Conscientiousness as a(the?) Primary Hacker Attribute

grit-2

Many are familiar with the Briggs-Meyers personality test, where you end up with a score like INTJ (mine).

What fewer people know is that this personality test is largely deprecated within scientific circles, and has been replaced by a superior system called the Big Five Personality Traits, also called OCEAN.

The traits that make up OCEAN are the following:

  • Openness to Experience: the willingness to try new things

  • Conscientiousness: self-discipline and attention to detail

  • Extraversion: gaining energy in social settings

  • Agreeableness: general concern for social harmony

  • Neuroticism: the tendency to experience negative emotions, such as anger, anxiety, or depression (for this one low scores are better)

Although the traits are generally set up to be equal, conscientiousness is widely considered the most important one in the group.

[ NOTE: Intelligence is considered a separate but supremely important trait as well, and some versions include it. ]

You may have heard conscientiousness getting press in the last couple of years as grit, with many studies showing that it predicts success more than any other factor, including IQ, grades, education, etc.

The difference between good and great hackers

Most think hacking computers is something like Matrix dodging bullets, or defeating Agent Smith in the final battle. Basically a short burst of genius or exceptionalism that cannot be stopped.

The reality is less sexy, but more interesting.

I’d be willing to say that the best hackers aren’t necessarily those with the best programming skills, or the highest IQs, or the best educations.

The best hackers are those who simply don’t give up. They plod forward, methodically, mercilessly, bringing to bear their countless skills that have been honed over time by that same persistence.

And as it turns out, it’s usually possible to get in if you put in enough time. But it’s painful time—like sifting through grains of sand on a beach until you find the one grain that is made of Unobtanium.

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

Everyone should know that the plural of anecdote is not data, but I have seen countless situations where a super talented tester pokes around on a website for a few minutes, finds nothing, and gives up. And then a less flashy tester comes behind him and turns over every single rock, and ends up with major bugs.

Discovery, bug bounties, and pentesting

The way this translates to bug bounties and other types of real-world testing is fascinating.

In bug bounties, it’s a race to find the most interesting bugs so you can get paid for them, and they go quick. The best testers I know in the space all have a similar approach.

They put massive effort into discovery.

They don’t just go after the main domain and throw 50 tools and their manual methodology at it. No.

They start with things like:

  • Check the scope of the engagement very carefully

  • Find all subdomains that are in scope, including those that are quite hard to find

  • Look for IP space that is in scope but might not be scrutinized by most hunters

  • Find all IPs listening on web ports

  • Find all sites listening on those ports (it’s often many on a single port, of course)

  • Find all the content on those sites, not just the easily discoverable stuff

[ NOTE: I created the RobotsDisallowed project to help with the last step. ]

Persistence of effort is also a major factor in the asymmetry between attack and defense in the real world.

Top-tier adversaries have people on staff who will pick through ever grain of sand on your beach until they get in, and they do it quietly, over weeks, months, or even years.

Summary

  1. Don’t underestimate the power of self-discipline and persistence in the security testing and overall information security arena

  2. Conscientiousness (grit) is one of the most important personality characteristics for overall success in life, and this especially applies to being a security tester

  3. Success in security testing is heavily weighted to persistence of effort, and those with low grit often give up very quickly and don’t find the good stuff

  4. If you’re a company looking to employ someone as a tester, look for evidence of conscientiousness in their online presence as an additional factor of hiring. It’s like the ultimate work sample

  5. If you’re a tester looking to up your game, focus on being more thorough and methodical in everything you do

Notes

  1. The less-mentioned but often considered to be an equally important trait is intelligence.

  2. My buddy Jason Haddix (Director at Bugcrowd) had another observation, which was that the initial deluge of vulns that come in are often mediums, and then towards the end the badass testers bring the criticals, implying that they’ve likely been doing discovery while others were racing for the easy stuff.

  3. If you want to read a rad book related to OCEAN, I strongly recommend Spent.

Related posts: