Re: Just getting started in pen-testing



Thanks for the suggestions everyone, but my original questions remain
unanswered: What advice can you give about _working as a freelancer_,
and what type of _small businesses_ need pen tests? I'm doing other
research into these questions, of course, but it only makes sense to
ask other pen testers.

I know my dark-themed website is untraditional in the pen-testing
industry, but it was a deliberate decision. If I wanted to market
myself differently, I wouldn't have chosen the name Bandit Defense.
I'm also not asking for advice in how to advance my career as a pen
testing, or what other certs to take. I'm just trying to hear from
people who have also worked freelance, and who have had customers that
weren't medium to large corporations.

J, I don't know why you assume that I only use automated tools and
that I'm a scriptkiddy, but I apologize if my website scared you away.

m0rebel
Bandit Defense


On Mon, Nov 10, 2008 at 2:58 PM, J. Oquendo <sil@xxxxxxxxxxxxxxx> wrote:
On Mon, 10 Nov 2008, Matt - MRS Security wrote:

Hey J.

I think that direction towards courses as a recommendation would be
suitable for people so they could launch themselves towards getting
certain qualifications.

I think getting a few people to commit to helping out would be the way
forwards. Thats if Erin wants a FAQ.

Thanks

Matt.


Interesting but I believe it's dual-edged sword - the certificate approach.
I started getting certs recently with an already established background
in infosec. I don't and have never needed them not to mention to be honest
about it the only thing they've gotten me so far is, more email, more
paperwork... With this said there is also the flipside of things - I have
learned to broaden my horizons with them, but this was post-cert.

Pentesting to me as I said before is similar to an art. There are far and
few courses worth looking into as far as certifications go. For example,
my most "coveted" for lack of better terms cert is the OSCP because I
actually re-learned things and saw them from a different angle. This does
not mean it should be viewed as the "de-facto" cert to get however, I'd
personally respect interviewing or meeting another OSCP over a CISSP, C|EH,
etc., and this is not to take anything away from those cert holders so I
don't need CISSP's to come complaining about apples and oranges.

My problem with the cert route is - unless you're going to re-cert with
that body, it will be useless as the industry changes at such a rapid pace.
There would be too much to learn for one sitting period especially in a
year.s time frame. Right now I'm doing CISM studies - which I could care
little for (managerial) however, I enjoy learning the business processes
involved with security governance. There is more to it all than just
tools ;)

Does this mean I want to revamp and push papers (not taking anything away
from security managers)... The answer is no. I study and learn constantly
to understand it all as in-depth as I can. I usually tell others who ask
me to understand network and systems heavily before even focusing on tools.
I believe in doing so, they'll be able to understand the inner workings of
it all and quite possibly create their own tools, methods, etc., so am I
wrong in thinking along these terms.

Now let's go to the working class "Joe the Plumber" - the real "Joe the
Plumber" who doesn't make 200k per year. You expect him to fork over X
amount of money on "recommended" courses? Recommended by whom and why? Do
you believe that everyone can recommend courses without introducing
polit(r)ic(k)s into the mix? I sincerely doubt this.

Also because pentesting is extremely broad, what course if you can actually
find any - would you promote to say pentest a VoIP infrastructure? It's
pretty much non-existent. You either understand the topology, technology,
etc., from the top down, or you'll be lost in the sauce. And no "Hacking
VoIP" (hello Dave/Mark) can only help you so much. However, if you
understood the underlying framework of packets and protocols, you'd be able
to determine what to look for on which layers of the OSI period, no matter
what you're pentesting.

I believe certs can definitely help, but they are of limited use on the
learning phase. So you waste (or spend depending on your view) time learning
about say web application security. You spend/waste time reading and
re-reading Shellcoder's Handbook, learning C or some other language. You
spend or waste time learning about fuzziers and all that you're trying is
failing. You never took the time to learn about the networking side of
things so you're not running tcpdump, snoop or any other sniffer on the wire
to see that you're not trunked in the right VLAN. Then what?

I believe a top down approach to it all - via books, trial and error labs is
the way to go WAY before one invests money in any cert. It's what I believes
separates the pros from the joes. You could tell me you possess all the certs
in the world and unless you really know your stuff, I can point you out to
plenty of "well certified" individuals whom I could mop the floor with on a
CTF on any given day with one hand, no coffee, on a 486 running RH Hurricane.
And I mean this not arrogantly, but I mean it as a matter of factual - truth
is the truth - way. Not bringing any person down, any cert down...

I have a friend (hello RR) who to this day I believe is possibly the best
pentester I've met. Uses no one's tools. Prefers doing things the old school
way. Maybe its how he feels comfortable doing it, maybe it's what he learned
in Indiana (;)) who knows. I respect him for his ability and his very intimate
knowledge. He has zero cert that I'm aware of. In fact, most of the pentesters
I know and respect most... Don't have titles to their names ;) Does this mean
they're cert illiterate, "unschooled", "unreliable" pentesters? Sorry I don't
believe the cert route is necessarily the best route. Just my two cents - alas
I rambled on enough, but if I had to recommend what you asked for, then I would
be telling people to take the following route:

Networking/Design:
CCNA
CCDA
CCNP
CCDP

Systems:
SCSA
Linux+
MCSA

Security:
Security+
C|EH - to become exposed to tools
OSCP
OPSA
CPTE

Web-applications:
What do you suggest here ;)


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Each player must accept the cards life deals him
or her: but once they are in hand, he or she alone
must decide how to play the cards in order to win
the game." Voltaire

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



Relevant Pages

  • Re: Just getting started in pen-testing
    ... Pentesting to me as I said before is similar to an art. ... my most "coveted" for lack of better terms cert is the OSCP because I ... Security Trends Report from Cenzic ...
    (Pen-Test)
  • Re: Just getting started in pen-testing
    ... On Mon, 10 Nov 2008, Matt - MRS Security wrote: ... I think that direction towards courses as a recommendation would be ... my most "coveted" for lack of better terms cert is the OSCP because I ... I rambled on enough, but if I had to recommend what you asked for, then I would ...
    (Pen-Test)
  • Re: Redhat certification
    ... Enterprise environment as a "senior" because they have a cert. ... work hard and learn jump start their careers. ... going through the courses and learning, to the point where you can ...
    (linux.redhat)
  • Re: Night school.
    ... HNC was usually at the end of a very long sequence of courses. ... CGLI craftsman's cert, ... followed by the intermediate technological certificate cert ...
    (uk.politics.misc)
  • Re: Night school.
    ... HNC was usually at the end of a very long sequence of courses. ... CGLI craftsman's cert, ... followed by the intermediate technological certificate cert (two ...
    (uk.politics.misc)