Penetration Testing mailing list archives
Re: Need Some Guidance Please
From: Todd Haverkos <infosec () haverkos com>
Date: Thu, 23 Apr 2009 01:47:57 -0500
Elizabeth Tolson <elizabethtolson () gmail com> writes:
Hi Everyone: I am finishing up my Master's Degree in Information Assurance from Capitol College. I had one Penetration Testing class which I really enjoyed. I have done some research on Pen Testing and this seems to be something that I might be interested in doing. During my research, I saw someone who was a Licensed Pen Tester/Consultant. Basically, he was hired by companies -- anywhere from banks, law firms, accountants, merchants, etc. -- to conduct pen testing. He would "ethically hack" without the employees knowing it. He would also do some pen testing via social engineering. He would conduct Pen Testing during different hours of the day and night to discover vulnerabilities, etc. After the testing, he would submit a report to the president/owner of the company with suggestions on making his network a stronger, more secure network. Does anyone do this as a consultant? Or is this guy blowing smoke and this is not a "real job"? I have seen some companies that do this, but have not seen any individuals who do this.
Hi Elizabeth, I'm happy to report that he wasn't blowing smoke. Such positions/individuals not only exist, but remain in fairly strong demand involving a niche skillset for which it's difficult to recruit. I work as a security consultant for a large security shop. In the past couple weeks I've done everything you said in the past paragraphs. It was done blind w/o employees knowing, and it was closely held within the risk management executive leadership so they could get a good pulse on what their exposures were without biasing results by tipping off employees. Engagements do vary but the blind ones are always interesting.
Also, if I am interested in pursuing Pen Testing, what certs would you recommend? What additional training would you recommend? What books would you recommend?
I don't have a magical formula, I'm afraid. There are several ways to skin that cat. For whatever it's worth, I happen to have the EC Council Licensed Penetration Tester cert (as well as their CEH and ECSA). But the value of certs in general is always a hot subject for debate. EC Council's certified ethical hacker cert is a reasonable entry level cert that isn't too daunting, but like any certification is no strong guarantee of competence or character. I have several current and former coworkers that I respect enormously who have no certifications at all, but who are nonetheless top shelf pen testers. All the same, having some sort of cert does tell prospective employers that you didn't just wake up yesterday and decide to apply for their security related position.

There are some very good training companies and strong pen certs out there that have been mentioned on this thread. The cert is less important than the quality of the instructor and curriculum. I was very impressed with Jack Koziol's Infosec Institute training. What works for you though will involve decisions based on what training is near you or you can otherwise afford (or what your employer will pay for in a given year). But finding a job where you can actually do penetration testing as part of your work and work in varying environments is extremely valuable.

To get your foot in the door... I'm not sure of any one magical path. In my case, I started in a networking related position in a rather large company and made a beeline for their security group when the opportunity arose.

Books... the trouble with them is that the publishing lead time is such that they can't be up to date, as security and threats move so fast. But among those that I've personally found worthwhile: Hacking Exposed (and friends), Database Hacker's Handbook (also several things in this series too), Web Application Hacker's Handbook, Hacking: The Art of Exploitation... are some titles from my shelf that come to mind.
<plug style="shameless"> and run (don't walk) and pick up a copy of UNIX and Linux Forensic Analysis DVD Toolkit</plug> even though it'll do little for your pen testing. :-)

Conferences though... that's where you can get a lot of bang for the buck. Get thee to Defcon this summer in Vegas. It's quite affordable, you get most of what you'd see at the more corporate Black Hat, and you'll be surrounded with an eclectic mix from script kiddies to penetration testing pros. It's very useful brain food. Black Hat is great, much more corporate oriented, but it is expensive. I've also heard great things from colleagues about ShmooCon, RSA, CanSecWest. ethicalhacker.net is a growing community and their Chicagocon 2-day seminar is coming up soon as well, and is quite affordable.

Hope this gives you some ideas. If this is a career direction you're considering, you'll find your skills rather in demand once developed. The threat landscape is getting more and more complicated, and now that the bad guys have moved into the for profit realm, such work will continue to be a growing part of organizations' risk management approach to business.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
http://www.linkedin.com/in/toddhaverkos