Author Topic: First Pen Test  (Read 7986 times)
timmedin
Sr. Member
Posts: 469
« on: February 25, 2009, 11:27:43 AM »

I know lots of people are asking how to get into EH. We have spoken a lot about the training and such but how did you get your first break in to Pen Testing?

I'll start...

Prior to my first gig I did the things suggested by everyone else, set up a lab, lots of reading, and took some training.

I had a friend who worked for a company and they provided a nice little web site and community related to their industry. The community around his site was something that is in line with my company's business so I joined. When I set up my account I put some funky characters in my name to see how they would be rendered and found that there was an XSS vulnerability. I promptly changed my name to something normal and I let my developer friend know there was an issue.

They weren't totally sure of the risk but I informed him of XSS and its dangers. I told him that, among other things, XSS would allow me to steal his session cookie and interact with the site as him. I got the written go-ahead from his company to do a POC (Proof of Concept) and hijacked his session. I sent a message to myself from him to show that I had been in. I promptly deleted my cookies and all such information.

They were intrigued with this and we had a phone conversation. They asked that I submit a proposal. I had worked for a consulting business before so I had experience with proposals, but not of this nature. Off to Google I went to research. I spent a lot of time making sure that I got everything down including the rules of engagement and get-out-of-jail-free card. At this point I didn't do insurance or the other legal stuff since it was rather informal (benefits of dealing with a smaller company). However, I do recommend getting legal paperwork in order to protect yourself and to make sure that everything is defined in writing.

After a few conversations and iterations of the proposal they hired me to do a test of the site and internet-facing devices. I did it at a lower rate since this was going to be my first formal pen test outside of my day job. I just wanted to be able to add it to my resume and get some more experience. I slightly underbid on hours and spent extra hours to make sure it was the best I could possibly do. I delivered the report to them with findings in the web app and their internet-facing devices.

I made sure that the report was the best I could do. If you can't communicate the risk and mitigation strategies then the whole test is not going to be helpful to the business. All my internal experience had been with less formal reports. Getting this down was the one part I didn't practice. Seriously, who practices writing reports? I spent a lot of time researching report formats and such. After all that work I submitted the report. I spent three times as many hours on the project as I had bid, but I knew that going in. (BTW, bidding is a tough thing to get down, but I had experience with that. Rule of thumb: take a guess, then double it.)

All in all they were very pleased. I got paid, had lots of fun, and have been able to leverage that into additional gigs.

Google took a while to find the relevant info but it was a great help. It will take lots of digging to find the relevant structure. Ultimately, the GPEN training from SANS was able to help validate my report structure, negotiation and the other non-technical portions. The class also gave me some additional tools to put under my belt. (I highly recommend it)

Sorry, but I can't post the proposal or report.

Hope that helps.
twitter.com/timmedin | http://blog.securitywhole.com
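Two defender-side checks fall out of Tim's finding above: the display name was rendered into HTML without encoding (which is what turned "funky characters" into stored XSS), and the session cookie was reachable from page script (which is what made the session-hijack POC possible). The following is an added example written for this thread, not code from the original post or from the site Tim tested; the function names, the greeting markup, and the constructed sample inputs are assumptions.

```javascript
// Added example (not from the thread, not the tested site's code): two checks
// that follow from a display name rendered unescaped and a script-readable
// session cookie.

// 1. Output encoding. A display name is untrusted data. Dropped into HTML
//    as-is, any markup inside it is interpreted by the browser. Encoding the
//    five HTML-significant characters at render time fixes that without
//    restricting which characters a user may put in their name.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable rendering, kept only to contrast with the safe version below.
function renderGreetingUnsafe(displayName) {
  return `<p>Welcome, ${displayName}!</p>`;
}

// Fixed rendering: the name reaches the page as text, never as markup.
function renderGreetingSafe(displayName) {
  return `<p>Welcome, ${escapeHtml(displayName)}!</p>`;
}

// 2. Session cookie attributes. HttpOnly keeps the cookie out of
//    document.cookie, so an injected script cannot read it; Secure and
//    SameSite limit where the browser will send it. This parses one
//    Set-Cookie header value and reports which of those protections are missing.
function checkSessionCookie(setCookieValue) {
  const parts = setCookieValue.split(";").map((p) => p.trim());
  const [name] = parts[0].split("=");
  const attrs = new Map();
  for (const p of parts.slice(1)) {
    const [k, v = ""] = p.split("=");
    attrs.set(k.toLowerCase(), v);
  }
  const missing = [];
  if (!attrs.has("httponly")) missing.push("HttpOnly");
  if (!attrs.has("secure")) missing.push("Secure");
  const sameSite = (attrs.get("samesite") || "").toLowerCase();
  if (sameSite !== "lax" && sameSite !== "strict") missing.push("SameSite=Lax/Strict");
  return { name, missing, ok: missing.length === 0 };
}

// Constructed sample inputs (assumptions, not values from the thread).
const SAMPLE_NAME = "<i>tim</i>";
const WEAK_COOKIE = "PHPSESSID=abc123; Path=/";
const HARDENED_COOKIE = "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax";

console.log("unsafe:", renderGreetingUnsafe(SAMPLE_NAME));
console.log("safe:  ", renderGreetingSafe(SAMPLE_NAME));
console.log("weak cookie missing:", checkSessionCookie(WEAK_COOKIE).missing.join(", "));
console.log("hardened cookie ok:", checkSessionCookie(HARDENED_COOKIE).ok);
```

The encoding belongs at the point of output, not at account creation: filtering names on input is what tempts people to "fix" the bug by banning characters, which breaks legitimate names and misses other output contexts. The cookie check is the quick thing to run against any login response during a review like the one Tim describes.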
Artful Dodger
Newbie
Posts: 43
« Reply #1 on: February 25, 2009, 04:23:50 PM »

I think this is a good post.  All too often people don't like to explain the details of what they go through.  And sometimes the business side of it is shrouded in secrecy.  In reality, the profession is so new that ANYONE that can get out there and make some type of change, build process, get the word out, for a group (like this site) can change what pen testing will be like in 10 or 20 years.  It's all the little things.  Sharing honest info like this can help refine the profession that needs some serious refining:)
CISSP, C|HFI, Security+, Network+, XYZ...blah.
don
Editor-In-Chief, Administrator
Hero Member
Posts: 4168
« Reply #2 on: February 25, 2009, 04:42:42 PM »

I agree. Fantastic addition to the community to get them to start talking more about the process.

Much appreciated,
Don
CISSP, MCSE, CSTA, Security+ SME
timmedin
Sr. Member
Posts: 469
« Reply #3 on: February 25, 2009, 09:42:33 PM »

Thanks, I'm glad I could contribute.

There is so much on the technical side of the hacking but no one talks about the business and political side. It boils down to you (the pen tester) have to provide value, that is it.

My goal was to convey that it isn't all fun and games just hacking.

On the consulting side only a fraction of the time is spent hacking. Sales, proposals, negotiation, legal paperwork take a lot of time (and money since it isn't billable). And even while hacking there is a lot of documentation that has to take place. Also, depending on the gig, half of the billable time is spent putting those findings into a report. Regurgitating Nessus or a report from Core isn't worth it for the business. They can run those tools themselves.

Everyone seems to dwell on the fun hacking part, but I don't think that the people who want to get into the business understand that there is a lot of non-hacking work involved. If they aren't willing to put in the time on the business side of things then it won't work out for them.
twitter.com/timmedin | http://blog.securitywhole.com
don
Editor-In-Chief, Administrator
Hero Member
Posts: 4168
« Reply #4 on: February 25, 2009, 11:30:25 PM »

I talk about this a lot in DIY Career in Ethical Hacking and how there is an entire industry for pen testing. An industry can't survive on tech gurus alone. We need execs who own businesses, sales people to bring in the job that the tech guys work on, marketing to bring those leads to the sales force... and just like any other industry, there's press. That's where EH-Net comes in.

Imagine the other duties required to make this site what it is. Of course there's a technical component, but what about writing, editing, advertising, getting all those monthly giveaways, keeping up with all those damned 2.0 technologies to keep the site growing, contracts, plagiarism, forum spammers, speakers, venues, more contracts... the tech part of my brain is being overrun by business needs.

But what must be understood is that although I am not HD Moore or Dan Kaminsky, it is OK. I truly feel I have a valuable place in the industry and that I'm contributing greatly to its maturity. That makes it sustainable for the next crop, who are just interested in the tech, to do only what they love before they too end up on the business side of the equation.

The rewards are different, but there are rewards. I work more hours than if I still just had my cushy government job, but I wouldn't have it any other way.

Hope that wasn't too off-topic.

Don
CISSP, MCSE, CSTA, Security+ SME
NickFnord
Full Member
Posts: 117
« Reply #5 on: February 26, 2009, 04:35:10 AM »

I found that useful Don.  I'm not a penetration tester yet but my day job is as an analyst/programmer and there is a component of documentation that needs to happen in addition to doing the fun technical stuff.  Currently I spend much more time designing and coding than I do documenting, but I'd imagine that perhaps for pen-testers the documentation and "other" components would be a higher proportion.  I'm concerned about this because I would (as I guess most people would) prefer to spend time doing the fun technical stuff.   The only place that I can think of where the percentage of research and actually "doing stuff" would be greater than the peripheral stuff would be in a government cyber-security squad or as part of a mercenary cracking group.   Perhaps Blackwater-esque cyber security companies might start springing up around the place if they haven't already.

Anyway, just thoughts.
Andrew Waite
Hero Member
Posts: 928
« Reply #6 on: February 26, 2009, 05:17:22 AM »

Timmedin,

nice post, thanks for taking the time to share.

The aspect of not practising writing reports was interesting, and I can imagine a lot of new entrants get caught with the same problem (I did first time round and I'm still not entirely comfortable with this aspect of the role). Don't know if you came across this in your research (it's been discussed in these forums before) but Offensive Security have released a sample pen test report which may be of use.
timmedin
Sr. Member
Posts: 469
« Reply #7 on: February 26, 2009, 07:38:40 AM »

Don't know if you came across this in your research (it's been discussed in these forums before) but Offensive Security have released a sample pen test report which may be of use.

I didn't know about that sample report, but good link.

For those new people....
I looked at a lot of different sample reports (that I can't seem to find anymore) and I would highly suggest you do the same. In my experience the report style varies from gig to gig. Does the customer just want you to get in deep or do they want a broader attack? What is their goal? How did they sell this project to the business? Is it a vulnerability assessment, a risk assessment, a pen test...? All these words mean different things to different people and the report has to be tailored for the client.
twitter.com/timmedin | http://blog.securitywhole.com
sgt_mjc
Sr. Member
Posts: 294
« Reply #8 on: February 26, 2009, 07:44:23 AM »

We do both Vulnerability Assessments and Pen tests here. There is no end to the documentation that goes into either event. The actual time to collect data on an event is nothing next to the time to actually write the report. With that said, we have developed in-house tools using COTS to help us. As far as reports go, you are right on that there are many different formats. Our largest customer falls under DIACAP while others fall under HIPAA. Great post Tim.
« Last Edit: February 26, 2009, 07:46:12 AM by sgt_mjc »

Mike Conway
CISSP
CompTia Security +
C|EH
timmedin
Sr. Member
Posts: 469
« Reply #9 on: February 26, 2009, 08:10:18 AM »

For those new people following along, here is a thread on reports.
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,3318.0/
twitter.com/timmedin | http://blog.securitywhole.com
Artful Dodger
Newbie
Posts: 43
« Reply #10 on: February 26, 2009, 09:45:35 AM »

Here are two random thoughts I've had about pen testing in general.  I think I spoke about them before…but oh well, you guys get what you pay for:)

One of the biggest things that can happen is to form a comfortable name for the profession with an identifiable purpose.  Meaning, if I talk about Hacking to my 10 year old nephew he thinks "cool, you get to be a clever bad guy!  Neat!"  And he knows exactly what that word means.  If I talk about security analysis or penetration testing his eyes glaze over and he giggles at the word penetration.  So what happens when you try to sell to a CEO and add words like Ethical Hacker?  It is just plain difficult to explain our world.  But if we had some type of easily identifiable person, organization or something that is identifiable in pop culture, it would be so much easier.  The mafia has Eliot Ness and the FBI.  Cops have Robbers.  Yin has Yang.  Hackers have "well, we're kinda like hackers, but don't call us hackers, we are info sec professionals and kinda….blah"

And what does this have to do with this post?  Who knows…I just felt a rant coming along.  But one thing I think would be interesting is to set up a sales section that can define who needs what types of testing (PCI needs….HIPAA needs….), ideas and other things surrounding how to approach these companies.  And maybe even a reference part where companies that are doing research can find people they are looking for.  This site may already have these things, I just don't remember seeing them…sorry if it is here:)
CISSP, C|HFI, Security+, Network+, XYZ...blah.
timmedin
Sr. Member
Posts: 469
« Reply #11 on: February 26, 2009, 08:59:00 PM »

Here are two random thoughts I've had about pen testing in general.  I think I spoke about them before…but oh well, you guys get what you pay for:)

One of the biggest things that can happen is to form a comfortable name for the profession with an identifiable purpose.  Meaning, if I talk about Hacking to my 10 year old nephew he thinks "cool, you get to be a clever bad guy!  Neat!"  And he knows exactly what that word means.  If I talk about security analysis or penetration testing his eyes glaze over and he giggles at the word penetration.  So what happens when you try to sell to a CEO and add words like Ethical Hacker?  It is just plain difficult to explain our world.  But if we had some type of easily identifiable person, organization or something that is identifiable in pop culture, it would be so much easier.  The mafia has Eliot Ness and the FBI.  Cops have Robbers.  Yin has Yang.  Hackers have "well, we're kinda like hackers, but don't call us hackers, we are info sec professionals and kinda….blah"

An interesting point. I kicked off another thread on the subject.
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,3666.0/

And what does this have to do with this post?  Who knows…I just felt a rant coming along.  But one thing I think would be interesting is to set up a sales section that can define who needs what types of testing (PCI needs….HIPAA needs….), ideas and other things surrounding how to approach these companies.  And maybe even a reference part where companies that are doing research can find people they are looking for.  This site may already have these things, I just don't remember seeing them…sorry if it is here:)

A job board may not be a bad idea.
twitter.com/timmedin | http://blog.securitywhole.com
Andrew Waite
Hero Member
Posts: 928
« Reply #12 on: February 27, 2009, 06:49:02 AM »

... It is just plain difficult to explain our world...

I think you've hit the biggest problem on the head right there.

I struggle to explain most of this to other IT people, when it comes to non-technical folk I've often gone back to 'play with computers' when someone asks what I do, it just makes life simpler...
timmedin
Sr. Member
Posts: 469
« Reply #13 on: February 27, 2009, 07:41:32 AM »

... It is just plain difficult to explain our world...

I think you've hit the biggest problem on the head right there.

I struggle to explain most of this to other IT people, when it comes to non-technical folk I've often gone back to 'play with computers' when someone asks what I do, it just makes life simpler...

This problem isn't specific to our industry. My degree was in electrical engineering and people would ask if I wired houses (No). I would have to explain it and they would still look confused. (My wife didn't understand what I did for the first 3 years we were married.) There was no concept of what an electrical engineer might do; at least with computers people know what they are.

Depending on the person I am talking with I either use Computer Security, Hacker, or Anti-Hacker since that is what they understand and the average person has some comprehension of what those titles mean. (BTW, I don't care about the hacker/cracker debate.)
twitter.com/timmedin | http://blog.securitywhole.com
sgt_mjc
Sr. Member
Posts: 294
« Reply #14 on: February 27, 2009, 10:09:09 AM »

I describe it as being paid to break into someone's network and computer systems. That usually clears things up a little.
Mike Conway
CISSP
CompTia Security +
C|EH
© 2013 The Ethical Hacker Network