Penetration Testing mailing list archives
Re: [PEN-TEST] How to "break into" the Pen-Testing field
From: Bob Radvanovsky <rsradvan () UNIXWORKS NET>
Date: Sat, 9 Sep 2000 10:37:55 -0500
At 04:06 PM 9/8/2000, you wrote:
> I am wondering how did the readers of this list get into the pen-testing field? What steps did you take to get from where you started in the field to where you're at now? Did employers train you? Did you get promoted into it? Did you create the position yourself?

Some people would say that they learned it during their years as hackers breaking into Pentagon and NORAD systems in the 70's and early 80's. Other people would say that it comes easy to them. While still others have been "elmered" (mentored by a master hacker) in the Art of Hackerdom.

I consider penetration testing & analysis a form of hacking, but highly controlled and very focused on its objective. To those who love challenges, have a keen sense of vision (have a macroscopic view on life as opposed to microscopic view) and could/would sometimes be considered "paranoid" (always looking over their shoulders even though they've not done anything wrong) -- then this field is the type for those people. Give them room -- LOTS OF ROOM -- give them a task and a final objective or accomplishment, and you'll have your answer(s).

I consider hacking an artform, one in which it is a fluid-like study, constantly changing and altering to mankind's current paranoias or states of mind. The artform is a form of expression, one that allows every person who partakes in it to express how they would perform a certain task, in a different method, or attack/approach the subject from different perspectives (think of the phrase "thinking outside of the box"). It's not something that many feel that you learn within a classroom, though there have (in recent years) been classroom settings which have attempted to show/demonstrate how hacking works.

DISCLAIMER: I know that there are some that will be quick to correct me on the term "hacking", as there are some purists who feel that "hacking" is the exploration for data/information in its truest sense (to find out knowledge about something to its finite degree); whereas, others feel that "hacking" is an extension of "cracking", "phreaking" and "pen-testing". Forgive me (to those who are the purists) -- as I am using the term loosely.

> Pen testing & security is a very interesting area of the IS field I would like to break into but many positions posted are requiring years of pen-testing skills which I just don't have outside of my personal lab at home (combo of Win95,NT Srv, RH Linux). Would you recommend starting at a big 5 firm? A small firm? Fortune 500's? Has anybody heard of any pen-testing firms in St. Louis?

Security and auditing companies are still attempting to figure the mindset required for "pen-testing". Quite simply put, I feel (in my humble opinion) that in order to "catch a thief, you have to think like a thief". Now... whether or not this implies that you first have to be a "blackhat" first before becoming a "pen-tester" (I feel) may be irrelevant to why such companies are looking for these types of people.

Similarly, I would use the following analogy: many "soldiers of fortune" went into security fields after the various wars and skirmishes that have been found since Vietnam; how did those people learn? Simple. They learned by doing it, by being there, by experiencing it -- first hand -- and seeing all the techniques and methods used, and using them against "combative targets" in real-time, real-life.

To be honest, it would be difficult to practice for such techniques, as our laws prohibit (obviously, that's why you're reading the articles here) such activities. Under a "lab environment", it would be difficult to simulate such activities, unless you've recorded every single network packet captured over <x> period of time. This is costly (time, resources, materials, etc.), so something such as this may also be out-of-the-question.

In closing, I don't know. Study a few books and get an idea first of what it means to be a hacker, a cracker, a deviant, a pen-tester...a thief. There are a number of good books that will allow you to get your studies done. Remember: it's not just the technique that you want to study, but the mindset -- the psychology that goes behind the artform.

Start first, with acquiring the book about warfare techniques: The Art of War by Sun-Tsu. Worthwhile if you want to know how warfare techniques are used -- even today. Believe it or not, this is required reading for military officers (or at least, was required reading) who went into combative situations. A complement to this would be "Information Warfare" by Win Schwartau, though a bit outdated on some of the tactics, still worthwhile reading for strategic-level reading. Next, look at "Hacking Exposed" by McClure, Scambray, Kurtz; also look at a more recent book called "Hack Proofing YOUR Network" by Kevin Poulsen.

I know that some of this thread may have gone around the subject, but first know your audience first before engaging under combative situations. This will not get you "killed" if you have some guidance.

Hope this helps...

Bob Radvanovsky
rsradvan () unixworks net