Contract Positions That Will Lead to Pentesting

Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Sun Dec 04, 2011 1:08 am

Contract Positions That Will Lead to Pentesting

Lately, I've been getting a number of calls about various security-related contract positions, mostly policy or audit-type jobs.  Now my goal is to get a full-time pentesting position, so I haven't really given these policy contract positions much thought since I don't think they'll give me the experience needed to be a pentester (and by that I mean, they won't give me the knowledge needed to pass a pentesting interview).

Some background on me: I have a master's in information security, a great GPA, and over 10 years of IT and software development experience.  My security-related experience is limited to one internship, and my current position of doing part-time, unpaid website pentesting for a small startup company.  My resume is good enough that I receive callbacks for 80% of the jobs I apply for, but my problem is actually passing the subsequent interview rounds as I don't know the answers to certain technical questions due to my lack of experience.  So my idea for the past year has been to work on various certifications and classes like eCPPT and HackingDojo to try to gain knowledge so I can pass the technical parts of the interview.

As a result, I haven't really considered these audit or policy positions as I don't think they'll provide me with the answers to questions like "How many IPs are on a /23 network?" or "Where is Libc located in Linux?"  I'd rather work on certifications and teach myself various things instead of working on policy stuff I don't care about.  Are there any types of contract positions (besides the obvious like network security, intrusion analysis, etc.) that I should be on the lookout for that would help me start a career as a pentester?

Thanks. 
Sec+, eCPPT
El33tsamurai

Full Member

Posts: 220

Joined: Sat Feb 03, 2007 4:01 pm

Post Sun Dec 04, 2011 6:42 am

Re: Contract Positions That Will Lead to Pentesting

Check out OSCP; it's a hands-on pentesting cert.  I am currently taking the class and I am learning so, so much from it.  What books have you read on pentesting?  What sites do you visit on a daily basis about pentesting?
CCENT, A+, Network+, Security+
Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Sun Dec 04, 2011 6:29 pm

Re: Contract Positions That Will Lead to Pentesting

I've read Web Application Hacker's Handbook (1st ed), which I didn't find all that useful.  Most of the concepts I'd already learned in my master's program.  I'm currently starting the Art of Exploitation and the Metasploit Penetration Tester's Guide; these books are more up my alley, with hands-on examples of the topics.

Besides EH, I visit Packet Storm and ExploitDB regularly.

I really wanted to take OSCP after I finished eCPPT in August, but these past few months have been busy, and I didn't think I'd have the time to properly focus on OSCP since I hear it is so intense.  I've just started working on my CCNA, and once I finish that, I plan to start on OSCP.  Plus I'll have finished the Metasploit and Art of Exploitation books by then, which should help in the class.

I also submitted an application to be a volunteer for SANS here in Phoenix in February so I can take GWAPT for a cheap price.  I doubt I'll get it, but it can't hurt to try.
Sec+, eCPPT
Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Mon Dec 05, 2011 9:47 am

Re: Contract Positions That Will Lead to Pentesting

Hey Seen, some thoughts on the sample questions you received: those are not necessarily direct pen testing security questions.  Those are basic knowledge of networks and Linux.  In most of these classes and books you are reading, the author assumes you have the basic concepts of networking and OS-related material.

The first step to pen testing is to know what you are attempting to break into.  Knowing basic network concepts will allow you to better understand the network you will be testing against.  If you pop a box and notice that it has an IP of 192.168.40.10 with a subnet of 255.255.255.248 and a gateway of 192.168.40.14, you will know that there are at least 4 other hosts on that subnet that may be accessible.  Best bet for learning networking concepts is to pick up a CCNA book.  Cisco will have you jumping through subnetting hoops until you can see something like 192.168.40.8/29 and know that it is the network explained above.

Most really good pen testers have come up the ranks either from Web App developers (Web App Pen Testers) or Sys Admins who work every day with servers, workstations, routers, switches, etc.  You will have guys that can perform a flawless SQLi injection but may not be able to bypass some networking controls on an internal network and vice versa.  So focus on what you are strongest in and start there.

As for the positions with Audit/policy jobs, well yes, some of those might not be that fun.  It won't generally get you too much direct experience, but it will get you experience knowing the policies and procedures that might help you understand what controls may be in place during a pen test.  Compliance != Security.  Knowing what is required for compliance is valuable since many companies/organizations will not go beyond the base requirements.  Plus the work is not too stressful since you are not the one required to fix the issues, you just need to report them.  You may also work alongside a pen tester who will be called in by request for additional testing of the findings.
Certs: GCWN
(@)Dewser
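
The subnet arithmetic from the post above, worked through in Python as an added example that is not part of the original thread. The function names are hypothetical; the addresses are the ones quoted in the post, and the same code answers the "/23" interview question from the first post.

```python
import ipaddress

def subnet_summary(ip: str, mask: str) -> dict:
    """Derive the subnet from a host address and dotted netmask with bitwise math."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    host_bits = mask_int ^ 0xFFFFFFFF          # inverted mask: the host part
    # A valid netmask is contiguous 1-bits then 0-bits, so host_bits is 2^n - 1.
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous netmask: {mask}")
    prefix = bin(mask_int).count("1")
    network = ip_int & mask_int                # AND clears the host bits
    broadcast = network | host_bits            # OR sets every host bit
    total, usable = prefix_size(prefix)
    return {
        "cidr": f"{ipaddress.IPv4Address(network)}/{prefix}",
        "broadcast": str(ipaddress.IPv4Address(broadcast)),
        "total": total,
        "usable": usable,
    }

def prefix_size(prefix: int) -> tuple:
    """Return (total addresses, usable host addresses) for an IPv4 prefix length."""
    total = 2 ** (32 - prefix)
    # /31 and /32 have no separate network and broadcast address to subtract.
    usable = total - 2 if prefix <= 30 else total
    return total, usable

def other_hosts(ip: str, mask: str, known: list) -> list:
    """Usable addresses in the subnet that are not already accounted for."""
    net = ipaddress.IPv4Network(subnet_summary(ip, mask)["cidr"])
    seen = {ipaddress.IPv4Address(a) for a in known}
    return [str(h) for h in net.hosts() if h not in seen]

if __name__ == "__main__":
    # Values quoted in the post: host .10, mask 255.255.255.248, gateway .14
    print(subnet_summary("192.168.40.10", "255.255.255.248"))
    print(other_hosts("192.168.40.10", "255.255.255.248",
                      ["192.168.40.10", "192.168.40.14"]))
    print(prefix_size(23))
```
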
Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Mon Dec 05, 2011 5:15 pm

Re: Contract Positions That Will Lead to Pentesting

3xban wrote: As for the positions with Audit/policy jobs, well yes, some of those might not be that fun.  It won't generally get you too much direct experience, but it will get you experience knowing the policies and procedures that might help you understand what controls may be in place during a pen test.  Compliance != Security.  Knowing what is required for compliance is valuable since many companies/organizations will not go beyond the base requirements.  Plus the work is not too stressful since you are not the one required to fix the issues, you just need to report them.  You may also work alongside a pen tester who will be called in by request for additional testing of the findings.


I'm just worried that not only will the boring policy job cut into my time to learn the fun stuff, but also I don't know if I'll want to come home and learn more on my own after doing boring work all day ;)

I've just started working on my CCNA, so now I know the answer to that question.  I actually like it when I get asked interview questions that I don't know the answers to; it gives me new topics to study.  So the more interviews I fail, the smarter I'll become...
Sec+, eCPPT
