Re: Starting a Pen-Testing Career

Perhaps my perceptions of the business are a bit naive, I suppose. And
perhaps I was too quick to judge by your own response.

So this is one of those rare occasions on the 'net that anyone will see
an apology in these types of discussions -- Sorry for jumping to my own
assumptions. I suppose we all know where they lead.

So. Perhaps a corporate pen-tester is not the job I'd like to go into,
and I have been misled. I suppose then, I would rephrase my question.
I like security; I like breaking into networks, and also finding out
how others have broken into mine. I'm a pretty damn good programmer,
and understand low level languages. What _would_ be the career that
would best facilitate that? Perhaps a network forensics consultant?
Something along those lines? Perhaps a vulnerability researcher?

Any direction here would be wonderful.
Thanks, and again, my apologies.

erewhon wrote:
9 times out of 10, though, these people flat out told me they
'didn't care, just fix it'.

That's certainly the case.

Perhaps you have some truth in your inflammatory, pessimistic attitude
of penetration testing/ethical hacking. But I think your opinions are
more wrong than right.

1) Businesses want to know worst case scenario, and to be prepared for
them.

Businesses don't care about security and vulnerability and exposure. Their
only interest in technology is in making a manual job easier (and therefore
saving cost), or generating revenue. In the process they know they have to
protect their assets (since this impacts their market position, or bottom
line if services are unavailable or compromised), and that they usually know
they have to be compliant with a variety of legal obligations in terms of
data security.

Their driver is not to 'want to know worst case scenario' - they know the
worst case scenario (I might get fucked over). What they want to know is 'am
I up to industry standards & best practice' and 'where are my weaknesses'.
In a large organisation with internal IT, you don't need an external audit
to tell you this - go and ask your existing teams. They'll have a list of
jobs which need doing, from laptop encryption, to improved IDS, to personal
firewalls, to spamware and malware scanners and filters, to better patch
management... the list will be comprehensive, assuming they actually ask!


2) Sure I can. Will I? No. To assume and lump all penetration testers
into this unethical behavior is a bit narrow minded and immature, imo.

If you are employed by a large audit firm they will have a standard
approach - investigate their IT by examining all the information obtained
regarding their infrastructure from their IT teams, discuss their processes,
ask questions about the aforementioned areas likely to cause concern
(firewalls, patch, malware, encryption, et al) then present this list of
flaws in an audit report for management.
The managers will expect this - the audit firm knows this, and it will be a
cookbook delivery - the content of which will be obtained from existing IT
teams. How else would they be able to provide such a report in isolation -
audit every single network switch, firewall setting, PC and server? No -
they work from the inside to obtain, then resell back to you, your own
information.


3) What is bleeding-obvious to you, may not necessarily be obvious to
others less savvy than yourself. Take my example of spyware, for
instance. Most people don't understand that a free screensaver is chock
full of malware and resource hogging software that is generally bad for
your system. Most people are too busy themselves to sit down and
educate themselves thoroughly enough to become a smart or even savvy
internet user. Case in point, most businesses are busy earning money
and making their business plans work to worry so much about security.
Hence, they hire a pen-tester or ethical hacker to tell them the things
they need.

No they don't. They need to employ a team who can provide rigorous desktop
and server build standards. Someone who can write and enforce policy. They
need to employ someone to install AV, patch management, firewalls, IDS,
packet monitoring, proxy servers, malware and content sweepers at the
gateways et al.

That's why I stated your report needs to contain the obvious: "you need to
patch your systems, have firewalls & IDS, do more monitoring, QA your
software, run up-to-date AV, limit admin accts, enforce password policy,
limit physical access, review security logs...".

It does not require a pen-tester/ethical hacker to provide this analysis. It
needs a competent and informed IT team. Anyone who's big enough to buy pen
testing is big enough to have its own IT team provide such a report
detailing areas for improvement.

Having written such a detailed report covering all such exposures, and
mitigating factors, and technology & process required to resolve it, I then
realised big firms think very little of their own skilled IT team. They
ended up paying $200k+ for an audit firm to do a fraction of the analysis I
did, with far fewer practical solutions. It's only by paying third parties
to come in, do the glossy report, that the IT managers can go to the board
and justify the spend on fixing the issues. Third party auditors know this -
your skills on code-exploit writing will not be required for the job of a
pen-tester.

4) Simply because I don't write my own vulnerability scanners doesn't
mean I am somehow less knowledgeable or less of a professional.

Of course it does. The people who make such tools are obviously better
informed as to how the vulnerabilities exist, how they can be exploited and
how they can be detected. The user of such a tool is just that - a user of
someone else's tool. If they had the ability they claimed, they would write
their own.

Using someone's already established tools is far better than reinventing
the wheel.

I never said it wasn't. I said 'can you steer someone else's cleverly
written vulnerability scanner' to produce reports. Any monkey can do this -
you don't need an experienced code head/pen tester/ethical hacker to point
and click these tools.

It's smart. Do I write all of my current software in assembly,
because that would somehow make me a superior coder to those who use
high-level frameworks? No. I use the frameworks given to me to make my
life easier, my software development more efficient and my production
time less. Am I less of a software engineer because I don't write all
my projects in low-level languages? And just because I don't use those
low level languages, does that mean I don't understand what's going on
beneath the hood of my framework?

Most auditors/pen testers who sell their services have little knowledge in
this regard. It's just not required to produce the reports and analysis
which is being commissioned. The business needs a report from a tool which
can detect these holes. They don't give a *** if the person steering the
tool actually HAS the expertise to write the exploit code - they only need
to know if the hole exists and therefore the POSSIBILITY exists that someone
could exploit it.

You are making large assumptions that don't necessarily add up to anything.

I am? Where exactly are my assertions flawed?

On the same token, using someone
else's tools does not mean that I do not understand the
vulnerabilities. I _could_ attempt the vulnerabilities one by one
myself, manually executing them, but that would be tedious and slow.
I'd probably think about automating that, but wait... someone's already
done that! I'm sure you see my point.

And my point is that no-one in the business cares if the employed
hacker/pen-tester/auditor actually has the skills to carry out the attacks
they say they are vulnerable to. They only need to know that such
possibilities exist - and for this you don't need to be a hacker/pen-tester -
just a monkey in a suit, with an arm full of reports and a penchant for
selling them back their own ideas.

As for pointless exercises... I'd beg to differ. If they were so
pointless, perhaps you should tell the CEO that the next time his/her
security is compromised. "Yes, you were compromised because of this
particular insecurity, but checking for that before you had been
attacked would have been pointless in my opinion." Make statements such
as that, and I'd wonder why you even browse this newsgroup...

I never said pen-testing was pointless. I said that the job of a
'professional pen-tester' is not what you would end up doing, since people
would be paying you to deliver to a common set of criteria - none of which
require an in-depth knowledge of exploit code and holes, only the means to
identify where they exist.

As for substantial contract fees... knowledge is power. The reason
software engineers are paid well (or at least more than average) is
because of their knowledge and experience alone; because many have
devoted their time, effort, and finances to learning their trade. The
same goes with a penetration tester who stays current.

My point is that this task does not require a substantial amount of
knowledge, above and beyond what a competent network or server engineer has
at hand, to deliver the output of such reports.

Lastly... simply because I would work as a penetration tester doesn't
automatically qualify me as a moron in the vulnerability research
department... And quite honestly, I would probably find myself adequate
at doing it, considering my background. I do see your point, though, in
that a truly excellent penetration tester should know these details to
truly understand his job.

Actually, my point is - the best pen testers work in the background, writing
the tools and exploits. Business facing pen-testers do not - they steer
tools, & write cookbook reports.

So, with all of this, I'm going to call you out. I am quite sure that
if we were to know your line of business, we could make equally narrow
minded and inflammatory remarks.

I'm a server engineer - I scope, design, & implement solutions, with a
degree of third line support, for a multi-billion pound firm. I get paid ***
loads cos I'm very good at it.

I know what tools to use, have written best design practice, and know how to
deliver a secure, resilient solution on time, within budget and following
process.

I won't, of course, but that was an attempt to open your mind a bit. And
since you posted in this group, on this particular topic... have you ever
written exploit code?

No. I don't claim to have.

Have you ever contributed fresh ideas to the security community?

Yes.

Or do you simply deride everyone else's careers, quite likely because of
your own insecurity in your own skillset?

Me - insecure?! I'm not deriding the career path - I'm stating it will not
be what you expect and hope it to be.

Heck, with your mindset, have you written your own OS?

No.

Or are you just an inferior user? Have you made your own motherboard?
Processor? Memory units? Or are you just a simple consumer?

I did a smattering of electronics during my degree.

Do you now see how ridiculous your claims sound? In retrospect, had you
written something like, "Here's how you can be a horrible
pen-tester..." or perhaps, "These, in my opinion, are great
pen-testers...", I think I wouldn't have had a problem at all with your
post. I'd venture to say that constructive criticism _could_ go a long
way for you. I doubt you'd heed the advice though.

Hey - It's just my perspective based on experience.

erewhon
alt.hacker
