Velocity Reviews

Computer Security forum (http://www.velocityreviews.com/forums/f38-computer-security.html)
Thread: Starting a Pen-Testing Career (http://www.velocityreviews.com/forums/t394514-starting-a-pen-testing-career.html)

seraphimrhapsody@gmail.com 10-26-2006 07:36 PM

Starting a Pen-Testing Career
 
Hello all,

This post is directed towards current network security/penetration
testing professionals.

I'm not sure what group this would be most appropriate in, so if this
is in the incorrect group, then please let me know and I'll move it
there (I've looked for a few groups that are strictly for pen-testers,
and haven't really found much). So I apologize in advance if this is
misplaced.

I'm currently a software engineer, but have a passion for network
security, and in particular penetration testing. I have to admit, I've
looked and looked for possible job descriptions for this type of work,
the pro's and con's of it, how to get into the field, etc... and
haven't found a whole lot regarding the first steps to get into this
type of industry.

I would love to have a few questions answered by those who have been
there and done this type of work. That being said, here are my
questions...

1) How did you get your start into this field of work?
1a) Did you attend any official courses to prepare?
1b) Did you obtain any certifications before you landed your first
pen-testing job?

2) What is an average day of work like for you?
2a) What are the pro's of working as a Pen-Tester?
2b) What are the con's of working as a Pen-Tester (what makes you hate
coming to work?)
2c) Do you work in a large or small firm? Or are you doing freelance
work? Which would you prefer/recommend?

3) What should I do to prepare?
3a) Are there any solid courses offered to prepare for this type of
work?
3b) What are the most credible and affordable courses one could take?
3c) In your opinion, what are the strongest certifications to have? Or
are any certifications worth their salt?

4) Are there any websites out there that would have some or all of the
answers to the questions above?

I've looked into going to the InfoSec school for Ethical Hacking, and
would love to have the bootcamp style training to get me started, but
atm, the cost is a bit outside of my limits. I can say, though, that
sometime next year I will be able to take such a course. In the
meantime, though, I'm trying to figure out if this is something that
I'd like to pursue. I currently have a very secure job and am quite
happy with it (most days :) ), as well as having a very bright future
for advancement in the industry, but I'm pretty sure I would absolutely
love this type of work. I feel like I've only read 'hype' about the
career, though. I'd love to pick a grizzled veteran's brain about this
and see if it's the right career move for me. Also, I'm young enough to
make a career switch a viable option. So it's been weighing on my mind
pretty heavily as of late, heh.

Thanks in advance to all who reply with anything useful,
Keith


fuzzynoreply@invalid.org 10-26-2006 08:18 PM

Re: Starting a Pen-Testing Career
 
seraphimrhapsody@gmail.com wrote:
> 1) How did you get your start into this field of work?
> 1a) Did you attend any official courses to prepare?
> 1b) Did you obtain any certifications before you landed your first
> pen-testing job?


Nope. Nope. I transferred within a large company I was already
working for.

> 2) What is an average day of work like for you?


Walk down the hall, login to the computer. Break something new every
week or so. Short engagements, lots of new stuff all the time.
Always learning.

> 2a) What are the pro's of working as a Pen-Tester?


It's a lot more fun and rewarding to break stuff than to have to deal
with all the tedium of having to create things for the lowest common
denominator to use.

> 2b) What are the con's of working as a Pen-Tester (what makes you hate
> coming to work?)


When customers have you reassess their stuff a year later and all the
same stuff you reported a year ago is still broken. That's about it
though. It's a dream job.

> 2c) Do you work in a large or small firm? Or are you doing freelance
> work? Which would you prefer/recommend?


I'm in a large one. It has its benefits and detriments. A small firm
arguably can be more aggressive in their testing as they're not as
large a target for getting sued should something go horribly wrong.
Hasn't happened of course, but just thinking out loud. A large firm
has all the resources of a large firm, and an established brand that
connotes trust with a customer and applied appropriately, a steady
stream of business. Education budgets, lots of network
infrastructure and all that jazz. Smaller outfits mean more
uncertainty but generally higher salaries, less to invest in education
perhaps, less places to go if you ever get burned out.

This question I think is largely orthogonal of the profession and more
a personal choice regardless of your IT specialty I guess. Also
depends a lot on the individual company.

> 3) What should I do to prepare?


Send me your resume. I'll see if there's a fit.

If you aren't already very comfortable in both Linux and Windows, get
comfortable in both.

> 3a) Are there any solid courses offered to prepare for this type of
> work?


Oh yes. That Infosec CEH class you mention later is pretty darned
good. They have an advanced class as well that includes exploit
coding...and I think your background would make you very interested in
that.

Defcon is a decent cheap conference that's held annually.

> 3b) What are the most credible and affordable courses one could take?
> 3c) In your opinion, what are the strongest certifications to have? Or
> are any certifications worth their salt?


CISSP is probably the most widely known, but it requires someone with
a CISSP to certify that you've worked in a security related field for
a given amount of time. Your work as a software developer, though, can
be construed in that way. Make friends with a CISSP.

SANS.org GIAC certifications are a little more highly regarded I'd say
but cost will be an issue there as well, and then there's the issue of
which one to take. I don't know that I'd recommend it as a first
step.

> 4) Are there any websites out there that would have some or all of the
> answers to the questions above?
>
> I've looked into going to the InfoSec school for Ethical Hacking, and
> would love to have the bootcamp style training to get me started, but
> atm, the cost is a bit outside of my limits.


Talk with them see what you can negotiate. It's a good class, a very
good organization (Jack's awesome) and the EC Council certification
will carry some weight too. I haven't tested mine out in the
marketplace, so it's hard to say.

> I can say, though, that sometime next year I will be able to take
> such a course. In the meantime, though, I'm trying to figure out if
> this is something that I'd like to pursue.


Sounds like a great fit for your interests.

> I currently have a very secure job and am quite happy with it (most
> days :) ), as well as having a very bright future for advancement in
> the industry, but I'm pretty sure I would absolutely love this type
> of work. I feel like I've only read 'hype' about the career,
> though.


If you ask me, the hype is real. It's very fun to break stuff for a
living.

> I'd love to pick a grizzled veteran's brain about this and see if
> it's the right career move for me. Also, I'm young enough to make a
> career switch a viable option. So it's been weighing on my mind
> pretty heavily as of late, heh.


Security is still very much a growth industry and I don't see that
changing any time soon. Versus software development, if you're living
in the US, there's an argument to be made that folks will be less
prone to offshore their security assessment work than they would code
and software engineering.

> Thanks in advance to all who reply with anything useful,


Dunno if I've tripped that level, but yer welcome retroactively, as
applicable. :-)

--

http://www {dot} toddh {dot} net/

erewhon 10-28-2006 05:14 AM

Re: Starting a Pen-Testing Career
 

> 2) What is an average day of work like for you?


As someone on the end of reading security audit reports, can you:

1 - write high-level management reports, with scare stories to generate more
work?

2 - can you write down all the issues their own tech team tell you are
issues, and present this as your own work?

3 - can you state the bleeding obvious in an important-looking document -
'you need to patch your systems, have firewalls & IDS, do more monitoring,
QA your software, run up-to-date AV, limit admin accts, enforce password
policy, limit physical access, review security logs....'. (Since every firm
is always just one step behind in some area, you will always find an 'in').
If they are fully up-to-date and compliant, can you scare them with 0-day
exploits and more consultancy costs.

4 - can you steer someone else's cleverly written vulnerability scanner, and
produce reams of pdf reports which justify your pointless exercise and
substantial contract fee?

If so, go work for a big audit firm and keep reselling the above and keep
creaming the profits, whilst knowing in your heart you've never written a
line of exploit code or had an original idea on security yourself.

erewhon
alt.hacker



Todd H. 10-28-2006 05:34 AM

Re: Starting a Pen-Testing Career
 
"erewhon" <sminkypinky@nowhere.net> writes:

> > 2) What is an average day of work like for you?

>
> As someone on the end of reading security audit reports, can you:
>
> 1 - write high-level management reports, with scare stories to generate more
> work?
>
> 2 - can you write down all the issues their own tech team tell you are
> issues, and present this as your own work?
>
> 3 - can you state the bleeding obvious in an important-looking document -
> 'you need to patch your systems, have firewalls & IDS, do more monitoring,
> QA your software, run up-to-date AV, limit admin accts, enforce password
> policy, limit physical access, review security logs....'. (Since every firm
> is always just one step behind in some area, you will always find an 'in').
> If they are fully up-to-date and compliant, can you scare them with 0-day
> exploits and more consultancy costs.
>
> 4 - can you steer someone else's cleverly written vulnerability scanner, and
> produce reams of pdf reports which justify your pointless exercise and
> substantial contract fee?



Pity.

Sounds like you have contracted someone doing vulnerability scanning
vs actual ethical hacking.

But it's funny cus the market does have a lot of such crap out there.

Best Regards,
--
Todd H.
http://www.toddh.net/

erewhon 10-28-2006 05:36 AM

Re: Starting a Pen-Testing Career
 

> Pity.
>
> Sounds like you have contracted someone doing vulnerability scanning
> vs actual ethical hacking.


From a company perspective, they just want a report which tells them what
their exposures are (which any idiot could tell them - see point 3), and
then they can justify the spend and action the recommendations, and thereby
cover their ass should anyone externally need to have proof of their
'security'

It's not about hacking into code, it's about ticking the boxes.

> But it's funny cus the market does have a lot of such crap out there.


Usually with a big brand name and a ludicrous fee.



seraphimrhapsody@gmail.com 11-02-2006 12:17 AM

Re: Starting a Pen-Testing Career
 
Not sure if my experience applies, but I used to work for the GeekSquad
at BestBuy. It was hell. But I did learn a few things. Mainly, though,
I learned that people pay for convenience. People pay for others to do
the things they need done, but don't have the time to learn how to
do...

My job consisted of booting up a computer, and then clicking 'scan' on
a few antivirus scanners, and a few spyware scanners, and then
documenting my work. Any monkey could have done the same. So why didn't
these customers have me do it?

They didn't have the time, perhaps even the aptitude, to learn and
educate themselves on how to do it themselves. Something so seemingly
simple, yet they didn't do it. I even went to _great_ lengths to show
these people they were being 'scammed', to show them how to do my
'job'. 9 times out of 10, though, these people flat out told me they
'didn't care, just fix it'.

Perhaps you have some truth in your inflammatory, pessimistic attitude
of penetration testing/ethical hacking. But I think your opinions are
more wrong than right.

1) Businesses want to know worst case scenario, and to be prepared for
them.

2) Sure I can. Will I? No. To assume and lump all penetration testers
into this unethical behavior is a bit narrow minded and immature, imo.

3) What is bleeding-obvious to you, may not necessarily be obvious to
others less savvy than yourself. Take my example of spyware, for
instance. Most people don't understand that a free screensaver is chock
full of malware and resource hogging software that is generally bad for
your system. Most people are too busy themselves to sit down and
educate themselves thoroughly enough to become a smart or even savvy
internet user. Case in point, most businesses are busy earning money
and making their business plans work to worry so much about security.
Hence, they hire a pen-tester or ethical hacker to tell them the things
they need.

4) Simply because I don't write my own vulnerability scanners doesn't
mean I am somehow less knowledgeable or less of a professional. Using
someone's already established tools is far better than reinventing the
wheel. It's smart. Do I write all of my current software in assembly,
because that would somehow make me a superior coder to those who use
high-level frameworks? No. I use the frameworks given to me to make my
life easier, my software development more efficient and my production
time less. Am I less of a software engineer because I don't write all
my projects in low-level languages? And just because I don't use those
low level languages, does that mean I don't understand what's going on
beneath the hood of my framework? You are making large assumptions that
don't necessarily add up to anything. On the same token, using someone
else's tools does not mean that I do not understand the
vulnerabilities. I _could_ attempt the vulnerabilities one by one
myself, manually executing them, but that would be tedious and slow.
I'd probably think about automating that, but wait... someone's already
done that! I'm sure you see my point.

As for pointless exercises... I'd beg to differ. If they were so
pointless, perhaps you should tell the CEO that the next time his/her
security is compromised. "Yes, you were compromised because of this
particular insecurity, but checking for that before you had been
attacked would have been pointless in my opinion." Make statements such
as that, and I'd wonder why you even browse this newsgroup...

As for substantial contract fees... knowledge is power. The reason
software engineers are paid well (or at least more than average) is
because of their knowledge and experience alone; because many have
devoted their time, effort, and finances to learning their trade. The
same goes with a penetration tester who stays current. Aside from that,
I'd wonder how you consider a company's peace of mind and security any
less valuable than it already is.

Lastly... simply because I would work as a penetration tester doesn't
automatically qualify me as a moron in the vulnerability research
department... And quite honestly, I would probably find myself adequate
at doing it, considering my background. I do see your point, though, in
that a truly excellent penetration tester should know these details to
truly understand his job.

So, with all of this, I'm going to call you out. I am quite sure that
if we were to know your line of business, we could make equally narrow
minded and inflammatory remarks. I won't, of course, but that was an
attempt to open your mind a bit. And since you posted in this group, on
this particular topic... have you ever written exploit code? Have you
ever contributed fresh ideas to the security community? Or do you
simply deride everyone else's careers, quite likely because of your own
insecurity in your own skillset? Heck, with your mindset, have you
written your own OS? Or are you just an inferior user? Have you made
your own motherboard? Processor? Memory units? Or are you just a simple
consumer?

Do you now see how ridiculous your claims sound? In retrospect, had you
written something like, "Here's how you can be a horrible
pen-tester..." or perhaps, "These, in my opinion, are great
pen-testers...", I think I wouldn't have had a problem at all with your
post. I'd venture to say that constructive criticism _could_ go a long
way for you. I doubt you'd heed the advice though.



erewhon wrote:
> > 2) What is an average day of work like for you?

>
> As someone on the end of reading security audit reports, can you:
>
> 1 - write high-level management reports, with scare stories to generate more
> work?
>
> 2 - can you write down all the issues their own tech team tell you are
> issues, and present this as your own work?
>
> 3 - can you state the bleeding obvious in an important-looking document -
> 'you need to patch your systems, have firewalls & IDS, do more monitoring,
> QA your software, run up-to-date AV, limit admin accts, enforce password
> policy, limit physical access, review security logs....'. (Since every firm
> is always just one step behind in some area, you will always find an 'in').
> If they are fully up-to-date and compliant, can you scare them with 0-day
> exploits and more consultancy costs.
>
> 4 - can you steer someone else's cleverly written vulnerability scanner, and
> produce reams of pdf reports which justify your pointless exercise and
> substantial contract fee?
>
> If so, go work for a big audit firm and keep reselling the above and keep
> creaming the profits, whilst knowing in your heart you've never written a
> line of exploit code or had an original idea on security yourself.
>
> erewhon
> alt.hacker



erewhon 11-02-2006 06:56 AM

Re: Starting a Pen-Testing Career
 
> 9 times out of 10, though, these people flat out told me they
> 'didn't care, just fix it'.


That's certainly the case.

> Perhaps you have some truth in your inflammatory, pessimistic attitude
> of penetration testing/ethical hacking. But I think your opinions are
> more wrong than right.
>
> 1) Businesses want to know worst case scenario, and to be prepared for
> them.


Businesses don't care about security and vulnerability and exposure. Their
only interest in technology is in making a manual job easier (and therefore
saving cost), or generating revenue. In the process they know they have to
protect their assets (since this impacts their market position, or bottom
line if services are unavailable or compromised), and that they usually know
they have to be compliant with a variety of legal obligations in terms of
data security.

Their driver is not to 'want to know worst case scenario' - they know the
worst case scenario (I might get ****ed over). What they want to know is 'am
I up to industry standards & best practice' and 'where are my weaknesses'.
In a large organisation with internal IT, you don't need an external audit
to tell you this - go and ask your existing teams. They'll have a list of
jobs which need doing, from laptop encryption, to improved IDS, to personal
firewalls, to spamware and malware scanners and filters, to better patch
management... the list will be comprehensive, assuming they actually ask!


> 2) Sure I can. Will I? No. To assume and lump all penetration testers
> into this unethical behavior is a bit narrow minded and immature, imo.


If you are employed by a large audit firm they will have a standard
approach - investigate their IT by examining all the information obtained
regarding their infrastructure from their IT teams, discuss their processes,
ask questions about the aforementioned areas likely to cause concern
(firewalls, patch, malware, encryption, et al) then present this list of
flaws in an audit report for management.
The managers will expect this - the audit firm knows this, and it will be a
cookbook delivery - the content of which will be obtained from existing IT
teams. How else would they be able to provide such a report in isolation -
audit every single network switch, firewall setting, PC and server? No -
they work from the inside to obtain, then resell back to you your own
information.


> 3) What is bleeding-obvious to you, may not necessarily be obvious to
> others less savvy than yourself. Take my example of spyware, for
> instance. Most people don't understand that a free screensaver is chock
> full of malware and resource hogging software that is generally bad for
> your system. Most people are too busy themselves to sit down and
> educate themselves thoroughly enough to become a smart or even savvy
> internet user. Case in point, most businesses are busy earning money
> and making their business plans work to worry so much about security.
> Hence, they hire a pen-tester or ethical hacker to tell them the things
> they need.


No they don't. They need to employ a team who can provide rigorous desktop
and server build standards. Someone who can write and enforce policy. They
need to employ someone to install AV, patch management, firewalls, IDS,
packet monitoring, proxy servers, malware and content sweepers at the
gateways et al.

That's why I stated your report needs to contain the obvious: "you need to
patch your systems, have firewalls & IDS, do more monitoring, QA your
software, run up-to-date AV, limit admin accts, enforce password policy,
limit physical access, review security logs...."

It does not require a pen-tester/ethical hacker to provide this analysis. It
needs a competent and informed IT team. Anyone who's big enough to buy pen
testing, is big enough to have its own IT team provide such a report
detailing areas for improvement.

Having written such a detailed report covering all such exposures, and
mitigating factors, and technology & process required to resolve it, I then
realised big firms think very little of their own skilled IT team. They
ended up paying $200k+ for an audit firm to do a fraction of the analysis I
did, with far fewer practical solutions. It's only by paying third parties
to come in, do the glossy report, that the IT managers can go to the board
and justify the spend on fixing the issues. Third party auditors know this -
your skills on code-exploit writing will not be required for the job of a
pen-tester.

> 4) Simply because I don't write my own vulnerability scanners doesn't
> mean I am somehow less knowledgeable or less of a professional.


Of course it does. The people who make such tools are obviously better
informed as to how the vulnerabilities exist, how they can be exploited and
how they can be detected. The user of such a tool is just that - a user of
someone else's tool. If they had the ability they claimed, they would write
their own.

> Using
> someone's already established tools is far better than reinventing the
> wheel.


I never said it wasn't. I said 'can you steer someone else's cleverly
written vulnerability scanner' to produce reports. Any monkey can do this -
you don't need an experienced code head/pen tester/ethical hacker to point
and click these tools.

> It's smart. Do I write all of my current software in assembly,
> because that would somehow make me a superior coder to those who use
> high-level frameworks? No. I use the frameworks given to me to make my
> life easier, my software development more efficient and my production
> time less. Am I less of a software engineer because I don't write all
> my projects in low-level languages? And just because I don't use those
> low level languages, does that mean I don't understand what's going on
> beneath the hood of my framework?


Most auditors/pen testers who sell their services have little knowledge in
this regard. It's just not required to produce the reports and analysis
which is being commissioned. The business needs a report from a tool which
can detect these holes. They don't give a **** if the person steering the
tool actually HAS the expertise to write the exploit code - they only need
to know if the hole exists and therefore the POSSIBILITY exists that someone
could exploit it.

> You are making large assumptions that
> don't necessarily add up to anything.


I am? Where exactly are my assertions flawed?

> On the same token, using someone
> else's tools does not mean that I do not understand the
> vulnerabilities. I _could_ attempt the vulnerabilities one by one
> myself, manually executing them, but that would be tedious and slow.
> I'd probably think about automating that, but wait... someone's already
> done that! I'm sure you see my point.


And my point is that no-one in the business cares if the employed
hacker/pen-tester/auditor actually has the skills to carry out the attacks
they say they are vulnerable to. They only need to know that such
possibilities exist - and for this you don't need to be a hacker/pen-tester -
just a monkey in a suit, with an arm full of reports and a penchant for
selling them back their own ideas.

> As for pointless exercises... I'd beg to differ. If they were so
> pointless, perhaps you should tell the CEO that the next time his/her
> security is compromised. "Yes, you were compromised because of this
> particular insecurity, but checking for that before you had been
> attacked would have been pointless in my opinion." Make statements such
> as that, and I'd wonder why you even browse this newsgroup...


I never said pen-testing was pointless. I said that the job of a
'professional pen-tester' is not what you would end up doing, since people
would be paying you to deliver to a common set of criteria - none of which
require an in-depth knowledge of exploit code and holes, only the means to
identify where they exist.

> As for substantial contract fees... knowledge is power. The reason
> software engineers are paid well (or at least more than average) is
> because of their knowledge and experience alone; because many have
> devoted their time, effort, and finances to learning their trade. The
> same goes with a penetration tester who stays current.


My point is that this task does not require a substantial amount of
knowledge, above and beyond what a competent network or server engineer has
at hand, to deliver the output of such reports.

> Lastly... simply because I would work as a penetration tester doesn't
> automatically qualify me as a moron in the vulnerability research
> department... And quite honestly, I would probably find myself adequate
> at doing it, considering my background. I do see your point, though, in
> that a truly excellent penetration tester should know these details to
> truly understand his job.


Actually, my point is - the best pen testers work in the background, writing
the tools and exploits. Business facing pen-testers do not - they steer
tools, & write cookbook reports.

> So, with all of this, I'm going to call you out. I am quite sure that
> if we were to know your line of business, we could make equally narrow
> minded and inflammatory remarks.


I'm a server engineer - I scope, design, & implement solutions, with a
degree of third line support for a multi-billion pound firm. I get paid ****
loads cos I'm very good at it.

I know what tools to use, have written best design practice, and how to
deliver a secure, resilient solution on time, within budget and following
process.

> I won't, of course, but that was an
> attempt to open your mind a bit. And since you posted in this group, on
> this particular topic... have you ever written exploit code?


No. I don't claim to have.

> Have you
> ever contributed fresh ideas to the security community?


Yes.

> Or do you
> simply deride everyone else's careers, quite likely because of your own
> insecurity in your own skillset?


Me - insecure?! I'm not deriding the career path - I'm stating it will not
be what you expect and hope it to be.

> Heck, with your mindset, have you
> written your own OS?


No.

> Or are you just an inferior user? Have you made
> your own motherboard? Processor? Memory units? Or are you just a simple
> consumer?


I did a smattering of electronics during my degree.

> Do you now see how ridiculous your claims sound? In retrospect, had you
> written something like, "Here's how you can be a horrible
> pen-tester..." or perhaps, "These, in my opinion, are great
> pen-testers...", I think I wouldn't have had a problem at all with your
> post. I'd venture to say that constructive criticism _could_ go a long
> way for you. I doubt you'd heed the advice though.


Hey - It's just my perspective based on experience.

erewhon
alt.hacker



seraphimrhapsody@gmail.com 11-02-2006 07:15 AM

Re: Starting a Pen-Testing Career
 
Perhaps my perceptions of the business are a bit naive, I suppose. And
perhaps I was too quick to judge by your own response.

So this is one of those rare occasions on the 'net that anyone will see
an apology in these types of discussions -- Sorry for jumping to my own
assumptions. I suppose we all know where they lead.

So. Perhaps a corporate pen-tester is not the job I'd like to go into,
and I have been misled. I suppose then, I would rephrase my question.
I like security; I like breaking into networks, and also finding out
how others have broken into mine. I'm a pretty damn good programmer,
and understand low level languages. What _would_ be the career that
would best facilitate that? Perhaps a network forensics consultant?
Something along those lines? Perhaps a vulnerability researcher?

Any direction here would be wonderful.
Thanks, and again, my apologies.

erewhon wrote:
> > 9 times out of 10, though, these people flat out told me they
> > 'didn't care, just fix it'.

>
> That's certainly the case.
>
> > Perhaps you have some truth in your inflammatory, pessimistic attitude
> > of penetration testing/ethical hacking. But I think your opinions are
> > more wrong than right.
> >
> > 1) Businesses want to know worst case scenario, and to be prepared for
> > them.

>
> Businesses don't care about security and vulnerability and exposure. Their
> only interest in technology is in making a manual job easier (and therefore
> saving cost), or generating revenue. In the process they know they have to
> protect their assets (since this impacts their market position, or bottom
> line if services are unavailable or compromised), and that they usually know
> they have to be compliant with a variety of legal obligations in terms of
> data security.
>
> Their driver is not to 'want to know worst case scenario' - they know the
> worst case scenario (I might get ****ed over). What they want to know is 'am
> I up to industry standards & best practice' and 'where are my weaknesses'.
> In a large organisation with internal IT, you don't need an external audit
> to tell you this - go and ask your existing teams. They'll have a list of
> jobs which need doing, from laptop encryption, to improved IDS, to personal
> firewalls, to spamware and malware scanners and filters, to better patch
> management... the list will be comprehensive, assuming they actually ask!
>
>
> > 2) Sure I can. Will I? No. To assume and lump all penetration testers
> > into this unethical behavior is a bit narrow minded and immature, imo.

>
> If you are employed by a large audit firm they will have a standard
> approach - investigate their IT by examining all the information obtained
> regarding their infrastructure from their IT teams, discuss their processes,
> ask questions about the aforementioned areas likely to cause concern
> (firewalls, patch, malware, encryption, et al) then present this list of
> flaws in an audit report for management.
> The managers will expect this - the audit firm knows this, and it will be a
> cookbook delivery - the content of which will be obtained from existing IT
> teams. How else would they be able to provide such a report in isolation -
> audit every single network switch, firewall setting, PC and server? No -
> they work from the inside to obtain, then resell back to you your own
> information.
>
>
> > 3) What is bleeding-obvious to you, may not necessarily be obvious to
> > others less savvy than yourself. Take my example of spyware, for
> > instance. Most people don't understand that a free screensaver is chock
> > full of malware and resource hogging software that is generally bad for
> > your system. Most people are too busy themselves to sit down and
> > educate themselves thoroughly enough to become a smart or even savvy
> > internet user. Case in point, most businesses are busy earning money
> > and making their business plans work to worry so much about security.
> > Hence, they hire a pen-tester or ethical hacker to tell them the things
> > they need.

>
> No they don't. They need to employ a team who can provide rigorous desktop
> and server build standards. Someone who can write and enforce policy. They
> need to employ someone to install AV, patch management, firewalls, IDS,
> packet monitoring, proxy servers, malware and content sweepers at the
> gateways et al.
>
> That's why I stated your report needs to contain the obvious."'you need to
> patch your systems, have firewalls & IDS, do more monitoring, QA your
> software, run up-to-date AV, limit admin accts, enforce password policy,
> limit physical access, review security logs....".
>
> It does not require a pen-tester/ethical hacker to provide this analysis. It
> needs a competent and informed IT team. Anyone who's big enough to buy pen
> testing, is big enough to have its own IT team provide such a report
> detailing areas for improvement.
>
> Having written such a detailed report covering all such exposures, and
> mitigating factors, and technology & process required to resolve it, I then
> realised big firms think very little of their own skilled IT team. They
> ended up paying $200k+ for an audit firm to do a fraction of the analysis I
> did, with far fewer practical solutions. It's only by paying third parties
> to come in, do the glossy report, that the IT managers can go to the board
> and justify the spend on fixing the issues. Third party auditors know this -
> your skills on code-exploit writing will not be required for the job of a
> pen-tester.
>
> > 4) Simply because I don't write my own vulnerability scanners doesn't
> > mean I am somehow less knowledgeable or less of a professional.

>
> Of course it does. The people who make such tools are obviously better
> informed as to how the vulnerabilities exist, how they can be exploited and
> how they can be detected. The user of such a tool is just that - a user of
> someone else's tool. If they had the ability they claimed, they would write
> their own.
>
> > Using
> > someone's already established tools is far better than reinventing the
> > wheel.

>
> I never said it wasn't. I said 'can you steer someone else's cleverly
> written vulnerability scanner' to produce reports. Any monkey can do this -
> you don't need an experienced code head/pen tester/ethical hacker to point
> and click these tools.
>
> > It's smart. Do I write all of my current software in assembly,
> > because that would somehow make me a superior coder to those who use
> > high-level frameworks? No. I use the frameworks given to me to make my
> > life easier, my software development more efficient and my production
> > time less. Am I less of a software engineer because I don't write all
> > my projects in low-level languages? And just because I don't use those
> > low level languages, does that mean I don't understand what's going on
> > beneath the hood of my framework?

>
> Most auditors/pen testers who sell their services have little knowledge in
> this regard. It's just not required to produce the reports and analysis
> which is being commissioned. The business needs a report from a tool which
> can detect these holes. They don't give a **** if the person steering the
> tool actually HAS the expertise to write the exploit code - they only need
> to know if the hole exists and therefore the POSSIBILITY exists that someone
> could exploit it.
>
> > You are making large assumptions that
> > don't necessarily add up to anything.

>
> I am? Where exactly are my assertions flawed?
>
> > On the same token, using someone
> > else's tools does not mean that I do not understand the
> > vulnerabilities. I _could_ attempt the vulnerabilities one by one
> > myself, manually executing them, but that would be tedious and slow.
> > I'd probably think about automating that, but wait... someone's already
> > done that! I'm sure you see my point.

>
> And my point is that no-one in the business cares if the employed
> hacker/pen-tester/auditor actually has the skills to carry out the attacks
> they say they are vulnerable to. They only need to know that such
> possibilities exist - and for this you don't need to be a hacker/pen-tester -
> just a monkey in a suit, with an arm full of reports and a penchant for
> selling them back their own ideas.
>
> > As for pointless exercises... I'd beg to differ. If they were so
> > pointless, perhaps you should tell the CEO that the next time his/her
> > security is compromised. "Yes, you were compromised because of this
> > particular insecurity, but checking for that before you had been
> > attacked would have been pointless in my opinion." Make statements such
> > as that, and I'd wonder why you even browse this newsgroup...

>
> I never said pen-testing was pointless. I said that the job of a
> 'professional pen-tester' is not what you would end up doing, since people
> would be paying you to deliver to a common set of criteria - none of which
> require an in-depth knowledge of exploit code and holes, only the means to
> identify where they exist.
>
> > As for substantial contract fees... knowledge is power. The reason
> > software engineers are paid well (or at least more than average) is
> > because of their knowledge and experience alone; because many have
> > devoted their time, effort, and finances to learning their trade. The
> > same goes with a penetration tester who stays current.

>
> My point is that this task does not require a substantial amount of
> knowledge, above and beyond what a competent network or server engineer has
> at hand, to deliver the output of such reports.
>
> > Lastly... simply because I would work as a penetration tester doesn't

> > automatically qualify me as a moron in the vulnerability research
> > department... And quite honestly, I would probably find myself adequate
> > at doing it, considering my background. I do see your point, though, in
> > that a truly excellent penetration tester should know these details to
> > truly understand his job.

>
> Actually, my point is - the best pen testers work in the background, writing
> the tools and exploits. Business facing pen-testers do not - they steer
> tools, & write cookbook reports.
>
> > So, with all of this, I'm going to call you out. I am quite sure that
> > if we were to know your line of business, we could make equally narrow
> > minded and inflammatory remarks.

>
> I'm a server engineer - I scope, design, & implement solutions, with a
> degree of third line support for a multi-billion pound firm. I get paid ****
> loads cos I'm very good at it.
>
> I know what tools to use, have written best design practice, and how to
> deliver a secure, resilient solution on time, within budget and following
> process.
>
> > I won't, of course, but that was an
> > attempt to open your mind a bit. And since you posted in this group, on
> > this particular topic... have you ever written exploit code?

>
> No. I don't claim to have.
>
> > Have you
> > ever contributed fresh ideas to the security community?

>
> Yes.
>
> > Or do you
> > simply deride everyone else's careers, quite likely because of your own
> > insecurity in your own skillset?

>
> Me - insecure?! I'm not deriding the career path - I'm stating it will not
> be what you expect and hope it to be.
>
> > Heck, with your mindset, have you
> > written your own OS?

>
> No.
>
> > Or are you just an inferior user? Have you made
> > your own motherboard? Processor? Memory units? Or are you just a simple
> > consumer?

>
> I did a smattering of electronics during my degree..
>
> > Do you now see how ridiculous your claims sound? In retrospect, had you
> > written something like, "Here's how you can be a horrible
> > pen-tester..." or perhaps, "These, in my opinion, are great
> > pen-testers...", I think I wouldn't have had a problem at all with your
> > post. I'd venture to say that constructive criticism _could_ go a long
> > way for you. I doubt you'd heed the advice though.

>
> Hey - It's just my perspective based on experience.
>
> erewhon
> alt.hacker



Todd H. 11-02-2006 02:38 PM

Re: Starting a Pen-Testing Career
 
seraphimrhapsody@gmail.com writes:

> Perhaps my perceptions of the business are a bit naive, I suppose. And
> perhaps I was too quick to judge by your own response.
>
> So this is one of those rare occasions on the 'net that anyone will see
> an apology in these types of discussions -- Sorry for jumping to my own
> assumptions. I suppose we all know where they lead.
>
> So. Perhaps a corporate pen-tester is not the job I'd like to go into,
> and I have been misled.



Let's just say I wouldn't let erewhon's bleak look into compliance
based, audit testing scare you away.

There are very cool pentesting jobs out there where a decent
proportion of your customers are getting their audits done out of
wanting to be secure rather than just getting a rubber stamp that says
they are, to paraphrase a defcon speaker's comments. :-)

Best Regards,
--
Todd H.
http://www.toddh.net/

erewhon 11-02-2006 07:16 PM

Re: Starting a Pen-Testing Career
 
> Perhaps my perceptions of the business are a bit naive, I suppose. And
> perhaps I was too quick to judge by your own response.
>
> So this is one of those rare occasions on the 'net that anyone will see
> an apology in these types of discussions -- Sorry for jumping to my own
> assumptions. I suppose we all know where they lead.
>
> So. Perhaps a corporate pen-tester is not the job I'd like to go into,
> and I have been misled.


Not necessarily - I paint a picture based on corporate requirements, and
their need for audit reports and legal compliance. My concern was that for
someone such as yourself, with a deeper interest in the subject matter, with
a talent for coding and understanding of the nature of code exploits, this
type of job would not provide the type of challenge and interest you
appear to be looking for.

As an 'in' to the security market, perhaps it would not be such a bad thing
to go through this exercise of working for such an audit firm. This would give
you access to a wide range of IT environments, allow you to develop your
management report writing and board presentation skills, and give you access
to IT professionals with a range of backgrounds and skills, and see how good
firms do it well, and how bad ones **** it up.

As with all jobs, the job you hope it will be is not necessarily the one it
actually is.

Get some training. Get certified. Apply for the jobs.

Then when you get to the interview, ask the questions - what will the job
entail, how much training is provided to keep abreast of technologies and
their vulnerabilities, how do you perform the audits, what reports do you
produce, who is your client base. This will give you a clear picture of what
you are getting yourself into.

Don't be surprised if the corporate audit firms are closer to how I describe
them than you may hope.

> I suppose then, I would rephrase my question.
> I like security; I like breaking into networks, and also finding out
> how others have broken into mine. I'm a pretty damn good programmer,
> and understand low level languages. What _would_ be the career that
> would best facilitate that? Perhaps a network forensics consultant?
> Something along those lines? Perhaps a vulnerability researcher?


Very possibly. As a coder, you could also advertise your skills reviewing
other people's code to ensure it is not susceptible to exploit - a very
important QA function.

You could work for a firm which writes anti-virus, anti-malware, or content
filtering software - or at their sharp end of exploit / virus analysis and
patch management.

All vendors need QA and security patches.

> Any direction here would be wonderful.


Take on board a range of perspectives. You may have to take a leap of faith
and learn the pro's and con's of each career prospect. At worst your CV
looks stronger for the experience.

> Thanks, and again, my apologies.


No apologies required. I offer merely one perspective (that of my own).

Opinions are like ass-holes. Everyone's got one :)

erewhon
alt.hacker


