Starting a Pen-Testing Career

Discussion in 'Computer Security' started by seraphimrhapsody@gmail.com, Oct 26, 2006.

  1. Guest

    Hello all,

    This post is directed towards current network security/penetration
    testing professionals.

    I'm not sure what group this would be most appropriate in, so if this
    is in the incorrect group, then please let me know and I'll move it
    there (I've looked for a few groups that are strictly for pen-testers,
    and haven't really found much). So I apologize in advance if this is
    misplaced.

    I'm currently a software engineer, but have a passion for network
    security, and in particular penetration testing. I have to admit, I've
    looked and looked for possible job descriptions for this type of work,
    the pros and cons of it, how to get into the field, etc., and
    haven't found a whole lot regarding the first steps to get into this
    type of industry.

    I would love to have a few questions answered by those who have been
    there and done this type of work. That being said, here are my
    questions...

    1) How did you get your start into this field of work?
    1a) Did you attend any official courses to prepare?
    1b) Did you obtain any certifications before you landed your first
    pen-testing job?

    2) What is an average day of work like for you?
    2a) What are the pros of working as a pen-tester?
    2b) What are the cons of working as a pen-tester (what makes you hate
    coming to work?)
    2c) Do you work in a large or small firm? Or are you doing freelance
    work? Which would you prefer/recommend?

    3) What should I do to prepare?
    3a) Are there any solid courses offered to prepare for this type of
    work?
    3b) What are the most credible and affordable courses one could take?
    3c) In your opinion, what are the strongest certifications to have? Or
    are any certifications worth their salt?

    4) Are there any websites out there that would have some or all of the
    answers to the questions above?

    I've looked into going to the InfoSec school for Ethical Hacking, and
    would love to have the bootcamp style training to get me started, but
    atm, the cost is a bit outside of my limits. I can say, though, that
    sometime next year I will be able to take such a course. In the
    meantime, though, I'm trying to figure out if this is something that
    I'd like to pursue. I currently have a very secure job and am quite
    happy with it (most days :) ), as well as having a very bright future
    for advancement in the industry, but I'm pretty sure I would absolutely
    love this type of work. I feel like I've only read 'hype' about the
    career, though. I'd love to pick a grizzled veteran's brain about this
    and see if it's the right career move for me. Also, I'm young enough to
    make a career switch a viable option. So it's been weighing on my mind
    pretty heavily as of late, heh.

    Thanks in advance to all who reply with anything useful,
    Keith
     
    , Oct 26, 2006
    #1

  2. Guest

    wrote:
    > 1) How did you get your start into this field of work?
    > 1a) Did you attend any official courses to prepare?
    > 1b) Did you obtain any certifications before you landed your first
    > pen-testing job?


    Nope. Nope. I transferred within a large company I was already
    working for.

    > 2) What is an average day of work like for you?


    Walk down the hall, login to the computer. Break something new every
    week or so. Short engagements, lots of new stuff all the time.
    Always learning.

    > 2a) What are the pro's of working as a Pen-Tester?


    It's a lot more fun and rewarding to break stuff than to have to deal
    with all the tedium of having to create things for the lowest common
    denominator to use.

    > 2b) What are the con's of working as a Pen-Tester (what makes you hate
    > coming to work?)


    When customers have you reassess their stuff a year later and all the
    same stuff you reported a year ago is still broken. That's about it
    though. It's a dream job.

    > 2c) Do you work in a large or small firm? Or are you doing freelance
    > work? Which would you prefer/recommend?


    I'm in a large one. It has its benefits and detriments. A small firm
    arguably can be more aggressive in their testing as they're not as
    large a target for getting sued should something go horribly wrong.
    Hasn't happened of course, but just thinking out loud. A large firm
    has all the resources of a large firm, and an established brand that
    connotes trust with a customer and, applied appropriately, a steady
    stream of business. Education budgets, lots of network
    infrastructure and all that jazz. Smaller outfits mean more
    uncertainty but generally higher salaries, less to invest in education
    perhaps, fewer places to go if you ever get burned out.

    This question I think is largely orthogonal of the profession and more
    a personal choice regardless of your IT specialty I guess. Also
    depends a lot on the individual company.

    > 3) What should I do to prepare?


    Send me your resume. I'll see if there's a fit.

    If you aren't already very comfortable in both Linux and Windows, get
    comfortable in both.

    > 3a) Are there any solid courses offered to prepare for this type of
    > work?


    Oh yes. That Infosec CEH class you mention later is pretty darned
    good. They have an advanced class as well that includes exploit
    coding...and I think your background would make you very interested in
    that.

    Defcon is a decent cheap conference that's held annually.

    > 3b) What are the most credible and affordable courses one could take?
    > 3c) In your opinion, what are the strongest certifications to have? Or
    > are any certifications worth their salt?


    CISSP is probably the most widely known, but it requires someone with
    a CISSP to certify that you've worked in a security related field for
    a given amount of time. Your work as a software developer can be
    construed in that way, though. Make friends with a CISSP.

    SANS.org GIAC certifications are a little more highly regarded I'd say
    but cost will be an issue there as well, and then there's the issue of
    which one to take. I don't know that I'd recommend it as a first
    step.

    > 4) Are there any websites out there that would have some or all of the
    > answers to the questions above?
    >
    > I've looked into going to the InfoSec school for Ethical Hacking, and
    > would love to have the bootcamp style training to get me started, but
    > atm, the cost is a bit outside of my limits.


    Talk with them and see what you can negotiate. It's a good class, a very
    good organization (Jack's awesome) and the EC-Council certification
    will carry some weight too. I haven't tested mine out in the
    marketplace, so it's hard to say.

    > I can say, though, that sometime next year I will be able to take
    > such a course. In the meantime, though, I'm trying to figure out if
    > this is something that I'd like to pursue.


    Sounds like a great fit for your interests.

    > I currently have a very secure job and am quite happy with it (most
    > days :) ), as well as having a very bright future for advancement in
    > the industry, but I'm pretty sure I would absolutely love this type
    > of work. I feel like I've only read 'hype' about the career,
    > though.


    If you ask me, the hype is real. It's very fun to break stuff for a
    living.

    > I'd love to pick a grizzled veteran's brain about this and see if
    > it's the right career move for me. Also, I'm young enough to make a
    > career switch a viable option. So it's been weighing on my mind
    > pretty heavily as of late, heh.


    Security is still very much a growth industry and I don't see that
    changing any time soon. Versus software development, if you're living
    in the US, there's an argument to be made that folks will be less
    prone to offshore their security assessment work than they would code
    and software engineering.

    > Thanks in advance to all reply with anything useful,


    Dunno if I've tripped that level, but yer welcome retroactively, as
    applicable. :)

    --

    http://www {dot} toddh {dot} net/
     
    , Oct 26, 2006
    #2

  3. erewhon Guest


    > 2) What is an average day of work like for you?


    As someone on the end of reading security audit reports, can you:

    1 - write high-level management reports, with scare stories to generate more
    work?

    2 - can you write down all the issues their own tech team tell you are
    issues, and present this as your own work?

    3 - can you state the bleeding obvious in an important-looking document -
    'you need to patch your systems, have firewalls & IDS, do more monitoring,
    QA your software, run up-to-date AV, limit admin accts, enforce password
    policy, limit physical access, review security logs....'. (Since every firm
    is always just one step behind in some area, you will always find an 'in'.)
    If they are fully up-to-date and compliant, can you scare them with 0-day
    exploits and more consultancy costs?

    4 - can you steer someone else's cleverly written vulnerability scanner, and
    produce reams of pdf reports which justify your pointless exercise and
    substantial contract fee?

    If so, go work for a big audit firm and keep reselling the above and keep
    creaming the profits, whilst knowing in your heart you've never written a
    line of exploit code or had an original idea on security yourself.

    erewhon
    alt.hacker
     
    erewhon, Oct 28, 2006
    #3
  4. Todd H. Guest

    "erewhon" <> writes:

    > > 2) What is an average day of work like for you?

    >
    > As someone on the end of reading security audit reports, can you:
    >
    > 1 - write high-level management reports, with scare stories to generate more
    > work?
    >
    > 2 - can you write down all the issues their own tech team tell you are
    > issues, and present this as your own work?
    >
    > 3 - can you state the bleeding obvious in an important-looking document -
    > 'you need to patch your systems, have firewalls & IDS, do more monitoring,
    > QA your software, run up-to-date AV, limit admin accts, enforce password
    > policy, limit physical access, review security logs....'. (Since every firm
    > is always just one step behind in some area, you will always find an 'in').
    > If they are fully up-to-date and compliant, can you scare them with 0-day
    > exploits and more consultancy costs.
    >
    > 4 - can you steer someone else's cleverly written vulnerability scanner, and
    > produce reams of pdf reports which justifies your pointless exercise and
    > substantial contract fee



    Pity.

    Sounds like you have contracted someone doing vulnerability scanning
    vs actual ethical hacking.

    But it's funny 'cause the market does have a lot of such crap out there.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Oct 28, 2006
    #4
  5. erewhon Guest


    > Pity.
    >
    > Sounds like you have contracted someone doing vulnerability scanning
    > vs actual ethical hacking.


    From a company perspective, they just want a report which tells them what
    their exposures are (which any idiot could tell them - see point 3), and
    then they can justify the spend and action the recommendations, and thereby
    cover their ass should anyone externally need to have proof of their
    'security'

    It's not about hacking into code, it's about ticking the boxes.

    > But it's funny cus the market does have a lot of such crap out there.


    Usually with a big brand name and a ludicrous fee.
     
    erewhon, Oct 28, 2006
    #5
  6. Guest

    Not sure if my experience applies, but I used to work for the GeekSquad
    at BestBuy. It was hell. But I did learn a few things. Mainly, though,
    I learned that people pay for convenience. People pay for others to do
    the things they need done, but don't have the time to learn how to
    do...

    My job consisted of booting up a computer, and then clicking 'scan' on
    a few antivirus scanners, and a few spyware scanners, and then
    documenting my work. Any monkey could have done the same. So why did
    these customers have me do it?

    They didn't have the time, perhaps even the aptitude, to learn and
    educate themselves on how to do it themselves. Something so seemingly
    simple, yet they didn't do it. I even went to _great_ lengths to show
    these people they were being 'scammed', to show them how to do my
    'job'. 9 times out of 10, though, these people flat out told me they
    'didn't care, just fix it'.

    Perhaps you have some truth in your inflammatory, pessimistic attitude
    of penetration testing/ethical hacking. But I think your opinions are
    more wrong than right.

    1) Businesses want to know worst case scenario, and to be prepared for
    them.

    2) Sure I can. Will I? No. To assume and lump all penetration testers
    into this unethical behavior is a bit narrow minded and immature, imo.

    3) What is bleeding-obvious to you, may not necessarily be obvious to
    others less savvy than yourself. Take my example of spyware, for
    instance. Most people don't understand that a free screensaver is chock
    full of malware and resource hogging software that is generally bad for
    your system. Most people are too busy themselves to sit down and
    educate themselves thoroughly enough to become a smart or even savvy
    internet user. Case in point, most businesses are busy earning money
    and making their business plans work to worry so much about security.
    Hence, they hire a pen-tester or ethical hacker to tell them the things
    they need.

    4) Simply because I don't write my own vulnerability scanners doesn't
    mean I am somehow less knowledgeable or less of a professional. Using
    someone's already established tools is far better than reinventing the
    wheel. It's smart. Do I write all of my current software in assembly,
    because that would somehow make me a superior coder to those who use
    high-level frameworks? No. I use the frameworks given to me to make my
    life easier, my software development more efficient and my production
    time less. Am I less of a software engineer because I don't write all
    my projects in low-level languages? And just because I don't use those
    low level languages, does that mean I don't understand what's going on
    beneath the hood of my framework? You are making large assumptions that
    don't necessarily add up to anything. On the same token, using someone
    else's tools does not mean that I do not understand the
    vulnerabilities. I _could_ attempt the vulnerabilities one by one
    myself, manually executing them, but that would be tedious and slow.
    I'd probably think about automating that, but wait... someone's already
    done that! I'm sure you see my point.

    As for pointless exercises... I'd beg to differ. If they were so
    pointless, perhaps you should tell the CEO that the next time his/her
    security is compromised. "Yes, you were compromised because of this
    particular insecurity, but checking for that before you had been
    attacked would have been pointless in my opinion." Make statements such
    as that, and I'd wonder why you even browse this newsgroup...

    As for substantial contract fees... knowledge is power. The reason
    software engineers are paid well (or at least more than average) is
    because of their knowledge and experience alone; because many have
    devoted their time, effort, and finances to learning their trade. The
    same goes with a penetration tester who stays current. Aside from that,
    I'd wonder how you consider a company's peace of mind and security any
    less valuable than it already is.

    Lastly... simply because I would work as a penetration tester doesn't
    automatically qualify me as a moron in the vulnerability research
    department... And quite honestly, I would probably find myself adequate
    at doing it, considering my background. I do see your point, though, in
    that a truly excellent penetration tester should know these details to
    truly understand his job.

    So, with all of this, I'm going to call you out. I am quite sure that
    if we were to know your line of business, we could make equally narrow
    minded and inflammatory remarks. I won't, of course, but that was an
    attempt to open your mind a bit. And since you posted in this group, on
    this particular topic... have you ever written exploit code? Have you
    ever contributed fresh ideas to the security community? Or do you
    simply deride everyone else's careers, quite likely because of your own
    insecurity in your own skillset? Heck, with your mindset, have you
    written your own OS? Or are you just an inferior user? Have you made
    your own motherboard? Processor? Memory units? Or are you just a simple
    consumer?

    Do you now see how ridiculous your claims sound? In retrospect, had you
    written something like, "Here's how you can be a horrible
    pen-tester..." or perhaps, "These, in my opinion, are great
    pen-testers...", I think I wouldn't have had a problem at all with your
    post. I'd venture to say that constructive criticism _could_ go a long
    way for you. I doubt you'd heed the advice though.



    erewhon wrote:
    > > 2) What is an average day of work like for you?

    >
    > As someone on the end of reading security audit reports, can you:
    >
    > 1 - write high-level management reports, with scare stories to generate more
    > work?
    >
    > 2 - can you write down all the issues their own tech team tell you are
    > issues, and present this as your own work?
    >
    > 3 - can you state the bleeding obvious in an important-looking document -
    > 'you need to patch your systems, have firewalls & IDS, do more monitoring,
    > QA your software, run up-to-date AV, limit admin accts, enforce password
    > policy, limit physical access, review security logs....'. (Since every firm
    > is always just one step behind in some area, you will always find an 'in').
    > If they are fully up-to-date and compliant, can you scare them with 0-day
    > exploits and more consultancy costs.
    >
    > 4 - can you steer someone else's cleverly written vulnerability scanner, and
    > produce reams of pdf reports which justifies your pointless exercise and
    > substantial contract fee
    >
    > If so, go work for a big audit firm and keep reselling the above and keep
    > creaming the profits, whilst knowing in your heart you've never written a
    > line of exploit code or had an original idea on security yourself.
    >
    > erewhon
    > alt.hacker
     
    , Nov 2, 2006
    #6
  7. erewhon Guest

    > 9 times out of 10, though, these people flat out told me they
    > 'didn't care, just fix it'.


    That's certainly the case.

    > Perhaps you have some truth in your inflammatory, pessimistic attitude
    > of penetration testing/ethical hacking. But I think your opinions are
    > more wrong than right.
    >
    > 1) Businesses want to know worst case scenario, and to be prepared for
    > them.


    Businesses don't care about security and vulnerability and exposure. Their
    only interest in technology is in making a manual job easier (and therefore
    saving cost), or generating revenue. In the process they know they have to
    protect their assets (since this impacts their market position, or bottom
    line if services are unavailable or compromised), and they usually know
    they have to be compliant with a variety of legal obligations in terms of
    data security.

    Their driver is not to 'want to know worst case scenario' - they know the
    worst case scenario (I might get fucked over). What they want to know is 'am
    I up to industry standards & best practice' and 'where are my weaknesses'.
    In a large organisation with internal IT, you don't need an external audit
    to tell you this - go and ask your existing teams. They'll have a list of
    jobs which need doing, from laptop encryption, to improved IDS, to personal
    firewalls, to spamware and malware scanners and filters, to better patch
    management... the list will be comprehensive, assuming they actually ask!


    > 2) Sure I can. Will I? No. To assume and lump all penetration testers
    > into this unethical behavior is a bit narrow minded and immature, imo.


    If you are employed by a large audit firm they will have a standard
    approach - investigate their IT by examining all the information obtained
    regarding their infrastructure from their IT teams, discuss their processes,
    ask questions about the aforementioned areas likely to cause concern
    (firewalls, patch, malware, encryption, et al) then present this list of
    flaws in an audit report for management.
    The managers will expect this - the audit firm knows this, and it will be a
    cookbook delivery - the content of which will be obtained from existing IT
    teams. How else would they be able to provide such a report in isolation -
    audit every single network switch, firewall setting, PC and server? No -
    they work from the inside to obtain, then resell back to you, your own
    information.


    > 3) What is bleeding-obvious to you, may not necessarily be obvious to
    > others less savvy than yourself. Take my example of spyware, for
    > instance. Most people don't understand that a free screensaver is chock
    > full of malware and resource hogging software that is generally bad for
    > your system. Most people are too busy themselves to sit down and
    > educate themselves thoroughly enough to become a smart or even savvy
    > internet user. Case in point, most businesses are busy earning money
    > and making their business plans work to worry so much about security.
    > Hence, they hire a pen-tester or ethical hacker to tell them the things
    > they need.


    No they don't. They need to employ a team who can provide rigorous desktop
    and server build standards. Someone who can write and enforce policy. They
    need to employ someone to install AV, patch management, firewalls, IDS,
    packet monitoring, proxy servers, malware and content sweepers at the
    gateways et al.

    That's why I stated your report needs to contain the obvious: "you need to
    patch your systems, have firewalls & IDS, do more monitoring, QA your
    software, run up-to-date AV, limit admin accts, enforce password policy,
    limit physical access, review security logs....".

    It does not require a pen-tester/ethical hacker to provide this analysis. It
    needs a competent and informed IT team. Anyone who's big enough to buy pen
    testing is big enough to have its own IT team provide such a report
    detailing areas for improvement.

    Having written such a detailed report covering all such exposures, and
    mitigating factors, and technology & process required to resolve it, I then
    realised big firms think very little of their own skilled IT team. They
    ended up paying $200k+ for an audit firm to do a fraction of the analysis I
    did, with far fewer practical solutions. It's only by paying third parties
    to come in, do the glossy report, that the IT managers can go to the board
    and justify the spend on fixing the issues. Third party auditors know this -
    your skills on code-exploit writing will not be required for the job of a
    pen-tester.

    > 4) Simply because I don't write my own vulnerability scanners doesn't
    > mean I am somehow less knowledgeable or less of a professional.


    Of course it does. The people who make such tools are obviously better
    informed as to how the vulnerabilities exist, how they can be exploited and
    how they can be detected. The user of such a tool is just that - a user of
    someone else's tool. If they had the ability they claimed, they would write
    their own.

    > Using
    > someone's already established tools is far better than reinventing the
    > wheel.


    I never said it wasn't. I said 'can you steer someone else's cleverly
    written vulnerability scanner' to produce reports. Any monkey can do this -
    you don't need an experienced code head/pen tester/ethical hacker to point
    and click these tools.

    >It's smart. Do I write all of my current software in assembly,
    > because that would somehow make me a superior coder to those who use
    > high-level frameworks? No. I use the frameworks given to me to make my
    > life easier, my software development more efficient and my production
    > time less. Am I less of a software engineer because I don't write all
    > my projects in low-level languages? And just because I don't use those
    > low level languages, does that mean I don't understand what's going on
    > beneath the hood of my framework?


    Most auditors/pen testers who sell their services have little knowledge in
    this regard. It's just not required to produce the reports and analysis
    which are being commissioned. The business needs a report from a tool which
    can detect these holes. They don't give a shit if the person steering the
    tool actually HAS the expertise to write the exploit code - they only need
    to know if the hole exists and therefore the POSSIBILITY exists that someone
    could exploit it.

    >You are making large assumptions that
    > don't necessarily add up to anything.


    I am? Where exactly are my assertions flawed?

    > On the same token, using someone
    > else's tools does not mean that I do not understand the
    > vulnerabilities. I _could_ attempt the vulnerabilities one by one
    > myself, manually executing them, but that would be tedious and slow.
    > I'd probably think about automating that, but wait... someone's already
    > done that! I'm sure you see my point.


    And my point is that no-one in the business cares if the employed
    hacker/pen-tester/auditor actually has the skills to carry out the attacks
    they say they are vulnerable to. They only need to know that such
    possibilities exist - and for this you don't need to be a hacker/pen-tester -
    just a monkey in a suit, with an arm full of reports and a penchant for
    selling them back their own ideas.

    > As for pointless exercises... I'd beg to differ. If they were so
    > pointless, perhaps you should tell the CEO that the next time his/her
    > security is compromised. "Yes, you were compromised because of this
    > particular insecurity, but checking for that before you had been
    > attacked would have been pointless in my opinion." Make statements such
    > as that, and I'd wonder why you even browse this newsgroup...


    I never said pen-testing was pointless. I said that the job of a
    'professional pen-tester' is not what you would end up doing, since people
    would be paying you to deliver to a common set of criteria - none of which
    require an in-depth knowledge of exploit code and holes, only the means to
    identify where they exist.

    > As for substantial contract fees... knowledge is power. The reason
    > software engineers are paid well (or at least more than average) is
    > because of their knowledge and experience alone; because many have
    > devoted their time, effort, and finances to learning their trade. The
    > same goes with a penetration tester who stays current.


    My point is that this task does not require a substantial amount of
    knowledge, above and beyond what a competent network or server engineer has
    at hand, to deliver the output of such reports.

    > Lastly... simply because I would work as a penetration tester doesn't
    > automatically qualify me as a moron in the vulnerability research
    > department... And quite honestly, I would probably find myself adequate
    > at doing it, considering my background. I do see your point, though, in
    > that a truly excellent penetration tester should know these details to
    > truly understand his job.


    Actually, my point is - the best pen testers work in the background, writing
    the tools and exploits. Business-facing pen-testers do not - they steer
    tools, & write cookbook reports.

    > So, with all of this, I'm going to call you out. I am quite sure that
    > if we were to know your line of business, we could make equally narrow
    > minded and inflammatory remarks.


    I'm a server engineer - I scope, design, & implement solutions, with a
    degree of third line support for a multi-billion pound firm. I get paid shit
    loads 'cause I'm very good at it.

    I know what tools to use, have written best design practice, and know how to
    deliver a secure, resilient solution on time, within budget and following
    process.

    > I won't, of course, but that was an
    > attempt to open your mind a bit. And since you posted in this group, on
    > this particular topic... have you ever written exploit code?


    No. I don't claim to have.

    > Have you
    > ever contributed fresh ideas to the security community?


    Yes.

    > Or do you
    > simply deride everyone else's careers, quite likely because of your own
    > insecurity in your own skillset?


    Me - insecure?! I'm not deriding the career path - I'm stating it will not
    be what you expect and hope it to be.

    >Heck, with your mindset, have you
    > written your own OS?


    No.

    >Or are you just an inferior user? Have you made
    > your own motherboard? Processor? Memory units? Or are you just a simple
    > consumer?


    I did a smattering of electronics during my degree.

    > Do you now see how ridiculous your claims sound? In retrospect, had you
    > written something like, "Here's how you can be a horrible
    > pen-tester..." or perhaps, "These, in my opinion, are great
    > pen-testers...", I think I wouldn't have had a problem at all with your
    > post. I'd venture to say that constructive criticism _could_ go a long
    > way for you. I doubt you'd heed the advice though.


    Hey - It's just my perspective based on experience.

    erewhon
    alt.hacker
     
    erewhon, Nov 2, 2006
    #7
  8. Guest

    Perhaps my perceptions of the business are a bit naive, I suppose. And
    perhaps I was too quick to judge by your own response.

    So this is one of those rare occasions on the 'net that anyone will see
    an apology in these types of discussions -- Sorry for jumping to my own
    assumptions. I suppose we all know where they lead.

    So. Perhaps a corporate pen-tester is not the job I'd like to go into,
    and I have been misled. I suppose then, I would rephrase my question.
    I like security; I like breaking into networks, and also finding out
    how others have broken into mine. I'm a pretty damn good programmer,
    and understand low level languages. What _would_ be the career that
    would best facilitate that? Perhaps a network forensics consultant?
    Something along those lines? Perhaps a vulnerability researcher?

    Any direction here would be wonderful.
    Thanks, and again, my apologies.

    erewhon wrote:
    > > 9 times out of 10, though, these people flat out told me they
    > > 'didn't care, just fix it'.

    >
    > That's certainly the case.
    >
    > > Perhaps you have some truth in your inflammatory, pessimistic attitude
    > > of penetration testing/ethical hacking. But I think your opinions are
    > > more wrong than right.
    > >
    > > 1) Businesses want to know worst case scenario, and to be prepared for
    > > them.

    >
    > Businesses don't care about security and vulnerability and exposure. Their
    > only interest in technology is in making a manual job easier (and therefore
    > saving cost), or generating revenue. In the process they know they have to
    > protect their assets (since this impacts their market position, or bottom
    > line if services are unavailable or compromised), and that they usually know
    > they have to be compliant with a variety of legal obligations in terms of
    > data security.
    >
    > Their driver is not to 'want to know worst case scenario' - they know the
    > worst case scenario (I might get fucked over). What they want to know is 'am
    > I up to industry standards & best practice' and 'where are my weaknesses'.
    > In a large organisation with internal IT, you don't need an external audit
    > to tell you this - go and ask your existing teams. They'll have a list of
    > jobs which need doing, from laptop encryption, to improved IDS, to personal
    > firewalls, to spamware and malware scanners and filters, to better patch
    > management... the list will be comprehensive, assuming they actually ask!
    >
    >
    > > 2) Sure I can. Will I? No. To assume and lump all penetration testers
    > > into this unethical behavior is a bit narrow minded and immature, imo.

    >
    > If you are employed by a large audit firm they will have a standard
    > approach - investigate their IT by examining all the information obtained
    > regarding their infrastructure from their IT teams, discuss their processes,
    > ask questions about the aforementioned areas likely to cause concern
    > (firewalls, patch, malware, encryption, et al) then present this list of
    > flaws in an audit report for management.
    > The managers will expect this - the audit firm knows this, and it will be a
    > cookbook delivery - the content of which will be obtained from existing IT
    > teams. How else would they be able to provide such a report in isolation -
    > audit every single network switch, firewall setting, PC and server? No -
    > they work from the inside to obtain, then resell back to you your own
    > information.
    >
    >
    > > 3) What is bleeding-obvious to you, may not necessarily be obvious to
    > > others less savvy than yourself. Take my example of spyware, for
    > > instance. Most people don't understand that a free screensaver is chock
    > > full of malware and resource hogging software that is generally bad for
    > > your system. Most people are too busy themselves to sit down and
    > > educate themselves thoroughly enough to become a smart or even savvy
    > > internet user. Case in point, most businesses are busy earning money
    > > and making their business plans work to worry so much about security.
    > > Hence, they hire a pen-tester or ethical hacker to tell them the things
    > > they need.

    >
    > No they don't. They need to employ a team who can provide rigorous desktop
    > and server build standards. Someone who can write and enforce policy. They
    > need to employ someone to install AV, patch management, firewalls, IDS,
    > packet monitoring, proxy servers, malware and content sweepers at the
    > gateways et al.
    >
    > That's why I stated your report needs to contain the obvious: "you need to
    > patch your systems, have firewalls & IDS, do more monitoring, QA your
    > software, run up-to-date AV, limit admin accts, enforce password policy,
    > limit physical access, review security logs...".
    >
    > It does not require a pen-tester/ethical hacker to provide this analysis. It
    > needs a competent and informed IT team. Anyone who's big enough to buy pen
    > testing, is big enough to have its own IT team provide such a report
    > detailing areas for improvement.
    >
    > Having written such a detailed report covering all such exposures, and
    > mitigating factors, and technology & process required to resolve it, I then
    > realised big firms think very little of their own skilled IT team. They
    > ended up paying $200k+ for an audit firm to do a fraction of the analysis I
    > did, with far fewer practical solutions. It's only by paying third parties
    > to come in, do the glossy report, that the IT managers can go to the board
    > and justify the spend on fixing the issues. Third party auditors know this -
    > your skills on code-exploit writing will not be required for the job of a
    > pen-tester.
    >
    > > 4) Simply because I don't write my own vulnerability scanners doesn't
    > > mean I am somehow less knowledgeable or less of a professional.

    >
    > Of course it does. The people who make such tools are obviously better
    > informed as to how the vulnerabilities exist, how they can be exploited and
    > how they can be detected. The user of such tool is just that - a user of
    > someone else's tool. If they had the ability they claimed, they would write
    > their own.
    >
    > > Using
    > > someone's already established tools is far better than reinventing the
    > > wheel.

    >
    > I never said it wasn't. I said 'can you steer someone else's cleverly
    > written vulnerability scanner' to produce reports. Any monkey can do this -
    > you don't need an experienced code head/pen tester/ethical hacker to point
    > and click these tools.
    >
    > >It's smart. Do I write all of my current software in assembly,
    > > because that would somehow make me a superior coder to those who use
    > > high-level frameworks? No. I use the frameworks given to me to make my
    > > life easier, my software development more efficient and my production
    > > time less. Am I less of a software engineer because I don't write all
    > > my projects in low-level languages? And just because I don't use those
    > > low level languages, does that mean I don't understand what's going on
    > > beneath the hood of my framework?

    >
    > Most auditors/pen testers who sell their services have little knowledge in
    > this regard. It's just not required to produce the reports and analysis
    > which is being commissioned. The business needs a report from a tool which
    > can detect these holes. They don't give a shit if the person steering the
    > tool actually HAS the expertise to write the exploit code - they only need
    > to know if the hole exists and therefore the POSSIBILITY exists that someone
    > could exploit it.
    >
    > >You are making large assumptions that
    > > don't necessarily add up to anything.

    >
    > I am? Where exactly are my assertions flawed?
    >
    > > On the same token, using someone
    > > else's tools does not mean that I do not understand the
    > > vulnerabilities. I _could_ attempt the vulnerabilities one by one
    > > myself, manually executing them, but that would be tedious and slow.
    > > I'd probably think about automating that, but wait... someone's already
    > > done that! I'm sure you see my point.

    >
    > And my point is that no-one in the business cares if the employed
    > hacker/pen-tester/auditor actually has the skills to carry out the attacks
    > they say they are vulnerable to. They only need to know that such
    > possibilities exist - and for this you don't need to be a hacker/pen-tester -
    > just a monkey in a suit, with an arm full of reports and a penchant for
    > selling them back their own ideas.
    >
    > > As for pointless exercises... I'd beg to differ. If they were so
    > > pointless, perhaps you should tell the CEO that the next time his/her
    > > security is compromised. "Yes, you were compromised because of this
    > > particular insecurity, but checking for that before you had been
    > > attacked would have been pointless in my opinion." Make statements such
    > > as that, and I'd wonder why you even browse this newsgroup...

    >
    > I never said pen-testing was pointless. I said that the job of a
    > 'professional pen-tester' is not what you would end up doing, since people
    > would be paying you to deliver to a common set of criteria - none of which
    > require an in-depth knowledge of exploit code and holes, only the means to
    > identify where they exist.
    >
    > > As for substantial contract fees... knowledge is power. The reason
    > > software engineers are paid well (or at least more than average) is
    > > because of their knowledge and experience alone; because many have
    > > devoted their time, effort, and finances to learning their trade. The
    > > same goes with a penetration tester who stays current.

    >
    > My point is that this task does not require a substantial amount of
    > knowledge, above and beyond what a competent network or server engineer has
    > at hand, to deliver the output of such reports.
    >
    > > Lastly... simply because I would work as a penetration tester doesn't
    > > automatically qualify me as a moron in the vulnerability research
    > > department... And quite honestly, I would probably find myself adequate
    > > at doing it, considering my background. I do see your point, though, in
    > > that a truly excellent penetration tester should know these details to
    > > truly understand his job.

    >
    > Actually, my point is - the best pen testers work in the background, writing
    > the tools and exploits. Business-facing pen-testers do not - they steer
    > tools, & write cookbook reports.
    >
    > > So, with all of this, I'm going to call you out. I am quite sure that
    > > if we were to know your line of business, we could make equally narrow
    > > minded and inflammatory remarks.

    >
    > I'm a server engineer - I scope, design, & implement solutions, with a
    > degree of third line support for a multi-billion pound firm. I get paid shit
    > loads cos I'm very good at it.
    >
    > I know what tools to use, have written best design practice, and how to
    > deliver a secure, resilient solution on time, within budget and following
    > process.
    >
    > > I won't, of course, but that was an
    > > attempt to open your mind a bit. And since you posted in this group, on
    > > this particular topic... have you ever written exploit code?

    >
    > No. I don't claim to have.
    >
    > > Have you
    > > ever contributed fresh ideas to the security community?

    >
    > Yes.
    >
    > > Or do you
    > > simply deride everyone else's careers, quite likely because of your own
    > > insecurity in your own skillset?

    >
    > Me - insecure?! I'm not deriding the career path - I'm stating it will not
    > be what you expect and hope it to be.
    >
    > >Heck, with your mindset, have you
    > > written your own OS?

    >
    > No.
    >
    > >Or are you just an inferior user? Have you made
    > > your own motherboard? Processor? Memory units? Or are you just a simple
    > > consumer?

    >
    > I did a smattering of electronics during my degree..
    >
    > > Do you now see how ridiculous your claims sound? In retrospect, had you
    > > written something like, "Here's how you can be a horrible
    > > pen-tester..." or perhaps, "These, in my opinion, are great
    > > pen-testers...", I think I wouldn't have had a problem at all with your
    > > post. I'd venture to say that constructive criticism _could_ go a long
    > > way for you. I doubt you'd heed the advice though.

    >
    > Hey - It's just my perspective based on experience.
    >
    > erewhon
    > alt.hacker
     
    , Nov 2, 2006
    #8
  9. Todd H. Guest

    writes:

    > Perhaps my perceptions of the business are a bit naive, I suppose. And
    > perhaps I was too quick to judge by your own response.
    >
    > So this is one of those rare occasions on the 'net that anyone will see
    > an apology in these types of discussions -- Sorry for jumping to my own
    > assumptions. I suppose we all know where they lead.
    >
    > So. Perhaps a corporate pen-tester is not the job I'd like to go into,
    > and I have been misled.



    Let's just say I wouldn't let erewhon's bleak look into compliance
    based, audit testing scare you away.

    There are very cool pentesting jobs out there where a decent
    proportion of your customers are getting their audits done out of
    wanting to be secure rather than just getting a rubber stamp that says
    they are, to paraphrase a defcon speaker's comments. :)

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Nov 2, 2006
    #9
  10. erewhon Guest

    > Perhaps my perceptions of the business are a bit naive, I suppose. And
    > perhaps I was too quick to judge by your own response.
    >
    > So this is one of those rare occasions on the 'net that anyone will see
    > an apology in these types of discussions -- Sorry for jumping to my own
    > assumptions. I suppose we all know where they lead.
    >
    > So. Perhaps a corporate pen-tester is not the job I'd like to go into,
    > and I have been misled.


    Not necessarily - I paint a picture based on corporate requirements, and
    their need for audit reports and legal compliance. My concern was that as
    someone such as yourself with a deeper interest in the subject matter, with
    a talent for coding and understanding of the nature of code exploits, that
    this type of job would not provide the type of challenge and interest you
    appear to be looking for.

    As an 'in' to the security market, perhaps it would not be such a bad thing
    to go through this exercise of working for such an audit firm. This would give
    you access to a wide range of IT environments, allow you to develop your
    management report writing and board presentation skills, and give you access
    to IT professionals with a range of backgrounds and skills, and see how good
    firms do it well, and how bad ones **** it up.

    As with all jobs, the job you hope it will be is not necessarily the one it
    actually is.

    Get some training. Get certified. Apply for the jobs.

    Then when you get to the interview, ask the questions - what will the job
    entail, how much training is provided to keep abreast of technologies and
    their vulnerabilities, how do you perform the audits, what reports do you
    produce, who is your client base. This will give you a clear picture of what
    you are getting yourself into.

    Don't be surprised if the corporate audit firms are closer to how I describe
    them than you may hope.

    > I suppose then, I would rephrase my question.
    > I like security; I like breaking into networks, and also finding out
    > how others have broken into mine. I'm a pretty damn good programmer,
    > and understand low level languages. What _would_ be the career that
    > would best facilitate that? Perhaps a network forensics consultant?
    > Something along those lines? Perhaps a vulnerability researcher?


    Very possibly. As a coder, you could also advertise your skills reviewing
    other people's code to ensure it is not susceptible to exploit - a very
    important QA function.

    You could work for a firm which writes anti-virus, anti-malware, or content
    filtering software - or at their sharp end of exploit / virus analysis and
    patch management.

    All vendors need QA and security patches.

    > Any direction here would be wonderful.


    Take on board a range of perspectives. You may have to take a leap of faith
    and learn the pro's and con's of each career prospect. At worst your CV
    looks stronger for the experience.

    > Thanks, and again, my apologies.


    No apologies required. I offer merely one perspective (that of my own).

    Opinions are like ass-holes. Everyone's got one :)

    erewhon
    alt.hacker
     
    erewhon, Nov 2, 2006
    #10
  11. Guest

    Just wanted to thank you both for all of your insight and help. I'll be
    getting certifications and looking around at the local scene to see if
    there are any entry level positions available.

    Thanks again!

    , Nov 2, 2006
    #11