EH-Net
  Show Posts
61  Columns / Editor-In-Chief / Re: [Article]-CASP – The Evolution of Technical Security Certifications? on: December 02, 2011, 10:53:45 AM
I always ask about the OSI model in the interview. It just seems like a good way to find a starting place. I don't even necessarily expect people to dig deep, just tell me 7 layers and name them. Once you start discussing TCP/IP and packet structure in depth that is more what I'm interested in than the theory.

tturner - I agree with you on the applicant fail, but it should be both ways. How did this person get the cert? Exactly how you described, paper mill studying got the rubber stamp and now his resume has every CompTIA cert on it.

3xban - I am still LOL about the 3 days per SOHO, you could take one apart, put it back together, and configure it in 2 hours!
62  EH-Net / News Items and General Discussion About EH-Net / Re: Help Promote EH-Net on: December 02, 2011, 10:37:16 AM
LAB COAT LAB COAT LAB COAT!

This sounds incredible
63  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Experience vs Certifications on: December 02, 2011, 12:03:59 AM

Hang in there. I spent six years working my ass off trying to get into security; it didn't just happen. I started off by taking over the IT responsibilities of a company of five people (it wasn't my primary responsibility), moved to a company of about 30 people, and then went to a managed services provider before I finally got a full-time security position. You need to start wherever you can get your foot in the door and work your way into what you want from there. 

This is the best path to get into a full time security position. Take over, and the job will come ...
64  Columns / Editor-In-Chief / Re: [Article]-CASP – The Evolution of Technical Security Certifications? on: December 01, 2011, 11:45:58 PM
I've been a CompTIA cert holder since 1999 and have never been very impressed with their programs.

I hate to sound negative because it does look like they're exploring expansion of their current space, but I recently interviewed for a position on my team and two of the candidates who were brought in had A+, Sec+, and Network+, yet were extremely unqualified. Perhaps it's just a caveat emptor for certifications altogether, but if someone has those and can't explain the OSI model (as I always ask in interviews) then clearly a goal has been missed. Perhaps prereqs should be higher?
65  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Problematic Pen Testing situation on: December 01, 2011, 10:33:30 PM
This issue was finally resolved for anyone interested or not interested.

We ended up working w/ the client and mapped out a plan w/ similar objectives from our preferred pen test contractor and the client accepted this. The test completed today and surprisingly, no high or urgent vulnerabilities were found. I guess my paranoia probably got to me on this one, but at the end of the day, we found no issues, and this particular problem was what caused me to seek out advice from the crew at ethicalhacker.net and become a registered user. Thanks to everyone for commentary and input, it's a wonderful site.
66  Ethical Hacking Discussions and Related Certifications / Programming / Re: How to learn PERL! on: December 01, 2011, 10:22:44 PM
PowerShell is pretty sweet, the Stop-Process cmdlet is the first thing I've seen from MSFT that actually operates the way kill would in *nix.

I guess I'd suggest just focusing on a few items that need to be scripted, plotting out the logic, then writing them in a different language until you find one you really feel comes naturally to you. Taking that first step into programming/scripting is scary if from a non-dev background but after a few months of doing it you'll look back and be like wtf took me so long :P
67  Ethical Hacking Discussions and Related Certifications / Programming / Re: How to learn PERL! on: December 01, 2011, 02:57:52 PM
Have you thought about Ruby?

I am from a vbscript & perl background, then evolved into powershell & perl. I work mainly in Ruby now, it's pretty easy & powerful, and is generally agnostic about OS.
68  Ethical Hacking Discussions and Related Certifications / Programming / Re: Stanford offers free Cryptography course online on: December 01, 2011, 02:47:29 PM
W/o looking I know @ Stanford there were a couple others like game theory, analysis of algorithms, and other really Computer-sciency topics. Not bad for the price
69  Ethical Hacking Discussions and Related Certifications / Networking / Re: A slightly noob subnet mask question on: December 01, 2011, 02:32:55 PM
You can take a Class A/B network and subnet it down further to smaller networks. For instance 10.0.0.0/24, the octets fall into a Class A network but the CIDR notation makes it look as if it is a Class C.

What he said :D

The only way I can see the comments making sense is if it was served as a warning as opposed to a fact.
70  Ethical Hacking Discussions and Related Certifications / Networking / Re: A slightly noob subnet mask question on: December 01, 2011, 02:08:02 PM
Perhaps they mean don't just think that because something has a /24 that means it's a Class C?

Network classes & first octets (for classful networks)
A    0 - 127
B    128 - 191
C    192 - 223
71  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Which OS are you running currently? on: December 01, 2011, 01:52:59 PM
Work is XP, Wife's home is Win7, the geek lab has Fedora, BT5, Ubuntu 11.04, and of course every flavor of VM you can download from vmplanet.net
72  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Need suggestions buying a laptop for security testing on: December 01, 2011, 01:44:59 PM
Macbook Pro i7 w/ 8GB of RAM :D I am up to 3 VMs running at once as well as host based activity (web browsing and such). Though a Dell Alienware should work out the same.

Similar to what I would suggest, something where you can max the F out on RAM and get BackTrack VM, and 3-4 VMs running at once. I'd say to shop for deals on HP or Dell and find the best deal that has the most RAM.
73  Resources / Tutorials / Re: how to exploit iis 6 on: November 30, 2011, 10:14:32 PM
I think before you just start going through tools, you should map out your plan for the demonstration. As you're using Metasploit ...

Intelligence Gathering
Steps X,Y,Z
Threat model X,Y,Z
Known/Discovered Vulnerabilities X,Y,Z
Exploitation (your Proof of concept) QED

Showing your boss a detailed plan and how you obtained the results would be more beneficial than what has been listed so far. Also, I'd be very careful if this is on a production box. Work in non-prod regions of SDLC if possible.
74  EH-Net / News Items and General Discussion About EH-Net / Re: Help Promote EH-Net on: November 30, 2011, 10:00:47 PM
... stickers for laptops...

D'OH

:P
75  Ethical Hacking Discussions and Related Certifications / Cyber Warfare / Re: WSJ Surveillance Catalog on: November 24, 2011, 06:15:24 PM
Yeah, good stuff right? I don't know if it's just because I'm "into" it or what but it does seem like InfoSec is in the news a lot more, hitting a wider audience can't be a bad thing. The SCADA attacks haven't hurt with recognition either.
© 2013 The Ethical Hacker Network