Penetration Testing mailing list archives
Fwd: Re: Requesting Informational Interview
From: "Rob" <wia () ignoranceisbliss info>
Date: Mon, 22 Jun 2009 16:55:19 -0500
---------------------------- Original Message ----------------------------
Subject: Re: Requesting Informational Interview
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Tue, June 16, 2009 1:27 am
To: wia () ignoranceisbliss info
--------------------------------------------------------------------------

On Monday 15 June 2009 19:30:10 Rob wrote:
Hello all.

I am sure you all have seen many of these questions posed on this list, as well as others. I am aware of the typical answers of, write a program, compile a new LiveCD, etc. But I was hoping to try something a little bit different.

I have found myself in a precarious situation. I have been in between jobs since October and am now finding myself able to attend some schooling. On this path to schooling, I was posed with a very interesting question. "How did the others that do what I want to do, get there?"

I want to be a pen-tester.

I have been working with computers for over fifteen years - eight of those professionally (Help Desk, SysAdmin, InfoSec Admin). I am fluent in Windows and can get done what I need to in Linux. I am good at just about everything, with the exception of databases, coding and routing. I am almost entirely self-taught and simply have not done that type of work, yet...

I did attend a class at a school that I will not name (they have earned no plugs through me), though many of you have heard of it. I also certified afterwards. It is a certification that is very similar to a CISSP, though it is more technically based.

So, to all of you pen-testers out there, if I could please ask you for 10-15 minutes of your valuable time. If you could either reply privately to the questions below - allowing me one reply with any questions that you may have invoked. Or if you would prefer to be contacted via phone - a private message with a number and the best time to be contacted, would be appreciated. If unsure, please choose the first choice.

My questions:

I am trying to discover the best path, to get me from here to there. What was it that you did to get there?
You must understand the difference between the different kinds of security professionals, and it will help you to get what you want.

Your choice: Pentester.

A pentester is a security prober/tester. His mission is to understand and test what is going bad on security and document it, in other words:

- Test for bugs/mistakes on security
- Measure the risk and evaluate scenarios...
- Make recommendations.

-------

I like to define a pentester as an alchemist of security matter... It will require a lot of knowledge about the matter; it's more experimental rather than a science.

The main factor in his success is: how deep he goes. The deeper you go, the more your reputation goes up, because the goal of pentesting is to prove that some more formal audit is required.

--------

I don't like to mention this word: hacker. But a pentester needs to act like a hacker. Ethical Hacker.

Then, I recommend you get a course/book in Ethical Hacking (CEH Certification should be good for that purpose).

There are two main points...

1. How to exploit it: CEH course or similar. Also you need to correlate the exploitation (called Escalation). Escalation is the word.

AND.

2. The core of security: know what security is. You as an admin should know about it. You need to know the risks... Know how to measure the value of the information...

For example: some people don't even think that email lists and names of some company are important. But you could measure the risk:

- SPAM. (Low threat), but causes a downgrade in corporation bandwidth
- Password prediction. With sufficient data about the people, an attacker could predict the password (some common passwords like social security number, passport number, telephone number, whatever)
- Corporate spy proposals / corruption. Some mid-range workers could be prone to corruption. Email could be the way to find it.

What do you think are the good parts of the job?
Good earnings and fun with a good portion of adrenaline.

There is also no schedule to follow. You can do this work at 3am or 11am, and explain that a real hacker won't select an 8am-5pm schedule.

And if you are good, the results will always put a smile on your face.

The results are a definitive thing. Unlike other computer-related topics (like programming or administering some system), when you end, you certainly finish. There are no things like: "Oh, please, could this button be at the left side of the window?" or... "I unintentionally deleted the MS Word icon, can you put it there again?"

What do you think are the bad parts of the job?
Heh. The report is boring.
What is it about pentesting that keeps you coming back? Do you have any recommendations on what to watch out for?
There is some useful theory learned in CEH courses. But I also recommend practice. Public wargames and "The virtual machine" are pretty useful.
If you were able to do it all over again, would you go back into pentesting?

Maybe yes. I like pentesting. But learning the skills to be a pentester makes you different. An admin could be curious to watch the files in your managed systems. But a pentester should be curious, should investigate everything on the system...

From numbers to passwords... From files to registry and logs...

You should act as a medic when you are a pentester. The deeper you go, the more you know about the people, but it should be only for professional purposes. I won't tell lies: you will know more than you can handle... And you will need to forget everything that you know that is not so useful for your test. At the beginning it is really hard.

--
Thank you so much for your time. It is very much appreciated.

Rob Thompson

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
--
Ing. Aaron G. Mizrachi P.
http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1