Why employ a graduate?

<<

skitch

Newbie

Posts: 5

Joined: Thu Oct 23, 2008 10:17 pm

Location: Southsea

Post Thu Feb 17, 2011 7:45 pm

Why employ a graduate?

Graduation is near and I am looking to get the ball rolling in the private sector. However as of late I am starting to become worried about why a pen testing company would want to take me on as a junior.

While I have short term work experience in IT security and my core skillset is healthy in regard to this field (OSCP, CEH + required fundamentals), I struggle to see why I am of value in relation to the available pool of CVs (cost aside). This alone may make one seem unemployable but I am trying to be realistic..

For example, on one of my test labs I was struggling with Linux local privilege escalation.. Now I know the box is weak in terms of user credentials so I wanted to take another route.. I dug up a PoC for a kernel based pe exploit however I struggled to truly understand its inner workings, even with my intermediate programming skills and ability to write various exploits..

I guess what I'm trying to say is that the gap between my knowledge and those with years of experience in the field seems so vast.. I understand that graduates are thought to possess accelerated learning capabilities and remain cheap but if the knowledge gaps are so wide, what is their applicable value? While I'm sure there are employed pen testers out there with a lesser knowledge base than my own, I just don't feel as attractive as I'd like to the employer.

So to reform as a question, can those with experience see a flaw in my thinking in regard to entry level positions? Why if at all are young graduates who meet set requirements attractive to pen testing employers?

I'm aware this wall of text is frightful so any responses would be truly appreciated.

Kind regards,
Ben
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Feb 17, 2011 8:34 pm

Re: Why employ a graduate?

Obviously you can't go out and buy experience. With that said, you're better off than most graduates if you've already nailed a couple certs in addition to your degree. Not to mention a very technical, hands on cert as in OSCP. That can kind of replace your lack of experience at this stage of the game. That cert means you don't just know how to memorize information and take a test. It took creativity and skill to accomplish. That has value in and of itself.

Stay positive and understand that this is a long road, experience builds over time and the next thing you know, you'll have 10 years under your belt. Good employers will recognize talent (assuming you interview well) so hang in there and keep making the right moves, it will pay off.

Also keep in mind you may not be able to walk right out of school into a pentesting gig. You may need other experience first and then move into that role. However, like I said before, if you interview well and can communicate your value and skills, you could bypass someone who has more experience.
<<

hell_razor

Jr. Member

Posts: 90

Joined: Wed Jul 14, 2010 10:44 am

Post Fri Feb 18, 2011 11:20 am

Re: Why employ a graduate?

I would emphasize your ability to function within organizational constraints, ability to work well with others and in a team environment, and the patience you have learned.  Look for things you have experienced in a non-technical way and point those out to potential employers.  If nothing else, you can prove that you learned how to play by a set of rules and have the follow through needed to complete your degree.
A+, Network+, Server+, CISSP, GSEC, GCIH, GPEN, GCIA, GISP, GCFW
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Feb 18, 2011 1:52 pm

Re: Why employ a graduate?

Hey skitch,

Don't give up! You are going through what most people go through after they graduate, regardless of the field they are in.

I had several students and graduate people working with me in the past and you know what, they are really useful. First they are cheap :D and second, they don't mind doing the more "boring" job. But when I say "boring", I really mean tasks that become repetitive after a while that guys with more than 5 years experience can do in their sleep. These tasks are generally a challenge for "beginners" so the balance is found right there.

So don't try to be a consultant first but try to get your feet in a network or server admin team. You will be able to build your experience while making $$$ and getting closer to your goal. In addition, you will learn a lot of useful stuff!

So don't worry, you are not the only one going through this.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Feb 18, 2011 2:31 pm

Re: Why employ a graduate?

skitch wrote: For example, on one of my test labs I was struggling with Linux local privilege escalation.. Now I know the box is weak in terms of user credentials so I wanted to take another route.. I dug up a PoC for a kernel based pe exploit however I struggled to truly understand its inner workings, even with my intermediate programming skills and ability to write various exploits..

I guess what I'm trying to say is that the gap between my knowledge and those with years of experience in the field seems so vast.. I understand that graduates are thought to possess accelerated learning capabilities and remain cheap but if the knowledge gaps are so wide, what is their applicable value? While I'm sure there are employed pen testers out there with a lesser knowledge base than my own, I just don't feel as attractive as I'd like to the employer.


Experience will always trump a cert and education so here are my two cents on this matter. You state: "I understand that graduates are thought to possess accelerated learning capabilities" and I beg to differ completely. Because technology is ever rapidly changing, there can NEVER be an educational institution capable of teaching you "real world" security. It just can't work that way. By the time you graduate, most of what you have learned will be obsolete or just baseline to reality.

Trial and error come a long way in this industry and it takes a lot of practice, creative thinking and a certain level of "obscure thinking (outside the box)" to become really good at penetration testing.

So while cd1zz states: "With that said, you're better off than most graduates if you've already nailed a couple certs in addition to your degree. Not to mention a very technical, hands on cert as in OSCP. That can kind of replace your lack of experience at this stage of the game. That cert means you don't just know how to memorize information and take a test. It took creativity and skill to accomplish. That has value in and of itself."

While there is some merit to his comment, the fact is, many organizations don't know of the OSCP enough to compare them with say the GPEN, CPT, CEPT. You also have to understand that in taking the OSCP, there is nothing on the exam, that wasn't mentioned or expounded upon in the video training. At the end of the day, if someone paid enough attention and had ZERO experience, they'd be able to pass the exam following simple instruction. They passed an exam, but it was not a real world penetration test.

When pentesting is performed, there is a lot more involved than firing off tools, enumerating machines, digging out SQL/webapp vulnerabilities. Most pentesters I've come across look at me like deer in headlights when I ask them about topics such as SOW, insurance, etc. and the reality is that, for a business, this makes more sense to them. Not the fact that you exploited a local machine. From their POV, that local machine wasn't visible to the world. The risk is minimized.

So there is a lot more to understand in the arena than just a cert or education. Understanding the business aspects of security helps a lot more.
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Fri Feb 18, 2011 3:28 pm

Re: Why employ a graduate?

While there is some merit to his comment, the fact is, many organizations don't know of the OSCP enough to compare them with say the GPEN, CPT, CEPT. You also have to understand that in taking the OSCP, there is nothing on the exam, that wasn't mentioned or expounded upon in the video training. At the end of the day, if someone paid enough attention and had ZERO experience, they'd be able to pass the exam following simple instruction. They passed an exam, but it was not a real world penetration test.


I beg to differ. If he were trying to become a pentester, the company would certainly be aware of OSCP. I don't think that anyone is going to argue that the offsec labs are real world examples, but it's as close as any other cert can get for learning fundamental skills. Also, those labs don't require you to just "fire off tools" either. Did you take v3 of the course? I also wouldn't diminish the fact that this kid in college obtains that cert while he is going through school. That is an accomplishment and something to be proud of.

I also think that college gives you a framework on how to think. It's not really the content, rather the thinking methods that college teaches you. I use about 1% of what I learned in college but I certainly use that way of thinking on a regular basis.
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Feb 18, 2011 4:34 pm

Re: Why employ a graduate?

cd1zz wrote: I beg to differ. If he were trying to become a pentester, the company would certainly be aware of OSCP. I don't think that anyone is going to argue that the offsec labs are real world examples, but it's as close as any other cert can get for learning fundamental skills. Also, those labs don't require you to just "fire off tools" either. Did you take v3 of the course? I also wouldn't diminish the fact that this kid in college obtains that cert while he is going through school. That is an accomplishment and something to be proud of.

I also think that college gives you a framework on how to think. It's not really the content, rather the thinking methods that college teaches you. I use about 1% of what I learned in college but I certainly use that way of thinking on a regular basis.


You assume too much. The OSCP is just making headway over the past 2 years into the "must have" certs when it comes to pentesting. Now the harsh reality of it is, for "pentesting companies" (not just being a security analyst/admin/engineer/insert_title_here) most won't even care about whether or not you have certs, it helps, but name recognition helps a lot more believe it or not. Most of these companies want to see proven expertise and that does not come via class whether in college or from a certifying body. As for certs, I have enough to know but w/e not relevant here. You miss the point I was trying to make here. 1) OSCP really means less to a company looking to hire when it comes to experience. 2) You state OSCP are "real world examples... close ... learning fundamental" and I could offer the following: "they're staged examples based on what you learned how to break during the OSCP training."

Which makes me do a double take here... RWSP was as real world as you could get because you had to actively attack while actively being blocked. On REAL world machines with REAL world policies and REAL world security counterparts/peers. You know... Windows 2008 servers being defended by your peers while you're actively attacking it. Should I post "no the RWSP is the must have cert... It's real world attack and defend!" I think it's a great cert and certainly validates more than the OSCP does. Anyhow, a cert and or education will NEVER trump experience when it comes to penetration testing.

Of all the scariest/most lethal/most experienced pentesters I know, none have an OSCP and NONE would have a problem getting a foot in the door anywhere

http://au.linkedin.com/in/christianheinrich
http://www.linkedin.com/pub/chris-gates/4/32b/613
http://www.linkedin.com/pub/oliver-grus ... /0/4a0/461
http://www.linkedin.com/in/kevinhorvath
http://www.linkedin.com/in/erikpacebirkholz
http://www.linkedin.com/in/dinodaizovi

Don't mistake what I'm stating here, the OSCP was fun for me, but it definitely is not the "must have cert to show you have a clue" especially when someone's passed the exam and is having problems with local execution. See how things play out here?
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Fri Feb 18, 2011 4:53 pm

Re: Why employ a graduate?

Dude, no one is saying the OSCP is the end all be all. It can't hurt the guy for doing it. Certifications can get your foot in the door sometimes but you can quickly become exposed if you don't really know what you're doing.

You're taking the gloom and doom approach to this post. I'm trying to keep the kid positive but keeping things in perspective. Sounds like you're telling the guy to just go to work, don't get any certs because they all suck and nothing is replaced by experience. I think he certainly understands that experience is necessary, but why diminish what he's accomplished?

For a lot of people who want to get into this stuff, something like the OSCP can show you things that are possible and help you see things outside of what you saw before. "Broaden your horizons" if you will.

Of course seasoned pentesters won't have OSCP, why would they? It's too new. They don't need to have it, they already have the job and the valuable experience. They have no need to get their foot in the door as he would since he's just starting out.

I think you forgot that this is someone that is just starting out. It's not like he can put on his resume that he hacks his home lab and practices all the time and anyone will give a crap. But, he can put letters on his resume that might get a hiring manager to take a look at his resume.

I think it's foolish to say that for someone just starting out that a certificate won't help them, even if it's just from a knowledge perspective and not a professional perspective.
Last edited by cd1zz on Fri Feb 18, 2011 4:55 pm, edited 1 time in total.
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Sat Feb 19, 2011 8:51 am

Re: Why employ a graduate?

@cd1zz and @sil: What about my post?!? It looks like I haven't said a thing on the topic... :D

You are obviously both right. But like cd1zz said, we are here to motivate someone who is starting. While he needs to know the truth that cert isn't everything, it is a good start nevertheless.

I see myself a bit like skitch. I started getting involved in IT security only 20 months ago. So I am still very new to the field and I am pretty humble. To me, certs are the way to go to structure my learning. With an exam, I would go out in my lab and play with many tools, trying to understand what they are used for.

Different certs help me open my eyes on things I would normally totally miss. CISSP isn't OSCP. They almost don't overlap at all! And CEH is also totally different than OSCE. So without certs, I would have gone the CEH-OSCP-OSCE route and missed a great deal of subjects.

But being a consultant, I found that having one or two certs + doing what I call "Lunch and Hack" sessions (free training session during lunch time to my fellow co-workers) are extremely good for me.

But, I am still primarily a web application developer, trying to get into the security field, doing little contracts here and there. But I know that, within two years time, I will be working full time in the security field. Again, I am patient and humble.

BUT, studying about 2 hours a day, 5 days a week for the last 20 months will lead me somewhere. I have planted seeds and it is growing. OSCP is one seed for sure, but not the entire field...

So all that to say that you are both right. Oh and Sil, once I feel like I know enough, you can be sure I will go after RWSP. You got me interested!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sun Feb 20, 2011 7:44 pm

Re: Why employ a graduate?

cd1zz wrote: You're taking the gloom and doom approach to this post. I'm trying to keep the kid positive but keeping things in perspective. Sounds like you're telling the guy to just go to work, don't get any certs because they all suck and nothing is replaced by experience.

I think it's foolish to say that for someone just starting out that a certificate won't help them, even if it's just from a knowledge perspective and not a professional perspective.


Sorry, had to edit to keep a focus. You're 100% wrong when you state I'm taking a gloom and doom approach. On the contrary, I offered an olive branch that you didn't even see in linking those I respect in the industry.

Ask yourself what makes some of these guys stand out, how did they get there and what did they do that's different. I'll focus on Chris Gates for a few reasons 1) he is a well known and respected security "fellow" 2) he's also a member here 3) he's become an SME for things metasploit. So if I had to guess what Chris did to build up his experience here's how I think it went. (and the specific reason I chose Chris is in hopes that if he reads this he can chime in and or correct me).

1) Find a specific arena in security, stick to it and learn it in and out
2) Blog, blog, blog... Trial and error trial and error

Skitch: You stated you were struggling with a kernel based exploit... Did you document anything, did you speak to anyone about it. Blogging would have given someone of lesser experience than you the ability to learn via trial and error. It could have also given you the opportunity to have someone with MORE experience than you assist you in understanding what you were missing

So what does this have to do with ChrisG thus far, Chris is by far one of the most followed bloggers for security with a huge focus of those following him learning metasploit. I'm sure Chris learned through trial and error and he has taken the time to share with the community his findings for years now. I'm sure he wasn't born with metasploit in a hidden laptop somewhere. It's something he built... EXPERIENCE... There is more to experience than working a nine-to-five.

Volunteer... Got OWASP? Pick a subject that interests you and focus on it... Then see if there is anything you can contribute add benefit to it. For this OWASP is a great route to go. OWASP, even SourceForge or Google Code projects can help.

Do you think that, say, releasing exploits and gathering CVEs under your belt doesn't count as experience? I know security people who wouldn't make it past certification filters but their CVEs would get them top dollar. There is a lot more to my post than what you took it as cd1zz.

Anyhow, off to being sick again, right after I schedule a proctor for the GREM
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Feb 21, 2011 8:15 am

Re: Why employ a graduate?

@sil - <nod> in agreement.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Feb 21, 2011 3:53 pm

Re: Why employ a graduate?

You know... So I just started reading Grey Hat Hacking 3rd Edition and noticed there is a chapter on VoIP (Chapter 18), so I went straight there... Lo and behold on page 387, the authors are talking about a tool I wrote called Asteroid (search packetstorm). Case in point, when I started the tool, I started it to tinker with Asterisk on my own leisure, to learn what was happening with SIP from an attackability perspective, something that just interested me. Was pure hobby. During my creation of Asteroid, it led me to security vulnerabilities in Asterisk (hence the play on words, Asterisk - Asteroid) ... CVE-2006-5444 and CVE-2006-5445 and FRSIRT ADV-2006-4098 ... At the time, I was just learning the intricacies of SIP messaging (5 years ago)... Counted for something as many people have actually used Asteroid including professors at Columbia University.

So skitch, back to my original posting, think outside of the box when it comes to experience. It doesn't only come from "working nine to five" everything is an experience, what you make out of that experience is what counts. I just wanted to share that since I found it interesting that a tool I wrote over 5 years ago is still sort of relevant enough for someone to write about. (Mind you I have another tool 12 years old people still comment on/study, but that's another story altogether)
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Feb 21, 2011 6:12 pm

Re: Why employ a graduate?

Ask yourself what makes some of these guys stand out, how did they get there and what did they do that's different. I'll focus on Chris Gates for a few reasons 1) he is a well known and respected security "fellow" 2) he's also a member here 3) he's become an SME for things metasploit. So if I had to guess what Chris did to build up his experience here's how I think it went. (and the specific reason I chose Chris is in hopes that if he reads this he can chime in and or correct me).

1) Find a specific arena in security, stick to it and learn it in and out
2) Blog, blog, blog... Trial and error trial and error


That's a great piece of concrete advice for someone trying to make a statement in the industry. I agree. The rest of your posts were negative for my taste and if you had a positive/constructive message you were trying to convey, I didn't understand it until now. You've got a different style than I do. To each their own. Good luck skitch.
Last edited by cd1zz on Mon Feb 21, 2011 6:34 pm, edited 1 time in total.
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Feb 21, 2011 6:54 pm

Re: Why employ a graduate?

@cd1zz: Sil is probably the most experienced guy on this forum. We all like reading his posts. However, since he spends most of his time in front of a screen or reading a book, he sometimes acts like a caveman.  ;)

So don't take it personally, he will probably be on your side on the next topic...

But guys, I really feel like I wrote a few posts that nobody read!  :-\
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Feb 21, 2011 8:09 pm

Re: Why employ a graduate?

H1t M0nk3y wrote: But guys, I really feel like I wrote a few posts that nobody read!  :-\


You're spot wrong ;) I read your post in fact I read everyone's comment before I post my own just in case I want to add more than one response. The fact is, I was going to add your initial comment in as well but it would have been an extremely long thread. I also wanted to avoid "adding to SOMEONEs" comment so no one feels that I'm singling them out or correcting them since I can be misunderstood. Meaning, I wouldn't have wanted you to think I was disagreeing or singling your comment out as being wrong/inconsistent/incorrect/etc. So here goes...

You gave solid advice that you followed that has helped you so far: "studying about 2 hours a day, 5 days a week for the last 20 months will lead me somewhere. I have planted seeds and it is growing. OSCP is one seed for sure, but not the entire field". You too have realized that there really isn't a definitive beginning nor path. There are different routes one *can* take in an effort to get closer to a destination. That destination however is something that only the person posting a question can answer.

I posted a summary (a long one) about my foray into security when I won the GIAC last year and rather than repost it all, I will submit the link so that hopefully, cd1zz, skitch and others can get an idea of my background http://www.ethicalhacker.net/component/ ... /#msg31286 ... Experience boils down to what you GAIN from something you have done and or learned. Collectively I STILL spend way too much time in front of a machine (almost 14 hours solidly per day). When I first started getting heavily involved in security, there were times I would spend an entire 24 hours or more in front of a machine learning. The difference between say when I started and now is, now it is much easier to do things... This does not equate to understanding what you are doing.

For example, ask any 10 network admins or engineers with 5-10 years experience immediately in your range to explain what's a NAT tuple or how is aggressive mode BETTER for networking, yet worse for security and I guarantee you the likelihood of any one of them truly understanding it is zero (you MIGHT find one.) Does this mean they're dumb or less experienced, no, just means they've learned differently at a more rapid pace overlooking the intricacies which sometimes make or break a "senior" versus regular engineer or admin.

So to everyone here who takes the time (and aspirin) to read my posts, I'm no better than anyone here. I may have more experience in certain arenas and I certainly enjoy sharing an alternative point of view. This is what dialogue is all about, learning from one another. Never take any of my posts as "demeaning" or trying to lessen either experience or an area. I offer an opinion as does everyone else. Everyone has an experience to share however, not everyone knows the route which is proper for one another, else we'd all be mind reading millionaires bored out of our mind.

My suggestion skitch, is that of Offensive Security... Try harder ... Not to crack, but at opening up your mind because at the end of the day, your mind is the greatest tool. Not some cert, not some tool, not someone's advice or opinion. Remember in school, they always taught you that 1 + 1 = 2 yet when you got into programming that whole framework was shattered when you realized that 1+1=1 ... One drop of water plus one drop of water equals one BIGGER drop of water. It's all about interpretation and creativity.