Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Recruiters' guide to hire an Ethical hacker

672 views

Published on

a general knowledge you need to know if you wanna make sure this one is a penetration tester or an Ethical hacker to recruit him

Published in: Business
  • Login to see the comments

Recruiters' guide to hire an Ethical hacker

  1. 1. Ethical Hacking & Penetration testing General Knowledge Ayman Mohammed – CEH http://www.AymanMohammed.com
  2. 2. Outline • Introduction • Certificates • Keywords • Questions • References
  3. 3. General tips about information security career
  4. 4. Introduction to Ethical Hacking • Ethical hackers ▫ Employed by companies to perform penetration tests • Penetration test ▫ Legal attempt to break into a company’s network to find its weakest link ▫ Tester only reports findings • Security test ▫ More than an attempt to break in; also includes analyzing company’s security policy and procedures ▫ Tester offers solutions to secure or protect the network
  5. 5. The Role of Security and Penetration Testers • Hackers ▫ Access computer system or network without authorization ▫ Breaks the law; can go to prison • Crackers ▫ Break into systems to steal or destroy data ▫ U.S. Department of Justice calls both hackers • Ethical hacker ▫ Performs most of the same activities but with owner’s permission
  6. 6. Penetration-Testing Methodologies • White box model ▫ Tester is told everything about the network topology and technology ▫ Tester is authorized to interview IT personnel and company employees ▫ Makes tester job a little easier • Black box model ▫ Company staff does not know about the test ▫ Tester is not given details about the network  Burden is on the tester to find these details ▫ Tests if security personnel are able to detect an attack • Gray box model ▫ Hybrid of the white and black box models ▫ Company gives tester partial information
  7. 7. Ethical Hacking in a Nutshell • What it takes to be a security tester ▫ Knowledge of network and computer technology ▫ Ability to communicate with management and IT personnel ▫ Understanding of the laws ▫ Ability to use necessary tools
  8. 8. Known certificates in cyber security field
  9. 9. Most famous certificates • EC-Council ▫ CEH(Certified Ethical Hacker) ▫ ECSA (EC-Council Certified Security Analyst) ▫ LPT(Lice sensed Penetration Tester) • SANSGIAC (Global Information Assurance Certification) ▫ GPEN(GIAC Certified Penetration Tester ) ▫ GWAPT(GIAC Web Application Penetration Tester) • OSSTMM (The Open Source Security Testing Methodology Manual) ▫ OPST (OSSTMM PROFESSIONAL SECURITY TESTER ACCREDITED CERTIFICATION) ▫ OPSA (OSSTMM PROFESSIONAL SECURITY ANALYST ACCREDITED CERTIFICATION) ▫ OPSE (OSSTMM PROFESSIONAL SECURITY EXPERT ACCREDITED CERTIFICATION) • Mile2 ▫ CPTEngineer(Certified Pen Testing Engineer)
  10. 10. Keywords you need to know , and search inside the resume
  11. 11. Top Keywords • Certificates : ▫ CEH , ICSSP , LPT , CPTEngineer , ECSA , GPEN, OPST ,OPSA ,OPSE , CISM, CISA • Tools: ▫ Kali , Metasploit , sqlmap , Burp Suite , Acunitix ,IBM Appscan ,Nmap ,Cain & Able ,WireShark ,Nessus ,snort ,OpenSSH ,BackTrack ,Brutus ,John the Ripper. • Methodologies : ▫ OWASP Top 10 , PCI-DSS • Vulnerabilities : ▫ XSS , Sql injection , CSRF , session hijacking , ....
  12. 12. Some questions to assess the Penetration testing knowledge
  13. 13. Questions & answers • Q. What is XSS or Cross Site Scripting? Ans. XSS or cross site scripting is type of vulnerability  that hackers used to attack web applications. • It allows hackers to inject HTML or JAVASCRIPT code  into a web page which can steal the confidential  information from the cookies and returns to the hackers.  It is one of the most critical and common technique  which needs to be prevented. • Q. What is a honeypot? Ans. Honeypot is fake computer system which behaves  like a real system and attracts hackers to attack on it.  Honeypot is used to find out loop holes in the system  and to provide solution for these kinds of attacks.
  14. 14. Questions & answers (cont.) • Q. What type of tools are there out there for packet sniffing? Ans.  Wireshark is probably the most common  packet sniffing tool. This program can help you find  odd traffic across the network or identify a program  that is sending traffic silently from a host.  • Q. Which tools are you using in Performing automatic vulnerability testing? Ans. There are many tools to do so , the most  famous tools are Acunitix , IBM Appscan , Burb  suite , ZAP.
  15. 15. Where to start gain more knowledge
  16. 16. • http://www.softwaretestinghelp.com/interview- questions/security-testing-interview-questions- and-answers/ • http://www.eccouncil.org/Certification/professi onal-series/ceh-course-outline • http://www.zdnet.com/article/10-things-you- need-to-know-before-hiring-penetration- testers/ • https://www.owasp.org/index.php/Top_10_201 3-Table_of_Contents

×