initial classes and start from somewhere other than the bottom. While the other classes are not un-beneficial, the work of penetration testing doesn’t benefit as much from something like Windows server administration, solely because during an audit you are not setting up a Windows domain, you are exploiting it. The classes that teach the basics for something like Windows administration do not go over how to break into a Windows server. I will digress and say that understanding how a Windows administrator manages a server environment is still beneficial, but in contrast to learning something like Python scripting, it is less beneficial.

              One of the biggest connections between what I have learned during my internship and what I have learned during my time at ODU is time management and organizational skills. The company I have been working at stays very busy, and new work is continually coming in. If I did not stay on top of my work and complete everything in a timely fashion, it was easy to fall behind, and hard to catch back up. Managing my time and working most effectively always produced a better working environment for myself, and for the team. This also correlates to my time at ODU, where staying on top or ahead of the school schedule allowed me to not fall behind, to not let my grades suffer. I notice the same things across both, that falling behind is easy, and makes catching up to schedule twice as hard. This is a valuable skill that translates across any discipline, when others or you depend on you for work, it is best to ensure timely completion.

              Organizational structure also plays a key role in both school and work. In school, maintaining different classwork and juggling different class schedules requires organization. Ensuring work for one class is separate and distinct from another allows me to work efficiently. In this way, keeping separate folders and directories of work completed for different classes makes finding a required resource much easier. This translates to my work at the internship as well in an even higher capacity. During an audit there are many deliverables and moving pieces for a client. Oftentimes, files for one client can become confused with files for a different client if proper organization is not met. This creates an even more dangerous situation than accidentally turning in the wrong work for a class. The audits completed for clients contain proprietary and confidential information, which has serious repercussions if accidentally shared to those without the need to know it. On this note, it is imperative to maintain separation and organization between client work, especially when multiple audits may be in the process at the same time.

              Lastly, the biggest experience here that revealed a new concept that I have not learned in school is a preemptive or proactive approach to work. While the coursework for ODU has due dates, and the internship the same, the due dates for the internship work is more highly valued when turned in ahead of time. Clients are highly appreciative of work that is turned in ahead of schedule. This is a quality-of-life adjustment that has a positive impact on how the community views the company. This is the first company I have worked for that the work really feels valuable, and the public image feels important to me to maintain.

Objectives Fulfilled

The three learning objectives were:

  • Plan, conduct, and generate deliverables for cybersecurity audits and penetration testing engagements.
  • Develop toolsets to streamline cybersecurity audits and penetration testing.
  • As needed, perform system administration/helpdesk tasks.

The three outcomes were:

  • Become proficient in the tools of the trade. The ‘What’ of penetration testing.
  • Become knowledgeable about the business life-cycle of auditing. This is the ‘How’.
  • Understand why others are interested in the field, and why they have chosen this career and company. This is the ‘Why’.

Of the learning objectives, I successfully completed all three during my time at Next Step Innovation. The core of my work was the first objective, conducting and generating deliverables for cybersecurity audits. This was my overarching goal every day, to complete a part of the process for an audit, and at the end of the week or however long the engagement lasted, present the client with detailed findings. This objective felt the most important and was the driving force of my daily schedule. This objective was fulfilled and was satisfying to complete. Seeing the entire process through from start to finish was highly rewarding, not only in the detailed reports that were created and the satisfaction of a job well done, but in the feedback from clients. The clients were always highly receptive and motivated to take our findings into consideration within their environments.

              The second learning objective to develop toolsets to streamline the audit process was also accomplished. Throughout my time here I was able to contribute knowledge to the team. I was a part of the effort to document the tactics and procedures used in the audit process, to streamline the learning process for future hires. With this documentation, new hires would be able to follow the procedure with minimal support from team members, and still complete the procedure. I was a part of the team that wrote deployment scripts for new laptops. This is useful when connecting to a new machine and setting up a remote environment without manually installing tools. Instead, when connecting to a new remote environment, you could run the scripts we created and have all the tools downloaded and installed automatically.

              The last learning objective of performing system administration when needed was also fulfilled. During my time here I was able to assist other members of the team with system administration tasks such as network connectivity. This objective was not as common as the others, while still important in maintaining an efficient and effective work environment for the team.

              The first outcome of learning the tools of the trade, or the ‘what’ of penetration testing was fulfilled. As detailed before, I have become proficient with a multitude of useful tools. This outcome could not have been accomplished in a classroom but required the actual environment in production scenarios. My time here has given me so many useful tools for my proverbial toolbox. It has also given me the understanding that the many tools I have become familiar with are small in comparison to the available tools out there. This outcome has given me the ‘what’ for penetration testers, but also has left me understanding there is always more to learn.

              The second outcome of learning the business life-cycle of a penetration testing audit, or the ‘why’ has also been fulfilled. I have learned the ins and outs of penetration testing, from beginning to end. The life cycle here is a multistep process, where each step is building upon the one before. The life-cycle starts with client communication, understanding their needs and agreeing to provide them with a service. The middle steps involve gathering information, and finally presenting the information to the client.

              The last outcome, and the most important, is understanding why I and others have chosen this field. This again is the ‘why’ of penetration testing. Aside from the way that movies portray it, there is much more to penetration testing than ‘hacking’. Hacking is the most commercially exciting aspect of the job, but the end goal is knowledge. As I have mentioned, other team members always state that our job is to educate the client. We are performing this service to help people, and the best way we can do that is to teach them how to fix issues, not just to show them that there are issues. This ‘why’ is the most important to me of the outcomes, because it shows that this job is ethically and morally responsible. Teaching others is a responsibility to those with the knowledge to do so. Without passing on the knowledge learned from the penetration tests, the information found therein would be useless. Speaking in depth with the other members of the team about why they chose to work at this company was also enlightening. The team members here all agree that working for those that work for you is important. High praise is given to the team leaders for their knowledge in a professional capacity, as well as the welcoming dynamic they bring personally. Of the members of the team I am a part of, two were former students of the team leader. I have seen that a good work ethic, as well as a desire to learn has been rewarded here.

Motivating Aspects

              The most motivating aspects of this internship were the company dynamic, the amount of knowledge there was to be learned, and the ability to work remotely. I was welcomed very warmly at the start of my time here. The company and all personnel are friendly, knowledgeable and personable. No one at the company was anything but the best at their jobs, and because of its relatively small size I was able to interact with almost everyone there in some capacity. I enjoyed working with other people that wanted to work there and who wanted to do their best. There was never an instance where I found another person there not giving 100%, which motivated me to give my 100%.

              From my first interview with the company, I knew that there were people who have had decades of experience, from whom I could learn many things. This motivated me to show up and give my all, because without that how could I expect others to give me their all. Every single person on the team I work for was able to teach me something I did not already know. I work best in an environment where everyone around me has knowledge to give. The internship provided the perfect scenario for that to occur, where everyone I worked with was able to teach me something new and exciting.

              Lastly, I have highly enjoyed being able to have the opportunity to work remotely. I started my collegiate journey at Tidewater Community College and transferred to ODU last year. I have been a remote student for all those years. Being able to work and go to school remotely has been highly satisfactory for me. I enjoy working at my own pace and being able to complete all my work for both school and work from the comfort of my own home. I have grown tired of working in offices and commuting, and this opportunity has motivated me to search for remote work indefinitely.   

Discouraging Aspects

              Of my time at Next Step Innovation, I have not found myself discouraged very often. I suppose initially I was discouraged when I was not able to figure things out on my own.  There were times when I would be given a task, and as an independent individual sometimes I do not like asking for help, but I would have to. However, this discouragement was quickly displaced when I learned that team members were always more than happy to assist me. The most discouraging part of this internship was knowing that I did not know enough at the start. This has also subsided, knowing that learning is the only way to change that, and thus forcing me to continually learn.

Challenging Aspects

              The challenging aspects of the internship were some of the most rewarding. Learning how to manipulate vast datasets was challenging and has proven to become easier with more practice. Learning how to read code has been challenging, specifically when there are no comments, and you must figure out what each line does based solely on the code itself. I have been challenged in troubleshooting my own code, or the code of others when there are errors. I see these challenges as riddles, and they are always rewarding when overcome. The work itself is challenging but is highly gratifying at the same time.

Recommendations

              For future interns, I cannot recommend the company I worked for highly enough. My time here has been challenging, rewarding and gratifying. For preparation, I would suggest learning as much basic Linux knowledge as possible. I would suggest becoming comfortable without having to use a GUI, learning how to quickly move around within the terminal. I would suggest learning Python and Bash scripting, as both are used to automate tasks, which can improve your work and save you time. I would suggest starting to learn publicly available exploits and how they work, while not suggesting they use them anywhere except a virtual environment that is not publicly facing. I would suggest learning all the skills and tools I have written about in this report, as they are all useful in some capacity. I would suggest they focus on absorbing information about penetration testing and start working towards industry certifications. Talking with members of the team, the most valuable certifications are Security+, CISSP and OSCP for penetration testers. These are highly valued and make you a successful candidate when interviewing.

Conclusion

My main takeaways from this internship are that there are always things to learn. Education does not stop when you have a degree, and to be successful in this industry you need not only the degree, but certifications and continual knowledge. I am focused on furthering my education and plan to take graduate courses next year after graduation. I am currently enrolled in OSCP training to complete that certification and am planning to work towards CISSP when that is complete.

This experience has shown me what a successful small business looks like, one that cares about its customers and delivering the highest quality product and services. I am grateful for my time here and know that this knowledge could not have been attained elsewhere.

Moving forward through my last semesters at ODU, I will take away not only the knowledge I have learned here about technical aspects, but also personal. As I have mentioned I have gained a more proactive approach to organization and have seen the benefits of it firsthand. I look forward to more opportunities like this, and I have left with the knowledge that attaining a degree is just the first step.

              Moving forward, I am set on staying in the cybersecurity field. There is nothing about this career that I have not enjoyed so far, from continual learning to overcoming challenges. I have been validated in my choices that this is a career that I want to pursue. Other than the items mentioned above, I plan to continually better myself, professionally and educationally.