Penetration Testing mailing list archives
Re: [PEN-TEST] How to "break into" the Pen-Testing field
From: "J. Oquendo" <intrusion () ENGINEER COM>
Date: Sun, 10 Sep 2000 13:00:05 -0400
> I am wondering how did the readers of this list get into the pen-testing field? What steps did you take to get from where you started in the field to where you're at now? Did employers train you? Did you get promoted into it? Did you create the position yourself?
I started out with goal-oriented studying at the infamous PacketStorm back when Ken Williams had about 9000+ hits and Underground Security was sort of a taboo issue. I read anything and everything I could, and posted tons of stuff on the forum, although I waited about 6 months to do so, in order to get a feel for the people there. It's difficult to sit and read through hundreds of news server posts as well as mailing lists, so I narrowed it down heavily at the time to 3-5: Showdown.org, PacketStorm, Bugtraq, Technotronic, the mailing list at toad.com. I started off as a sysadmin and pestered the company I worked for to jack up their security and proved I could do it and maintained it for a while before I began to look for a security oriented position ONLY.
From there I had the opportunity to move to a large network where I learned more from more knowledgeable people and maintained a large number of people I could correspond with.
> Pen testing & security is a very interesting area of the IS field I would like to break into but many positions posted are requiring years of pen-testing skills which I just don't have outside of my personal lab at home (combo of Win95, NT Srv, RH Linux). Would you recommend starting at a big 5 firm? A small firm? Fortune 500's? Has anybody heard of any pen-testing firms in St. Louis?
Experience does count heavily for large companies and you should try to break in via a small or mid-sized company. It worked for me and I'm sure a minimal percent of the people just didn't jump on the scene as CTO of BigCorp.com. Everyone has to start somewhere, and sometimes larger companies won't provide the opportunity to work with other technologies you would at a small or mid-sized firm, since most of the architecture is in place already and would cost a hefty amount to mix technologies, such as a big firm running Checkpoint, Pix, Netscreen. It's uncommon and most tend to select a specific vendor/product and stick with it. This is an advantage of smaller corporations, especially companies which outsource network/security/etc. products: you get to play with all sorts of neat things.
As for the testing portion, I suggest heavily reading and understanding what's going on without thinking that a simple scan of a site will render you the option of penetrating it. Understanding architectures, networking, and "computer-psychology" (art of understanding how and why people may have set up their network and what their network does) is valuable. Along with the techie stuff, I tend to diagram things in a personal notebook I get and cross analyze information. Setting up a network at home is pretty cool, but take into consideration no two networks will work the same, and unless you can afford all the different types of hardware/software companies use it can become fruitless and waste time. Offer pen tests to friends, smaller companies, and see what you can do and can learn.
I started from scratch as I switched over from the advertising field, where I used to work at one of the top ten advertisers in the world. Although I could've made more money and would have less stress, security is something I enjoy and this is the greatest factor you have to weigh.
There are a lot of times you can get frustrated breaking into the scene. Simply remember, if you're doing it, do it for the love of it and you'll learn a heck of a lot more than if you're looking at it from a "I have xxx cert and will make xxx amount more money if I work for xxx corp." Do it for yourself at your own pace.
my two cents... greets? heh too many to list...