Re: Need Some Guidance Please

[Todd Haverkos <infosec () haverkos com>]

Elizabeth Tolson <elizabethtolson () gmail com> writes:

> Hi Everyone:
>
> I am finishing up my Master's Degree in Information Assurance from
> Capitol College.  I had one Penetration Testing Classes which I really
> enjoyed.
>
> I have done some research on Pen Testing and this seems to be
> something that I might be interested in doing.
>
> During my research, I saw someone who was a Licensed Pen
> Tester/Consultant.  Basically, he was hired by companies -- anywhere
> from banks, law firms, accountants, merchants, etc --- to conduct pen
> testing.  He would "ethically hack" without the employees knowing it.
> He would also do some pen testing via social engineering.  He would
> conduct Pen Testing during different hours of the day and night to
> discover vulnerabilities, etc.  After the testing, he would submit a
> report to the president/owner of the company with suggestions on
> making his network a stronger, more secure network.
>
> Does anyone do this as a consultant?  Or, is this guy blowing smoke
> and this is not a "real job".  I have seen some companies that do
> this, but have not seen any individuals who do this.

Hi Elizabeth, 

I'm happy to report that he wasn't blowing smoke.  Such
positions/individuals not only exist, but remain in fairly strong
demand involving a niche skillset for which it's difficult to recruit.

I work as a security consultant for a large security shop.  In the
past couple weeks I've done everything you said in the past
paragraphs.  It was done blind w/o employees knowing, and it was
closely held within the risk management executive leadership so they
could get a good pulse on what their exposures were without biasing
results by tipping off employees.  Engagements do vary but the blind
ones are always interesting. 

> Also, if I am interested in pursing Pen Testing, what certs would you
> recommend.  What additional training would you recommend.  What books
> would you recommend?

I don't have a magical formula, I'm afraid.  There are several ways to
skin that cat.  For whatever it's worth, I happen to have the EC
Council Licensed Penetration Tester cert (as well as their CEH and
ECSA).  But the value of certs in general is always a hot subject for
debate.  EC Counil's certified ethical hacker cert is a reasonable
entry level cert that isn't too daunting, but like any certification
is no strong guarantee of competence or character.   I have several
current and former coworkers that I respect enormously who have no
certifications at all,  but who are nonetheless top shelf pen
testers.  All the same, having some sort of cert does tell prospective
employers that you didn't just wake up yesterday and decide to apply
for their security related position. 

There are some very good training companies and strong pen certs out
there that have been mentioned on this thread.  The cert is less
important than the quality of the instructor and curriculum.  I was
very impressed with Jack Koziol's Infosec Institute training.  What
works for you though will involve decisions based on what training is
near you or you can otherwise afford (or what your employer will pay
for in a given year).  But finding a job where you can actually do
penetration testing as part of your work and work in varying
environments is extremely valuable.  

To get your foot in the door... I'm not sure of any one magical path.
In my case, I started in a networking related position in a rather
large company and made a bee line for their security group when the
opportunity arose.

Books... the trouble with them is that the publishing lead time is
such that they can't be up to date, as security and threats move so
fast.  But among those that I've personally found worthwhile: Hacking
Exposed (and friends), Database Hacker's Handbook (also several things
in this series too), Web Application Hacker's Handbook, Hacking: The
Art of Exploitation... are some titles from my shelf that come to
mind.  <plug style="shameless"> and run (don't walk) and pick up a
copy of UNIX and Linux Forensic Analysis DVD Toolkit</plug> even
though it'll do little for your pen testing.  :-) 

Conferences though...  that's where you can get a lot of bang for the
buck.  Get thee to Defcon this summer in Vegas.  It's quite
affordable, you get most of what you'd see at the more corporate Black
Hat, and you'll be surrounded with an ecclectic mix from script
kiddies to penetration testing pros.  It's very useful brain food.
Blackhat is great, much more corporate oriented, but it is expensive.
I've also heard great things from colleagues about schmoocon, RSA,
Cansec West.  etchicalhacker.net is a growing community and their
Chicagocon 2-day seminar is coming up soon as well, and is quite
affordable.

Hope this gives you some ideas.  If this is a career direction you're
considering, you'll find your skills rather-in demand once developed.
The threat landscape is getting more and more complicated, and now
that the bad guys have moved into the for profit realm, such work will
continue to be a growing part of organizations' risk management
approach to business.

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
http://www.linkedin.com/in/toddhaverkos

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Tired of using other people's tools? Why not learn how to write your own exploits? 
InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for 
Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well. 

http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------