.

Separating the Men from the Boys

<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Fri Feb 13, 2009 7:53 pm

Separating the Men from the Boys

What is the mojo that separates the good from the great in Pen Testing/Ethical Hacking? How do you know the difference between the two?
twitter.com/timmedin | http://blog.securitywhole.com
<<

Dark_Knight

User avatar

Sr. Member
Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Fri Feb 13, 2009 7:57 pm

Re: Separating the Men from the Boys

OSCP vs CEH for starters  ;D ;D
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 531

Joined: Sat Sep 08, 2007 7:48 pm

Post Fri Feb 13, 2009 8:02 pm

Re: Separating the Men from the Boys

Good question, correct me if I'm wrong but I think one thing that separates the good from the great in Pen Testing / Ethical Hacking is that Pen Tester who's willing to go that extra mile. What I mean by this is that Pen Tester that's involved in a Pen Test and actually goes to that extra step and possibly develops an exploit that a possible attacker could develop and launch it to penetrate a machine. An ethical hacker who holds a CEH certification on the other hand might just run through and perform your usual Pen Test. Not saying C|EH's don't know how to develop their own exploits, I'm just randomly saying based on another user who would have knowledge of a person who holds the CEPT Certification, etc. It's that person's experience in the field that I think makes the difference. I don't exactly think there's too big of a large difference between the two (Ethical Hacking / Pen Testing), I'd say it all depends on how qualified the guy / girl is your hiring and how into it they are.
<<

jason

User avatar

Hero Member
Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Fri Feb 13, 2009 8:56 pm

Re: Separating the Men from the Boys

I'd say that its less about the particular cert that you hold and more about the skill thats behind it.
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sat Feb 14, 2009 1:44 pm

Re: Separating the Men from the Boys

jason wrote:I'd say that its less about the particular cert that you hold and more about the skill thats behind it.


But that is what I mean, what do you think those mad skillz are that are the differentiator?
twitter.com/timmedin | http://blog.securitywhole.com
<<

Jhaddix

User avatar

Sr. Member
Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Sun Feb 15, 2009 4:45 am

Re: Separating the Men from the Boys

timmedin wrote:But that is what I mean, what do you think those mad skillz are that are the differentiators?


Right now, i'd say webapp hacking, exploit writing, and policy review are the major ones. if you look at the big break ins this year they are all related to these. New certs  are coming out for these every six months, and existing courses expanded.
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Sun Feb 15, 2009 5:07 am

Re: Separating the Men from the Boys

timmedin wrote:But that is what I mean, what do you think those mad skillz are that are the differentiator?

For me. the difference lies in using and creating.
By using I mean someone who  uses pre-made exploits and steps to hack an application. His knowledge is confined to this area only and becomes helpless if the system is fully patched.
On the other hand a creator makes his own exploits, finds his own vulnerabilities and sometimes makes his own tools.
The difference between a hacker and a good hacker is great but there is a thin line between a good hacker and an excellent hacker.
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sun Feb 15, 2009 12:11 pm

Re: Separating the Men from the Boys

Jhaddix wrote:Right now, i'd say webapp hacking, exploit writing, and policy review are the major ones.


Policy review, that is one I wouldn't have expected to see. Exploit writing is pretty tough. I tried it a bit, but it isn't my area of expertise.

I was thinking that a big differentiator would be adding to the community. If you develop an exploit, process, or new tool giving it to the community.
twitter.com/timmedin | http://blog.securitywhole.com
<<

jadyason

Newbie
Newbie

Posts: 7

Joined: Tue Feb 10, 2009 9:50 pm

Post Sun Feb 15, 2009 10:26 pm

Re: Separating the Men from the Boys

For me. the difference lies in using and creating.
By using I mean someone who  uses pre-made exploits and steps to hack an application. His knowledge is confined to this area only and becomes helpless if the system is fully patched.
On the other hand a creator makes his own exploits, finds his own vulnerabilities and sometimes makes his own tools.
The difference between a hacker and a good hacker is great but there is a thin line between a good hacker and an excellent hacker.
[/quote]

I agree with Xen on this. It doesn't take anyone special to use all the tools and known exploits already documented. It does take someone with a talent not only to create them, but to document them also. To me it's about someone who can think outside the square and walk the talk. No good only been able to tick boxes on a checklist and get it signed off. Certs are irrelevant to great skill - They can document that someone has good skill but not not necessarily that they have great skill.
<<

LSOChris

Post Mon Feb 16, 2009 8:38 pm

Re: Separating the Men from the Boys

not to discount exploit writing as a good skill to have but I dont think the inability to write an 0day forbids someone from being a "good" pentester.  I know plenty of good pentesters that dont write exploits.

here are few things that I think make good pentesters

1. the knowledge/ability to use the right tool for the right situation, nessus/core/metasploit is not always the best tool for a job

2. having a network of people to call on for assistance when you get stuck

3. the mental ability to think through problems, networks, defenses to try to find the one thing the admin missed
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 929

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Feb 17, 2009 12:27 pm

Re: Separating the Men from the Boys

Whilst not entirely in the spirit of all things geeky, a major difference between technically good, and great pen-testers is the ability to relate the technical findings to business speak.

You could develop the worlds greatest exploit, but unless you can portray the information in terms of hard cash, risk and ROI then the situation isn't going to get the funding or political backing within the organisation that is required to improve and protect the business.

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software