.

High barrier for entry to career X

<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Wed Dec 22, 2010 11:07 am

High barrier for entry to career X

There seems to be a trend at EH.net where an experienced member will indicate what a world class pentester, malware analyst, etc needs to do their job. For the newbies here, of which I sometimes qualify, it can be very easy to get discouraged at the mountain of knowledge necessary that seems insurmountable. Sure, those lists are ideal but there are hundreds if not thousands of people working in these fields with a small subset of this entire knowledge and many of them are providing excellent value for their customers. And yes, some of them are charlatans. I was talking to an IBM ISS pentester the other day who told me many of the people on his team don't write exploits. they have people who can of course, but not everyone on the team has those skills and quite often the engagement does not allow time for it anyway. The point here is that in many cases it's a team environment. Not every person has to be able to be a ninja in every area. I think it's helpful to define a bare minimum baseline and I have seen some posts that do that and appreciate that but sometimes I think even that baseline gets set a little high.

The purpose of this post is not to discourage these "end game" threads or criticize those who have compiled these lists because that information is extremely valuable, but more to provide some encouragement to our less experienced folks. You have to start somewhere. Don't be scared. Take the leap!
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Dec 22, 2010 12:11 pm

Re: High barrier for entry to career X

tturner makes some excellent points. You don't have to know the industry full circle (writing exploits, AND exploiting machines, AND analyzing the post forensics, AND etc, etc,) but it will help you understand as much as you can, which 1) makes you more valuable to a company 2) helps make your own job easier

On my RWSP review, I believe I pointed out the need for "teamwork" in order to pass that exam. There can BE NO all inclusive expert however, there can be those who are versatile. This is one of the reasons I'm a stickler for understanding things from the ground up (http://www.ethicalhacker.net/component/ ... /#msg34503). The more you know, the better prepared you will be.

It all boils down to "determine what it is you want to do." If you want to focus on exploit writing, so be it, as I explained in the Assembly post (http://www.ethicalhacker.net/component/ ... /#msg34507) there is A LOT of overlap in many fields. Certainly understanding as much as you can from the core level will help you. NO ONE and I mean NO ONE I have come across is an expert in all levels of security. While I may know some bad ass exploit writers, fact is, they'll often suck initially at response/forensics because they haven't been exposed. However, they do have the capacity to figure things out if they understand other aspects of the OSI (networking, process intercommunications, etc)

So tturner makes some excellent points to those in this arena. I'm always (rinse and repeat... ALWAYS) trying to learn something, anything while ALWAYS retaining knowledge of the underlying scope...

SOAP, XML, JAVA, ASP, C# do you think I know these areas enough to make a career in the field, heck no. But I do know enough to state they all have the same fundamentals: they're networked and they either receive or send data somehow. Now I need to figure out how and why. Forget trying to program in the language, I just need a bare understanding of the interprocessing of the application from the host and network layers. The rest is what Google is for.

To add more to tturners excellent post, I will say this... DO NOT BE INTIMIDATED BY ANYONE or ever feel "I will never get to that level." 1) There is no level, there is only what you're willing to learn - with that said, you are either your best friend or your own anchor. 2) Read, read, read, break break break and FIX FIX FIX. In doing so, you're exposing yourself to many processes in the mix. Even purposefully misconfiguring machines is a learning experience! 3) Have fun. When you view the field as a fun, challenging game, it becomes more interesting. I play Chess against myself... I do my best not to deceive myself but play as I were competing against myself. It's a PITA but the experience allows me to go back and remember what I was thinking at the time, what I intended on doing, how I would have done things differently.

So when I POST something like: "This is what I would do..." it's a suggestion based on experience I may have in the industry. What worked for me. I in no shape form or fashion try to discourage anyone in fact, I would hope that I do the opposite (encourage) those to look at things differently from the ground up.
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Dec 22, 2010 1:04 pm

Re: High barrier for entry to career X

I totally agree with tturner too!

Baby steps are the key of every big successes. I rate myself about 4/10 on where I want to be, but last year, I was at 2/10, so I am happy!

That being said, I and many others on this forum try to ask newcomers to be a little bit more precise. Like in the Assembly post mentioned by sil above, we asked the guy what he really wanted to do. Then we try to adapt our language and help him as much as we can.

But that being said, we are all grown adults here. If someone's goal is to reverse-engineer malware, learning these skills will not happen overnight. Same as forensic investigator, like it has been posted on this site about a month ago, when you bring someone to court, you better know what you are doing. Samething with a pen test, before you can feel confident that the server/network/application cannot be hacked, you need a lot of experience.

Maybe it is because I have been in tne infantry, but I am more for telling the plain truth BUT doing so by being encouraging and by helping and guiding people. I myself really want to know what I am against to before starting...

Also, to me, it depends on the topic the thread is about. Questions like "I am new to the field and want to get advice on getting prepared for CEH" is not the same as "I have written about 20 exploits so far and I need advice on creating a new Metasploit payload". The answers will be totally different on this forum.

So my view on this is like you tturner, jump in and discover this fascinating world, on step at the time. But at the same time, I feel that this forum is probably the "easiest" at newcomers on the entire web. Anyway, when I started posting here a year ago, I didn't felt discouraged at all. In fact, I was (and still) saying "thanks a lot for this awesome response" all the time!

But being a consultant, the barrier to me is VERY high!

So let's keep this site like it is, ok?  ;)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Dark_Knight

User avatar

Sr. Member
Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Wed Dec 22, 2010 1:53 pm

Re: High barrier for entry to career X

NO ONE and I mean NO ONE I have come across is an expert in all levels of security.

I don't think we have met kind sir  ;D

DO NOT BE INTIMIDATED BY ANYONE or ever feel "I will never get to that level."

Now he tells me. Too late :)


Great posts though guys. All very well said.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com

Return to Career Central

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software