Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Need Some Guidance Please

From: Matt Gardenghi <mtgarden () gmail com>
Date: Mon, 20 Apr 2009 09:51:21 -0400
Elizabeth,
To specifically answer your question: Individuals do work for hire as Pen Testers. I know because I do; I also contract with another company and work as a contract employee. So, while the guy you read about might be blowing smoke, he might also be telling the truth.
Also, I would recommend that you look into SANS' GPEN (being offered right now @home with some fantastic bonuses like a free Dell Mini iirc). Then, if you can work with a company even as a side job performing pen tests, you can gain some experience and determine how much you like the field. 

As to all of the other stuff being said on the list:
- The tools used in a pen test are just that: tools. A hammer can be used to build or destroy. It's all in the skill and intentions of the carpenter. - The tools only give you the first stage; without verification plenty of false positives and false negatives will end up in the report. A good pen test will verify each finding (or most) and provide you a sanitized list of the results so you know what you are dealing with. That *is* why you are paying them so much money after all: a good report with actionable elements. 

anyway, that's my 2 cents.

Matt Gardenghi

Elizabeth Tolson wrote:

Hi Everyone:

I am finishing up my Master's Degree in Information Assurance from
Capitol College.  I had one Penetration Testing Classes which I really
enjoyed.

I have done some research on Pen Testing and this seems to be
something that I might be interested in doing.

During my research, I saw someone who was a Licensed Pen
Tester/Consultant.  Basically, he was hired by companies -- anywhere
from banks, law firms, accountants, merchants, etc --- to conduct pen
testing.  He would "ethically hack" without the employees knowing it.
He would also do some pen testing via social engineering.  He would
conduct Pen Testing during different hours of the day and night to
discover vulnerabilities, etc.  After the testing, he would submit a
report to the president/owner of the company with suggestions on
making his network a stronger, more secure network.

Does anyone do this as a consultant?  Or, is this guy blowing smoke
and this is not a "real job".  I have seen some companies that do
this, but have not seen any individuals who do this.

Also, if I am interested in pursing Pen Testing, what certs would you
recommend.  What additional training would you recommend.  What books
would you recommend?

Thanks a lot.

Elizabeth

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class. Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified Penetration Tester exams, taught by an expert with years of real pen testing experience. 

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Tired of using other people's tools? Why not learn how to write your own exploits? InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well. 
http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: