RE: How to become a professional penetration tester?

["Spencer, Ed M. -ND" <Ed.M.Spencer.-ND () disney com>]

Just as a side note, I have found more people with degrees in music or
professional musicians working in IT than people with IT degrees.

As for becoming a professional penetration tester, I've found that a good
understanding of the basics, and an ability to explain that information to
management is important.  All the knowledge, and abilities in the world
won't do you much good unless you can explain what you've done.

I agree with the statement below: there are many ways to polish and develop
the skills needed to do penetration testing.  No matter where you get the
basics and the skills to do penetration testing, understanding the data
being protected is invaluable.  It's the 'Security is a process' mentality
you have to build and pass on to those you work with/for.

Basically, think of a penetration tester as being part:

Administrator (Unix and/or NT)
DBA (You are trying to get data, right?)
Programmer (especially a little C/C++/Perl)
Network Admin (a good understanding of IP, Vlan's, etc.)
Security Admin (firewalls, IDS, sniffers)
Network Design (gotta be able to design a solution)
MBA (again, back to the business case)
Comedian (a good sense of humor always helps keep your sanity)
Politician (only for Tact - and no one shows it better - except maybe a
military officer)
Technical Writer (you have to put together reports when you do the work)
Hacker (the good kind - you gotta like to tear things apart and see how they
work... push the envelope and more)
Priest (ethics - I couldn't think of a better example - I'm sure there's one
out there somewhere)
Lawyer (understanding of the basics of law - HIPAA, CIPP (CIAO), state laws
regarding crime)
Detective (investigations are part of the job - including forensics)
Teacher (have to explain things to others/do presentations)

And while I'm sure there are other things that should be there, you need to
have a basic sense of everything... while you can specialize in almost any
area, an overall understanding of everything makes you more valuable.  Think
of the CISSP - it's a test on 10 areas of knowledge and only 250 questions
(and 6 hours).  25 questions per area.  It's a broad spectrum of knowledge
you are expected to know - back to the jack of trades.  You can specialize,
but then you really need a team to complement your skills in the areas you
don't have (which is always nice).

It's hard work staying up to speed on the technology, business, and other
advancements, but if you really enjoy what you do it all seems worthwhile at
the end of a long day....

Good luck in perusing your career!

Ed Spencer
MCSE/MCT/CNA/A+/Network+
Security Analyst - IS Security
Renaissance Worldwide, Inc. - Walt Disney World
 
This communication is confidential, intended only for the named recipient(s)
above and may contain trade secrets or other information that is exempt from
disclosure under applicable law.  Any use, dissemination, distribution or
copying of this communication by anyone other than the named recipient(s) is
strictly prohibited.  If you have received this communication in error,
please immediately notify us by calling (407) 566-5195.  The ideas,
opinions, and information expressed within the above email are the express
sole opinion of the author and are not the opinion of the Walt Disney World
Corporation.  Thank you.


-----Original Message-----
From: batz [mailto:batsy () vapour net]
Sent: Monday, June 18, 2001 12:00 PM
To: Jim Utkin
Cc: 'David Fuller'; 'Pen - Test List'
Subject: RE: How to become a professional penetration tester?


On Thu, 14 Jun 2001, Jim Utkin wrote:

:Being a security professional IMHO is the hardest specialty in
:Information Technology, you have to be good in almost every aspect of
:IT, but an expert at none.

Agreed, but with one additional comment. As a security professional, 
you have to understand the business needs for security. In fact, you
will probably find more security consultants with business administration
or even MBA's than you will comp.sci backgrounds.
 

Whether this is a detriment to the field is still open to discussion, 
but as far as how to start; A good (capital 'H') Hacker can be a 
passable intrusion tester, a good strategist, administrator, or analyst 
will be a good security professional. 

It's the difference between a technician and an analyst, which in my
mind is about $40k. 


--
batz
Reluctant Ninja
Defective Technologies