Penetration Testing mailing list archives
Re: Need Some Guidance Please
From: Matt Gardenghi <mtgarden () gmail com>
Date: Mon, 20 Apr 2009 09:51:21 -0400
Elizabeth,
To specifically answer your question: Individuals do work for hire as Pen Testers. I know because I do; I also contract with another company and work as a contract employee. So, while the guy you read about might be blowing smoke, he might also be telling the truth.
Also, I would recommend that you look into SANS' GPEN (being offered right now @home with some fantastic bonuses like a free Dell Mini iirc). Then, if you can work with a company even as a side job performing pen tests, you can gain some experience and determine how much you like the field.
As to all of the other stuff being said on the list:
- The tools used in a pen test are just that: tools. A hammer can be used to build or destroy. It's all in the skill and intentions of the carpenter.
- The tools only give you the first stage; without verification plenty of false positives and false negatives will end up in the report. A good pen test will verify each finding (or most) and provide you a sanitized list of the results so you know what you are dealing with. That *is* why you are paying them so much money after all: a good report with actionable elements.
Anyway, that's my 2 cents.
Matt Gardenghi
Elizabeth Tolson wrote:
Hi Everyone:
I am finishing up my Master's Degree in Information Assurance from Capitol College. I had one Penetration Testing class which I really enjoyed. I have done some research on Pen Testing and this seems to be something that I might be interested in doing.
During my research, I saw someone who was a Licensed Pen Tester/Consultant. Basically, he was hired by companies -- anywhere from banks, law firms, accountants, merchants, etc. -- to conduct pen testing. He would "ethically hack" without the employees knowing it. He would also do some pen testing via social engineering. He would conduct Pen Testing during different hours of the day and night to discover vulnerabilities, etc. After the testing, he would submit a report to the president/owner of the company with suggestions on making his network a stronger, more secure network.
Does anyone do this as a consultant? Or, is this guy blowing smoke and this is not a "real job"? I have seen some companies that do this, but have not seen any individuals who do this.
Also, if I am interested in pursuing Pen Testing, what certs would you recommend? What additional training would you recommend? What books would you recommend?
Thanks a lot.
Elizabeth