From: Mark Teicher (mht3@earthlink.net)
Date: Tue Aug 01 2006 - 15:31:08 EDT
I agree, and there have been many boutique consulting service shops that have been attempting to assemble a team of dependable, reliable, self-dressing penetration testers. Many have failed over the years due to scalability or lack of funding; some have been gobbled up by bigger and bigger corporations for pennies on the dollar due to mis-management, executives attempting to raise mountains out of minor little issues, or exploiting customers to pay lots of money for pen-tests that do not really address the core of the fundamental issue in the market.
There are still several people out there who 'claim' to be a "hacker" but yet have never conducted a pen-test in their life, or show up to a customer site late because they couldn't get up in time to make their air travel, or show up to a customer looking like they just rolled out of bed, or show up to give a preso in camouflage pants, starting their talk in hax0r language.
I have learned so much from organizations and people over the years about how to screw up a perfectly good industry. Hopefully VoIP and Vista security engineers learn something besides downloading eEye Retina, running it against their underlying operating system, and waving the "It's safe and secure" flag in front of everyone.
Oops, starting to sound like the guy who wrote the first firewall proxy... Better start introducing myself to some hax0r girls at BlackHat and learn about new hax0r techniques... Can't wait until they do a preso on basic pen-testing; I bet that will be an interesting preso...
-----Original Message-----
>From: FocusHacks <focushacks@gmail.com>
>Sent: Aug 1, 2006 10:07 AM
>To: Erin Carroll <amoeba@amoebazone.com>
>Cc: Paul Melson <pmelson@gmail.com>, rahul.joshi2@googlemail.com, pen-test@securityfocus.com
>Subject: Re: What is being a pen tester really like?
>
>I agree with most of the sentiments of this thread.
>
>Right now, anyone with some mouse skills can perform an assessment.
>Nessus, Retina, Metasploit and friends are making sure of that. That
>isn't to say that automated scanning tools have no place in a
>professional-grade penetration test, but people who simply run
>automated tools, brand the output, and turn it over to the client are
>not penetration testers, nor was that process a penetration test.
>
>Penetration testers are a truly rare breed, and an all-out penetration
>test can even be a simulation of a very real attack. The thing to
>remember is that every client will have different expectations,
>different business politics to deal with, and different opinions on
>what is or is not your responsibility. You must be as flexible as you
>are thorough, and as cordial as you are intelligent.
>
>Verbal and written communication skills are a bonus. You should be a
>good public speaker and an even better technical writer. If you are
>not, then you should work alongside someone who is, and that person
>should be technical enough to understand what you are talking about.
>
>At the most basic level, you should understand that the output from
>automated scanners represents POSSIBLE issues, each of which needs to
>be verified by hand. If you can exploit the vulnerability without
>disruption of production service, you by all means should exploit it.
>Furthermore, you should also make every attempt possible to leverage
>any kind of access to gain more access without causing harm. Keep
>track of things that you would like to try that might disrupt
>services. There may be a pre-production environment that you can test
>on, or a maintenance window that you can utilize.
>
>Being a real pen-tester is hard work, and it's much like having 2
>full-time jobs. Nothing stays the same for very long in the info-sec
>world. You spend just as much time researching as you do performing
>the tests. Research usually isn't limited simply to surfing
>SecurityFocus lists, but that can be a significant time sink.
>Research is also testing new methodologies, tools, and exploits on
>your own network as well as trying to find new vulnerabilities that
>have never been made public.
>
>At the end of the day, pen-testing is a very demanding, somewhat
>stressful, highly rewarding, and fast-paced job. If you're doing it
>on your own, it's a hard field to get into initially. If you're
>working for an internal audit group, you will likely be met with
>opposition and animosity (especially if you are part of a company that
>has thus far not HAD an internal audit group). If you're a consultant
>for a company that performs security services, you will be held to a
>very high standard by both your company and your client.
>
>Without getting your feet wet, it's hard to understand exactly what
>the life of a pen-tester entails.
>
>
>On 8/1/06, Erin Carroll <amoeba@amoebazone.com> wrote:
>> Rahul,
>>
>> Sadly, I have to agree with a large portion of what Paul says. Aside from
>> some specialised areas or situations, security assessment and penetration
>> tools have advanced to a point where you could get by with simply taking
>> canned reports and output and presenting it to your clients. IMHO, this
>> narrowly qualifies as true pen-testing but even without those tools
>> pen-testing isn't exactly rocket science.
>>
>> Now being a *good* pen-tester... That's the real distinction. It's one thing
>> to be comfortable and proficient with pen-test tools (nessus, Core IMPACT,
>> Metasploit, webinspect, password tools.. the list is long) so that you can
>> present reliable results and recommendations. It's another thing entirely to
>> take those tools and wring every last ounce of performance and use from
>> them. Paul's Mario Andretti metaphor is a good one. The good pen-testers not
>> only understand and can interpret the information they gather but also
>> understand in detail the underlying processes and implications of what they
>> see (or don't see). Being able to infer from a limited dataset what
>> weaknesses exist and how to fully take advantage of them is not an easy
>> thing to pick up. It requires time, patience, experience, and a healthy dose
>> of paranoia. While your coding background will be of help, especially if you
>> want to code or modify existing exploits or tool modules, it's not as
>> relevant as understanding the tcp/ip stack or other more basic technical
>> knowledge... And being able to see the big picture from the bits and pieces
>> you collect.
>>
>> The really rare pen-tester not only has the technical chops but can
>> communicate them in ways that even a 3yr old (or executive heh) could
>> understand. I've met people with technical depth who can run rings around me
>> but with very few exceptions couldn't communicate their way out of a wet
>> paper bag. I've also met people who are effective communicators but wouldn't
>> know a SYN ACK if it bit them in the nether regions. The ability to take
>> complex data and present it in an easy to understand format is difficult.
>> The fun part of pen-testing is the actual pen-testing itself... The hard
>> part (and the most time consuming) is writing it all down and documenting
>> the findings.
>>
>> In my experience the day-to-day of the pen-tester experience can be summed
>> up pretty easily: "10 minutes of thrills followed by 10 hours of utter
>> boredom."
>>
>> Hope that helps.
>>
>>
>> --
>> Erin Carroll
>> Moderator
>> SecurityFocus pen-test list
>> "Do Not Taunt Happy-Fun Ball"
>>
>>
>> > -----Original Message-----
>> > From: Paul Melson [mailto:pmelson@gmail.com]
>> > Sent: Friday, July 28, 2006 12:28 PM
>> > To: rahul.joshi2@googlemail.com
>> > Cc: pen-test@securityfocus.com
>> > Subject: RE: What is being a pen tester really like?
>> >
>> > -----Original Message-----
>> > Subject: What is being a pen tester really like?
>> >
>> > rahul.joshi2@googlemail.com wrote:
>> > >
>> > > I am currently a Java developer but I'm seriously thinking of changing
>> > > paths to a career in security and pen testing.
>> > >
>> > > What I would like to know is what is being a pen tester really like?
>> >
>> > Despite what you may have heard, being a successful
>> > pen-tester (meaning, you get hired and make a living at it)
>> > is not very hard, nor does it require a lot of very deep
>> > technical skill. What it really requires is good verbal and
>> > written communication skills, the ability to work well with
>> > clients, and the ability to explain security (even
>> > inaccurately) in terms of business value. Do those things,
>> > and you can be successful.
>> >
>> > The dirty truth about pen testers is that most of them have a
>> > handful of tools and scripts (like Nessus and Retina) and run
>> > them with the same configs against every customer and have
>> > the same canned recommendations based on the results that
>> > their tools spit out. Hell, most vuln scanners spit out
>> > their own remediation recommendations for the pen tester to
>> > simply hand over to their customers. Additionally, for a pen
>> > test to have the appearance of being successful, it only
>> > needs to find some of the vulnerabilities present on a
>> > network or in an application. Unlike being a network
>> > engineer or a sysadmin where your work has to stand up to
>> > the 24/7 scrutiny of a live environment, being a pen tester
>> > means only needing to be right more often than you're wrong.
>> >
>> > Not to take away from the skills or experience of any
>> > individual pen testers out there. There are some Mario
>> > Andrettis out there driving school buses, if I may.
>> >
>> >
>> > PaulM
>> >
>> >
>> >
>> > ------------------------------------------------------------------------------
>> > This List Sponsored by: Cenzic
>> >
>> > Concerned about Web Application Security?
>> > Why not go with the #1 solution - Cenzic, the only one to win
>> > the Analyst's Choice Award from eWeek. As attacks through web
>> > applications continue to rise, you need to proactively
>> > protect your applications from hackers. Cenzic has the most
>> > comprehensive solutions to meet your application security
>> > penetration testing and vulnerability management needs. You
>> > have an option to go with a managed service (Cenzic
>> > ClickToSecure) or an enterprise software (Cenzic Hailstorm).
>> > Download FREE whitepaper on how a managed service can help
>> > you: http://www.cenzic.com/news_events/wpappsec.php
>> > And, now for a limited time we can do a FREE audit for you to
>> > confirm your results from other product. Contact us at
>> > request@cenzic.com for details.
>> > ------------------------------------------------------------------------------
>> >
>> >
>> >
>> >
>>
>>
>>
>>
>>
>>
>
>
>--
>http://www.FocusHacks.com - The Ford Focus Modification Site!
>http://www.focushacks.com/focushacks-gpg.txt - My GPG encryption key
>
>
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:29 EDT