Penetration Testing mailing list archives

Re: Pen Tester Qualification


From: "J. Oquendo" <sil () infiltrated net>
Date: Tue, 23 Sep 2008 14:22:59 -0500

On Tue, 23 Sep 2008, Haymi Rock wrote:

Guys,
I need your experience.

What are the qualifications for the ideal "Penetration Tester"?
Your opinions and experiences are so much appreciated

This is likely going to differ from the normal tailored
answer you'll hear from the suit types so here goes. The
qualifications for pentesting if I were conducting the
interview would vary. I would prefer to find someone
with a thorough background in networking, systems
administration and programming.

The experience for me would have to be a few years in
an industry where the usage of those technologies
was heavy. For example, I'd prefer to find someone
with hands on experience in say a NOC environment or
a SOC environment.

The candidate would HAVE to have hands on experience
first and foremost. I believe that at the bottom of
the line, experience outweighs any certifications
someone would have on their resume.

Secondly, I'd like to see them exposed professionally
in the security industry. In some capacity doing some
type of auditing, be it system level, network level.
For me, again, they'd have to have the technical know
how involved with systems administration as well as
with networking.

In the common tasks of a system administrator, there
are many learning curves for many systems (Windows,
Linux, BSD, etc.). There are many programs to be
learned and understood to effectively manage those
systems. There are duties including the creation
of accounts, group assignment, etc.; this
exposes the candidate to the AAA concepts.

Networking is a must period. No network, no pentest.
I won't get into physical pentesting on this ramble.
Understanding networking is a tremendous advantage
since one needs to understand how things work from
the ground up. The candidate should be able to pick
apart layer by layer the OSI/DoD model to determine
a starting and exiting point when addressing their
penetration test.

Because I believe in a form of structured penetration
test, I feel the candidate should be a jack of all
trades on the protocols. They'd need to be well
versed to know when to perform networking related
security testing (MITM, packet injection, covert
channel testing) versus say application level
testing.

Next comes the core of understanding the protocol
itself. I'd want someone with a mixture of dealing
with security protocols. Perhaps someone having
experience configuring webservers with OpenSSL or
something along these lines. Someone whom I can
ask a quick question like say... What are the
differences between aggressive and main modes of
VPNs? They'd need to understand what I'm talking
about and why I would ask something like this.

They'd need to be well versed on CVSS topics,
commonly used exploits, industry top 10's and 20's
as far as threats go; they'd need to understand a
few concepts related to doing paperwork as well.
This means understanding a broad but structured
view of topics such as BIA, DRM, ROI, etc. It's
a matter of preference, but the more experienced
in the subject matters, even if it's broadly based,
I believe will get me a more professional pentest
expert on my team as opposed to someone who sat
around all day running tools.

I answered a question similar to this a week or
two ago; the need for those coming into the field
to understand the basics before focusing
solely on the usage of popular tools. My ideal
pentester would make his own tools a la MacGyver
if they had to. There is no guarantee you will
always be able to use tools and many individuals
need to understand this concept. What happens
if you're at a client and they ask you right on
the spot to perform an assessment on their
machines without those fancy tools you'd sworn
would find any hole? Would you know what to do
without them? Would you know how to search for
open ports (lsof, netstat)? Would you know the
system well enough for you to be able to perform
a pentest under those conditions?

Recap...

MUST
Networking, Systems, Applications, Security Concepts

SHOULD
Business concepts, Information Security Concepts
(not to be confused with IT Security... I mean
audit based, CISA/CISM style concepts). Good
knowledge of regulations (HIPAA, SOX, etc).

It all boils down to where you intend on working,
to be honest. Some companies solely hire what
I call toolmonkeys. "OMFG YOU'VE USED CENZIC
HAILSTORM!" means little if you don't understand
how things work under the hood. Anyone can go
around pointing and clicking a tool. It's the
individual who can use the common underlying
information on what the tool does, how it does
it, who I'd want on my team. "Can you do the
same using say curl?", "Can you go through the
motions of performing say SQL injections w/o
the use of INSERT_FAVORITE_INDUSTRY_TOOL_HERE?"

Anything else comes after the fact: certifications,
what uberly massive list of tools you want to place
on your resume. If a candidate cannot offer me
something outside of "experience using NMAP..."
I wouldn't bother interviewing them. If I asked
the potential candidate something like, "Can you
gather the same output that NMAP would give you
with netcat?" and they understood what I mean w/o
questioning why I would choose to use NC, then
I'd get into deeper discussion with them. It's
all about versatility for me.


// end of rambling

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, CNDA, CHFI, OSCP

"A good district attorney can indict a ham sandwich
if he wants to ... The accusations harm as much as
the convictions ... they're obviously harmful or it
wouldn't be news.." - John Carter

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB

