Penetration Testing mailing list archives

Re: Just getting started in pen-testing


From: Matt - MRS Security <matt () mrssecurity com>
Date: Tue, 11 Nov 2008 19:42:33 +0000

Every business with a computer/presence needs a pentest, from the one-office startups to the multi-billion dollar companies.

Vets, doctors, dentists, telcos, insurance, manufacturers, your local quicky-mart that takes credit cards, etc.

Desktop reviews, server reviews, network device reviews, firewall rule reviews, VoIP review, internal reviews, BES reviews, Active Directory reviews, password reviews, user reviews, social engineering, VPN, war dial, ISDN, internet review, network IDS/NIDS, web application - oh man, I could go on.

Working as a freelancer you are going to have to prove why the bigger boys (NGS, NTA, NCC, MWR, MCI/Verizon, Deloittes, IBM, PWC, etc., which all have a world-wide presence) are not the people to go with and you are. You're also going to have to prove that you as a person can deliver small to large projects on time and in a process that the customer likes, unlike other companies who already have established routines both with testing, reporting, and solutions. You're also going to have to market yourself to these companies.

You're also going to have to sell to a company with presentations why they should part with their money in these rather economically screwed times.

Start with A in the telephone book and work through to 9.

Phone your friends, and ask them to phone their friends. Obtain contracting work from a pentest company. Make a name for yourself.

To be honest, I would either sub-contract to a company with links into other companies (that's what I did) with my friends (Myself, Robert and Steve!), join a pentest company or hire a sales guy - you must know a few people in this industry (you posted articles to 2600 a few times) so ring them up and ask for work! :D

Matt.


m0rebel wrote:
Thanks for the suggestions everyone, but my original questions remain
unanswered: What advice can you give about _working as a freelancer_,
and what type of _small businesses_ need pen tests? I'm doing other
research into these questions, of course, but it only makes sense to
ask other pen testers.

I know my dark-themed website is untraditional in the pen-testing
industry, but it was a deliberate decision. If I wanted to market
myself differently, I wouldn't have chosen the name Bandit Defense.
I'm also not asking for advice in how to advance my career as a pen
tester, or what other certs to take. I'm just trying to hear from
people who have also worked freelance, and who have had customers that
weren't medium to large corporations.

J, I don't know why you assume that I only use automated tools and
that I'm a scriptkiddy, but I apologize if my website scared you away.

m0rebel
Bandit Defense


On Mon, Nov 10, 2008 at 2:58 PM, J. Oquendo <sil () infiltrated net> wrote:
On Mon, 10 Nov 2008, Matt - MRS Security wrote:

Hey J.

I think that direction towards courses as a recommendation would be
suitable for people so they could launch themselves towards getting
certain qualifications.

I think getting a few people to commit to helping out would be the way
forwards. That's if Erin wants a FAQ.

Thanks

Matt.
Interesting but I believe it's a dual-edged sword - the certificate approach.
I started getting certs recently with an already established background
in infosec. I don't and have never needed them, not to mention, to be honest
about it, the only thing they've gotten me so far is more email, more
paperwork... With this said there is also the flipside of things - I have
learned to broaden my horizons with them, but this was post-cert.

Pentesting to me as I said before is similar to an art. There are far and
few courses worth looking into as far as certifications go. For example,
my most "coveted" for lack of better terms cert is the OSCP because I
actually re-learned things and saw them from a different angle. This does
not mean it should be viewed as the "de-facto" cert to get however, I'd
personally respect interviewing or meeting another OSCP over a CISSP, C|EH,
etc., and this is not to take anything away from those cert holders so I
don't need CISSP's to come complaining about apples and oranges.

My problem with the cert route is - unless you're going to re-cert with
that body, it will be useless as the industry changes at such a rapid pace.
There would be too much to learn for one sitting period especially in a
year's time frame. Right now I'm doing CISM studies - which I could care
little for (managerial) however, I enjoy learning the business processes
involved with security governance. There is more to it all than just
tools ;)

Does this mean I want to revamp and push papers (not taking anything away
from security managers)... The answer is no. I study and learn constantly
to understand it all as in-depth as I can. I usually tell others who ask
me to understand network and systems heavily before even focusing on tools.
I believe in doing so, they'll be able to understand the inner workings of
it all and quite possibly create their own tools, methods, etc., so am I
wrong in thinking along these terms?

Now let's go to the working class "Joe the Plumber" - the real "Joe the
Plumber" who doesn't make 200k per year. You expect him to fork over X
amount of money on "recommended" courses? Recommended by whom and why? Do
you believe that everyone can recommend courses without introducing
polit(r)ic(k)s into the mix? I sincerely doubt this.

Also because pentesting is extremely broad, what course if you can actually
find any - would you promote to say pentest a VoIP infrastructure? It's
pretty much non-existent. You either understand the topology, technology,
etc., from the top down, or you'll be lost in the sauce. And no "Hacking
VoIP" (hello Dave/Mark) can only help you so much. However, if you
understood the underlying framework of packets and protocols, you'd be able
to determine what to look for on which layers of the OSI period, no matter
what you're pentesting.

I believe certs can definitely help, but they are of limited use on the
learning phase. So you waste (or spend depending on your view) time learning
about say web application security. You spend/waste time reading and
re-reading Shellcoder's Handbook, learning C or some other language. You
spend or waste time learning about fuzzers and all that you're trying is
failing. You never took the time to learn about the networking side of
things so you're not running tcpdump, snoop or any other sniffer on the wire
to see that you're not trunked in the right VLAN. Then what?

I believe a top down approach to it all - via books, trial and error labs is
the way to go WAY before one invests money in any cert. It's what I believe
separates the pros from the joes. You could tell me you possess all the certs
in the world and unless you really know your stuff, I can point you out to
plenty of "well certified" individuals whom I could mop the floor with on a
CTF on any given day with one hand, no coffee, on a 486 running RH Hurricane.
And I mean this not arrogantly, but I mean it as a matter of factual - truth
is the truth - way. Not bringing any person down, any cert down...

I have a friend (hello RR) who to this day I believe is possibly the best
pentester I've met. Uses no one's tools. Prefers doing things the old school
way. Maybe its how he feels comfortable doing it, maybe it's what he learned
in Indiana (;)) who knows. I respect him for his ability and his very intimate
knowledge. He has zero cert that I'm aware of. In fact, most of the pentesters
I know and respect most... Don't have titles to their names ;) Does this mean
they're cert illiterate, "unschooled", "unreliable" pentesters? Sorry I don't
believe the cert route is necessarily the best route. Just my two cents - alas
I rambled on enough, but if I had to recommend what you asked for, then I would
be telling people to take the following route:

Networking/Design:
CCNA
CCDA
CCNP
CCDP

Systems:
SCSA
Linux+
MCSA

Security:
Security+
C|EH - to become exposed to tools
OSCP
OPSA
CPTE

Web-applications:
What do you suggest here ;)


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Each player must accept the cards life deals him
or her: but once they are in hand, he or she alone
must decide how to play the cards in order to win
the game." Voltaire

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------





