      Hi lorddicranius (and thanks to Mowgli for the prod),

      You’re not alone; these are/were the bane of my life whilst working in DCs.

      I think the QA database and portal are the ideal process, but in practice real world application doesn’t deliver on the promise (in my experience). Especially if you’re handing the process off to a sales or other employee who couldn’t complete the questionnaire in the first instance, the answers database may not help them unless the questions in the questionnaire and your FAQ are exact, or very close matches. Or worst case scenario, the sales guy misinterprets the content and you either end up having to rapidly backtrack with the (potential) client and explain why the original answer is incorrect (and why despite that they should still use your services), or the error gets missed entirely and you end up contracted to something that you don’t (or can’t) deliver.

      Probably best left developing the silo for some quick cut&paste turnaround, but keep as a tool for someone who at least understands the content at a high level.

      Unfortunately (and I’ll gladly take suggestions if anyone can help prove me wrong), the best/quickest way to complete the flood of questionnaires is simply to have a knowledgeable security body complete the questionnaires. It’s not fun (at all) but over time you do get quicker and more accomplished, reducing the pain needed.

      Long term, we’ve found that having equal or higher compliance certifications yourselves to that requested of the client can reduce your burden, if the assessment of your own facility and services becomes a quick review that your certs are correctly scoped to client requirements and valid. You still need to go through the pain and cost of the audit process, but this is reduced to once for yourself, not multiplied by every client that needs answers to the same questions.

      Sorry for not being able to point you to the holy-grail of checkbox-checking prowess, but that’s been my experience from the same position.

      It’s not necessarily all doom and gloom though (especially if anyone reading this is looking for a foot in the door to step into a security role): NO ONE likes completing these audits, if you show the slightest interest and capability you WILL get given the task, giving you a chance to gain experience, and proven capability to perform, within the infosec side of a business. Or on the flipside; if you have an eager young PFY eager to prove themselves… At the very least that’s how I gained the opportunity to move out of the hosting team (started at bottom rung as an intern/work placement during uni) and ‘graduate’ to the security team proper (though I’m still stuck completing audit questionnaires for my old Hosting team, I missed a trick there somewhere…).

      Hope this is of some help, at the very least may provoke a flood of people to suggest I’m completely wrong and get you some actual usable advice from those with better answers 😉


    • #51189


      Assuming by wifi analyser you mean the wireless tool by Farpoc?

      I use the same tool, as it’s essentially a wireless spectrum analyser similar to aircrack/kismet/etc. My guess is CandC is merely an SSID of a neighbouring AP and (hopefully) not a direct threat to your environment.

    • #51114

      @Cyber.spirit wrote:

      I’m not new on Linux

      Hence my attempted caveat. But you are having problems, and you did ask for help; which I was trying to provide. Won’t bother next time.

    • #51110

      Could be many things, have you checked all the usual candidates? Download checksums? File/user permissions? etc?

      Possible stupid (and/or insulting – not intended) question, you are in the same directory as the *.run installer when issuing the ./*.run command?

      I’m running on 12.10 and MSF is running perfectly my end…

    • #51091

      Sorry, should have been clearer: my experience is with the Team Member level certs.

      Team Lead is on the old to-do list (which I believe is far harder). Robin Wood has a good write-up of his experiences with the TL level exams.

    • #51083

      I’ve not taken a good look myself, only ran across them myself a couple of days ago, but may do what you need.

      It is a commercial service, but there is a free/limited option, and all new accounts start with a 30-day Pro trial.

      Hopefully it might solve your issues, either way I’d be interested in your thoughts and experiences if you do give them a go.

    • #51089

      They both have their uses, and having done both I’d strongly suggest doing both (if UK based).

      OSCP will develop a deep technical understanding, CHECK/CREST will help get you the work to put that understanding to the test.

      That’s not to say the CHECK/CREST isn’t technically challenging, but having done OSCP first CHECK certification was a challenge, but not on the Bob/Pain/Sufferance scale.

      My route: I self funded OSCP (cheaper of the two) to prove ability/commitment, then put CHECK through work’s budget 😉

    • #51071

      Hi Ender,

      welcome to EH-Net.

      Depending on your location you could look to local security businesses who may be willing to assist in return for a share in the publicity, or to local groups (DC#, 2600, etc.) for individuals.

      Only concern I’d have, is I’ve seen the same marketing spin tried over the years, often resulting in some very bright individual finding a flaw, leaving the ‘bragging’ company with egg on their face. Before you start the PR exercise I’d suggest that your client hires multiple, VERY good pentesters to put the systems through their paces first…

    • #51013

      Hi Hudson,

      welcome to EH-Net 🙂

      Not wanting to pull your first post apart, but this seems to be computing for the truly paranoid. Whilst most of it is good advice, in the real world you’ve got zero chance of getting standard users to take these precautions; I’m an overly paranoid infosec guy and the only step I follow is checking the hash sums of downloaded files – and my machines are malware free (ignoring the malware there deliberately…).

      And if you’re running a ‘nix OS, why run winmd5Free under wine when you’ve (usually) got md5sum on the command line as standard?

      Oh, and one of my primary malware-free machines? Running Windows….

    • #50968

      If you’ve already got a virtual environment for your server/app lab set-up take a look at Vyatta’s open source edition.

      They’ve got some fairly powerful network kit available as virtual images. I’ve got one running as a router handling the core of my lab environment without issue.

      If you’ve got some experience with other network kit (Cisco et al) it should be fairly intuitive to pick up.

    • #50819

      @artistic wrote:

      @SecurityMonkey wrote:

      Sounds like someone is trying to get his homework done by others… lol

      Something like that 😛 but I have already submitted mine. Just wanted to know different thoughts. 🙂

      OK, I’ll give benefit of the doubt; you start first, as you already have an answer.

    • #50833

      From my limited understanding of the situation I also called BS.

      But I also believe (can’t find my sources, sorry) that several big names have already paid up to avoid the legal costs, so TQP must have something with a legal foundation to it.

      Time to grab the popcorn and see how this one plays out.

    • #50808

      Interesting looking script, thanks for sharing.

      I’ll definitely keep it in my bag of tricks for a rainy day and let you know how it goes.

    • #50744

      @MaXe wrote:

      @Andrew Waite wrote:

      Regardless of opinions of particular certs, surely having a questionable (in some people’s eyes, discussion for another thread) cert like C|EH is still better than an empty space in its place?

      I would say it depends on the company you are applying at, if you only got CEH, and it’s a highly technical and very serious company, they might think you’re joking. No offence intended.

      If you’ve not got the certs/experience/skills for any position, your application won’t be successful, that’s true of any industry. What I don’t understand is people that have C|EH and higher/more advanced certifications dropping C|EH.

      At a minimum it shows your development path to get to where you are now. All else being equal I’d hire a CHECK/CREST and C|EH applicant over ‘just’ a CHECK/CREST applicant.

      Root, as MaXe states, be aware of non-technical workload if working alone. A general truism for consultancy type roles seems to be 1/3 of your time chasing new work, 1/3 doing admin/paperwork and a 1/3 actual billable work. Just make sure you work the excess into your billable prices 😉 Good luck.

    • #50741

      Not wanting to hi-jack the thread but I’m not sure I understand the logic behind removing certifications from CVs or LinkedIn. I’ve achieved more respected and advanced certifications since gaining C|EH, but C|EH still holds a mention on my resume.

      Regardless of opinions of particular certs, surely having a questionable (in some people’s eyes, discussion for another thread) cert like C|EH is still better than an empty space in its place?

      Admittedly I sat C|EH with its reputation in mind as a way to bypass HR filters rather than ‘prove’ technical capabilities, but I still sat the cert for a purpose. If you’re not going to display a cert, why take it in the first place?

      To answer Root’s original question: you don’t necessarily need certs to be a pentester, but if you want to find work you will likely need to be able to by-pass HR filters and pass minimum requirements in particular industries. Using the UK as an example, C|EH can often achieve the first, with CREST/CHECK providing the second (as MaXe has already stated). YMWV depending on location/business sector though.

