Separating the Men from the Boys

Viewing 10 reply threads
  • Author
    Posts
    • #3378
      timmedin
      Participant

      What is the mojo that separates the good from the great in Pen Testing/Ethical Hacking? How do you know the difference between the two?

    • #22245
      Dark_Knight
      Participant

      OSCP vs CEH for starters  ;D ;D

    • #22246
      KrisTeason
      Participant

      Good question, correct me if I’m wrong but I think one thing that separates the good from the great in Pen Testing / Ethical Hacking is that Pen Tester who’s willing to go that extra mile. What I mean by this is that Pen Tester that’s involved in a Pen Test and actually goes to that extra step and possibly develops an exploit that a possible attacker could develop and launch it to penetrate a machine. An ethical hacker who holds a CEH certification on the other hand might just run through and perform your usual Pen Test. Not saying C|EH’s don’t know how to develop their own exploits, I’m just randomly saying based on another user who would have knowledge of a person who holds the CEPT Certification, etc. It’s that person’s experience in the field that I think makes the difference. I don’t exactly think there’s too big of a large difference between the two (Ethical Hacking / Pen Testing), I’d say it all depends on how qualified the guy / girl is your hiring and how into it they are.

    • #22247
      jason
      Participant

      I’d say that its less about the particular cert that you hold and more about the skill thats behind it.

    • #22248
      timmedin
      Participant

      @jason wrote:

      I’d say that its less about the particular cert that you hold and more about the skill thats behind it.

      But that is what I mean, what do you think those mad skillz are that are the differentiator?

    • #22249
      Jhaddix
      Participant

      @timmedin wrote:

      But that is what I mean, what do you think those mad skillz are that are the differentiators?

      Right now, i’d say webapp hacking, exploit writing, and policy review are the major ones. if you look at the big break ins this year they are all related to these. New certs  are coming out for these every six months, and existing courses expanded.

    • #22250
      Xen
      Participant

      @timmedin wrote:

      But that is what I mean, what do you think those mad skillz are that are the differentiator?

      For me. the difference lies in using and creating.
      By using I mean someone who  uses pre-made exploits and steps to hack an application. His knowledge is confined to this area only and becomes helpless if the system is fully patched.
      On the other hand a creator makes his own exploits, finds his own vulnerabilities and sometimes makes his own tools.
      The difference between a hacker and a good hacker is great but there is a thin line between a good hacker and an excellent hacker.

    • #22251
      timmedin
      Participant

      @Jhaddix wrote:

      Right now, i’d say webapp hacking, exploit writing, and policy review are the major ones.

      Policy review, that is one I wouldn’t have expected to see. Exploit writing is pretty tough. I tried it a bit, but it isn’t my area of expertise.

      I was thinking that a big differentiator would be adding to the community. If you develop an exploit, process, or new tool giving it to the community.

    • #22252
      jadyason
      Participant

      For me. the difference lies in using and creating.
      By using I mean someone who  uses pre-made exploits and steps to hack an application. His knowledge is confined to this area only and becomes helpless if the system is fully patched.
      On the other hand a creator makes his own exploits, finds his own vulnerabilities and sometimes makes his own tools.
      The difference between a hacker and a good hacker is great but there is a thin line between a good hacker and an excellent hacker.
      [/quote]

      I agree with Xen on this. It doesn’t take anyone special to use all the tools and known exploits already documented. It does take someone with a talent not only to create them, but to document them also. To me it’s about someone who can think outside the square and walk the talk. No good only been able to tick boxes on a checklist and get it signed off. Certs are irrelevant to great skill – They can document that someone has good skill but not not necessarily that they have great skill.

    • #22253
      Anonymous
      Participant

      not to discount exploit writing as a good skill to have but I dont think the inability to write an 0day forbids someone from being a “good” pentester.  I know plenty of good pentesters that dont write exploits.

      here are few things that I think make good pentesters

      1. the knowledge/ability to use the right tool for the right situation, nessus/core/metasploit is not always the best tool for a job

      2. having a network of people to call on for assistance when you get stuck

      3. the mental ability to think through problems, networks, defenses to try to find the one thing the admin missed

    • #22254
      RoleReversal
      Participant

      Whilst not entirely in the spirit of all things geeky, a major difference between technically good, and great pen-testers is the ability to relate the technical findings to business speak.

      You could develop the worlds greatest exploit, but unless you can portray the information in terms of hard cash, risk and ROI then the situation isn’t going to get the funding or political backing within the organisation that is required to improve and protect the business.

Viewing 10 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?