Penetration Testing mailing list archives
Re: Need Some Guidance Please
From: "Nate" <marshallnate () hotmail com>
Date: Fri, 17 Apr 2009 23:38:16 -0600
Well said Jeff. Don't give a person with four fingers a hammer... Doesn't this job include the deep, fast-talking voice "results may very. Only at participating stores. etc..."
-N -------------------------------------------------- From: "Jeffrey Walton" <noloader () gmail com> Sent: Friday, April 17, 2009 10:35 PM To: "Elizabeth Tolson" <elizabethtolson () gmail com> Cc: <pen-test () securityfocus com> Subject: Re: Need Some Guidance Please
Hi Elizabeth,I am finishing up my Master's Degree in Information AssuranceCongratulations.During my research, I saw someone who was a Licensed Pen Tester/Consultant.You'll get lots of answers from folks who do it for a living. Allow me offer the SysAdmin view. While glamorous, the penetration testing can be very destructive on a network. I perform regular audits with MBSA, NetChk, NMap, and Nessus. As a SysAdmin, I am really interested in two things: what ports are open (and why), and what hosts are not patched to the latest revision (and why). I have no desire to walk around rebooting workstations and servers after a test. MBSA and Shavlik are least destructive - it's all about versioning. NMap can be hard on a poorly written service. It does some interesting things (both inside and outside of the three way TCP handshake) while trying to eek out if a host is present on the other side of the wall. Nessus, can be especially destructive when *not using* safe checks. And I have never found a need to use MetaSploit and its tools.He would "ethically hack" without the employees knowing it.This can get you in trouble. I've been part of many incidences where alarms start going off (literally - What's Up Gold and NetIQ) in the NOC because the Security Team was testing without informing anyone. The result is that someone higher up on the food chain gets very irritated because the NOC team had to report downtime on servers. And it only gets worst when Domain Controllers are forced to reboot because a test 'got away' from the Security team. I was also part of a database recovery because a server was rebooted due to a penetration test. Again, no one was informed, the DBA did not have an up to date backup, and the instantaneous reboot corrupted the database. In the end, nearly anyone can acquire and use the tools. It's all in the proper application to achieve the goals of the organization. Jeff On 4/17/09, Elizabeth Tolson <elizabethtolson () gmail com> wrote:Hi Everyone: I am finishing up my Master's Degree in Information Assurance from Capitol College. I had one Penetration Testing Classes which I really enjoyed. I have done some research on Pen Testing and this seems to be something that I might be interested in doing. During my research, I saw someone who was a Licensed Pen Tester/Consultant. Basically, he was hired by companies -- anywhere from banks, law firms, accountants, merchants, etc --- to conduct pen testing. He would "ethically hack" without the employees knowing it. He would also do some pen testing via social engineering. He would conduct Pen Testing during different hours of the day and night to discover vulnerabilities, etc. After the testing, he would submit a report to the president/owner of the company with suggestions on making his network a stronger, more secure network. Does anyone do this as a consultant? Or, is this guy blowing smoke and this is not a "real job". I have seen some companies that do this, but have not seen any individuals who do this. Also, if I am interested in pursing Pen Testing, what certs would you recommend. What additional training would you recommend. What books would you recommend? Thanks a lot. Elizabeth [SNIP]------------------------------------------------------------------------ This list is sponsored by: InfoSec InstituteLearn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class. Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified Penetration Tester exams, taught by an expert with years of real pen testing experience.http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: InfoSec InstituteLearn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class. Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified Penetration Tester exams, taught by an expert with years of real pen testing experience.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------
Current thread:
- Need Some Guidance Please Elizabeth Tolson (Apr 17)
- Re: Need Some Guidance Please Jeffrey Walton (Apr 17)
- Re: Need Some Guidance Please Michael Boman (Apr 18)
- Re: Need Some Guidance Please Daniel Clemens (Apr 18)
- Re: Need Some Guidance Please Jeffrey Walton (Apr 18)
- Re: Need Some Guidance Please Micheal Cottingham (Apr 18)
- Re: Need Some Guidance Please Michael Boman (Apr 21)
- Re: Need Some Guidance Please Nate (Apr 18)
- Need for Intrusion/Infection Data Baykal, Adnan (CSCIC) (Apr 21)
- Re: Need for Intrusion/Infection Data Jon Janego (Apr 21)
- Re: Need for Intrusion/Infection Data Leonardo Cavallari Militelli (Apr 21)
- RE: Need for Intrusion/Infection Data Honer, Lance (Apr 21)
- Re: Need Some Guidance Please Jeffrey Walton (Apr 17)
- Re: Need Some Guidance Please Elizabeth Tolson (Apr 21)
- Re: Need Some Guidance Please Stephen Mullins (Apr 21)
- Re: Need Some Guidance Please Aarón Mizrachi (Apr 30)
- Re: Need Some Guidance Please Matt Gardenghi (Apr 21)
- Re: Need Some Guidance Please Pete Herzog (Apr 21)
- Re: Need Some Guidance Please Todd Haverkos (Apr 23)