.

Pen-Testing Career?

<<

p0et

User avatar

Full Member
Full Member

Posts: 197

Joined: Thu Nov 02, 2006 4:38 pm

Location: Victoria, Canada

Post Thu Dec 14, 2006 6:29 pm

Pen-Testing Career?

Has anyone here actually went out and became a consultant in which the majority of what you do are pen-tests?  This is my ultimate career goal.  I'm just finishing up my SANS GCIH and you can probably already see what other certs I have.  I'm taking my CEH after the SANS one.

Anyways, just wanted to get some thoughts on starting out in this specialized field and if any of you are already here.

Thanks!  ;)
GCIH, Security+, Network+, A+, MCP, DCSE
<<

Cutaway

User avatar

Jr. Member
Jr. Member

Posts: 96

Joined: Mon Nov 20, 2006 5:02 pm

Post Fri Dec 15, 2006 11:12 am

Re: Pen-Testing Career?

There are plenty of consulting businesses that use pentesting as one of their tasks.  Usually with a specific person assigned to it.  This is mainly so that the person can properly represent themselves when speaking about techniques and findings.  Also, the time that is usually involved with pentesting (also depends on the depth of assignment) usually requires that this be the only task for the length of the assignment.  As a person gets more experience then they can usually include assessment work but now we are really talking about a team effort.

Currently you are on the right track.  Getting your certifications means that you have the basics.  Getting real world experience can be a bit of a problem.  Do the hacking challenges and keep reading.  If you can do some local consulting then start working on it but be careful and ALWAYS get written permission with detailed specifics as to what the job entails (and stick to the specifics outlined in the documents).  I am sure that you are currently working some where so see how you can start integrating assessment and penetration testing into their environment (but if they say no then they mean no).

Lastly, really start working on your writing skills.  How you write and how you present technical information is key.  You may consider finding a college with a masters degree program.  SANS offers one but it is not currently an accredited university.  You can check the NSA's site as they have certified several programs http://www.nsa.gov/ia/academia/caemap.cfm?MenuID=10.1.1.2.

Also remember that networking is the key.  Getting to know people in the field.  Making a name for yourself as a person who is trustworthy, smart, honest, and hard working will get you far.  Remember, the majority of the people in this field (or who have gone far in it) are workaholics and tenacious.

Hang in there and good luck.

ADDITION:  I also just found this at CIRT.net http://www.cirt.net/cgi-bin/jobs.pl?method=showjobs&product=Metasploit.  Hope that helps.
Last edited by Cutaway on Fri Dec 15, 2006 11:53 am, edited 1 time in total.
Go forth and do good things,
Cutaway
<<

Kev

Post Thu Feb 08, 2007 10:09 am

Re: Pen-Testing Career?

  I think its important to be aware of both the good things and some of the bad things that are involved in being a pentester. Some schools make it seem like all you do is try and break into a system using some cool hacks and then you get paid and go off to your next client and hack his network, all the while wowing them with your amazing hacking genius.  Well, its not like that. 

  First of all, you need to be good at paperwork. Sometimes lots of paperwork! Corporations respond only to very well constructed reports.  I have seen really good pentesters get hurt by this.  On the other hand I have seen poor testers impress their clients with some very well done reports.

  Also, you need to be a very skilled diplomat. If the client you are dealing with has their own Admin, it can be a little uncomfortable sometimes.  Often they are scared to death you are going to make them look bad and don’t want you there. It can be a little stressful if you are conducting an onsite security audit and have all the Admin glaring at you and trying to sneak and see what you are doing.  The trick is getting them to feel you are not against them and anything presented will be done in a way as to not make them look bad. You are there to “tweak” the security. If you do find someone has been terribly incompetent, then you need to be prepared for the possibility you have just caused that person to lose their job.  Are you comfortable with that? You need to be, because often there is a lot at stake.

So why would someone want to have to deal with all that? For 2 reasons. One is it does give you the chance to legally hack!  The other reason is if you feel what you are doing is positive. You sometimes are helping to protect a lot of innocent people from things like identity theft, etc... 
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Thu Feb 08, 2007 2:16 pm

Re: Pen-Testing Career?

Kev you brought up a great point. Pen Testing is one area where you can make a big positive difference. You are helping companies better secure their network and it makes you feel that you are doing something worthwhile. Versus being a security person at an enormous company with so much red tape you can't accomplish anything meaningful. The only downside I see is the travel, which can be difficult if you have a family depending on the situation.

Return to Career Central

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software