Summary - How to become a professional penetration tester?

["David Fuller" <burchoff2000 () yahoo com>]

For the past two to three weeks I have received about 15 emails asking me to
post or send a summary or what I received off list unfortunately every time
I try to post the replies I received it gets rejected by the list moderator.
So I have chosen to give a break down of what I received.

I received emails from three companies informing me of the availability of
Internships and summer jobs at there company. There names are Fishnet
Security (www.fishnetsecurity.com), Spidynamics (www.spidynamics.com) and
Ncider (www.ncider.com). Where my question about courses that I could take
in university are concerned Brian Joseph gave a very nice reply which you
will see below:

Brian Joseph's Email

> David,

> You should look at courses that focus on networking and system OS's.  It
seems
> that schools are very affraid to teach their students how to become good
> hackers, but if you are smart and put it all together, you will realize
that
> they are giving you the tools to do so.

> I recently graduated from the Rochester Institute of Technology.  During my
> last quarter there, I developed a class called "System Security," which
> focused on Windows and Unix OS security.  I wrote the labs for this course,
> and compiled a list of texts.  I recommend the book "Steal This Computer
Book
> 2" by Wallace Wang, and all the O'Rielly books you can afford (actually,
you
> should be able to get them for free off the web).  In my research I
realized
> that the information you are asking about is out there.  You may want to
start
> by learning how to keep people out... firewalls, routing ACL's, intrusion
> detection systems, etc.

> RIT also offers a distance learning class called "Computer Crime"... you
can
> take this class anywhere in the world, as long as you have internet access.
> It is a good class because you will learn the laws.  There are very few
> institutions that offer Information Technology as a degree, and I recommend
> RIT not only because I went there, but because they were one of the first
> schools to offer IT.

> If you are new to hacking, try starting by researching a ton of resources.
> Don't just jump into it without understanding the laws and ethics.  People
who
> do this are called "script kiddies," and they get no respect from the
> community.

> Learn programming (especially C) and shell scripting.  Take a look at some
> hacking scripts that are available, and rip them apart.  See how they work,
> and then realize that they are nothing more than manipulating what you
> probably already know.  These codes are usually brute force attackers (such
as
> "CrackWhore", "BackOrifice", etc.).

> Another idea would be to set up a honey pot and allow people to break into
> your stuff.  You will be able to see how they do it.

> As for an internship, it is hard to find one in what you described.  I
guess
> look on Monster.com and places like that.  You may want to try to start by
> getting on a firewall team or network security team for a large company
like
> Sun, EDS, M$, Cisco, IBM, or the like... a company that has a lot of money
and
> can train you.  My advice is don't limit yourself.

> Hope this helps.

> -Brian


Also, on the  subject of university courses professor Larry Leibrock at The
University of Texas at Austin (http://praetor.bus.utexas.edu) teaches a
short course on penetration testing, Outside of university course I was told
that I could look into the courses offered at www.sans.org. That was all the
information I received from my post to the list hopefully the moderator will
let this message be posted so that I don't have to find another way to get
it out to those people who are very interested in the information I
received.

David.


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com