So you wanna be a pentester - free webinar to show you how

I’ll be covering things like:

- Some of the various types of penetration testing jobs
- Education/Certification/Experience/Skill requirements
- Should I have a degree – if so what type?
- Should I have certifications – if so which ones?
- Should I have work experience – if so what type?
- What skills should I have prior to applying?
- Do I need to be a good programmer?
- Where can I get these skills if I’m not currently working in the field?
- Security clearance requirements
- What are good key words to use when searching IT job sites for pentesting jobs?
- What to expect during the interview process
- I’m not in the US, where can I find pentester work abroad?
- How much money can I expect to make as a pentester?
- The good the bad and the ugly…what the work is actually like day-in and day-out

Published in: Technology, Education

  1. Strategic Security, Inc. © http://www.strategicsec.com/
     So You Wanna Be A Pentester
     Presented By: Joe McCray
     joe@strategicsec.com
     http://www.linkedin.com/in/joemccray
     http://twitter.com/j0emccray
  2. You Wanted To Be A Hacker
  3. You Found Out You Could Do It Legally
  4. Now The Only Question Is… How?
  5. Ok, so you wanna be a pentester
     You wanna know what it takes to get into this game.
     There are 3 major things that you can bring to ANY job:
     • Education
     • Certification
     • Experience
     Other intangible factors are relevant (ex: work ethic, willingness to learn, etc).
     We'll be focusing on the first 3 for this presentation, but we'll cover the other areas as well later.
  6. Education
  7. Should You Have A Degree?
     Short answer – YES
     Is it an absolute requirement – NO
     Each year, however, it is getting harder and harder to get into this field without one.
     My Recommendation:
     If you have the resources (time/money) – go for it!
     Having it will never hurt you, but there will be cases where not having it will.
  8. What Kind of Degree?
     Short answer – Computer Science Degree
     Is it an absolute requirement – NO
     Will a degree such as an MIS, BIS, CIS or similar degree work – YES
     Will a less technical degree work – YES
     - but you may have to supplement it with certifications and/or experience
  9. Do I Need A Degree From A Big Name School?
     Short answer – NO
     Some companies look highly upon people that have attended high profile schools (ex: Harvard, West Point).
     This is usually because they want access to the network you develop while attending that type of school.
     They are looking for long term business development opportunities from you because of the network you'll have developed.
     Sometimes it's because that's just where they get most of their candidates.
     My Recommendation:
     As long as it's not a flat out papermill – you should be fine wherever you go.
  10. How Do I Know If A School Has A Good Program?
      Short answer – Most schools don't have a good program
      Most of the schools claim that their program will help you, and often times that is flat out wrong.
      Most Computer Science programs are too focused on learning your IDE versus learning to program, and even worse there is little focus, if any, on IT Security.
      A lot of graduates of these “Information Security” degree programs can't do trivial things such as (yes, these are real examples):
      • Install a common server (Web, DHCP, File Server, etc)
      • Create a simple unprivileged user in Active Directory
      • Perform basic Linux commands (ex: list directories, read a file)
  11. Can You Be More Specific – about finding a good program
      Don't sleep on Junior/Community Colleges – often times they have VERY technical instructors with real world work experience offering progressive programs at a low cost.
      Verify (talk to actual students – not sales people).
      Ask if they learned about (meaning actually did something with) the following tools:
      • Nmap
      • Scapy
      • Burp Suite
      • OllyDBG/Immunity Debugger
      Ask to sit in on a class, and after the class talk to the instructor.
      For good technical courses to use as a reference check out:
      http://samsclass.info/
      http://pentest.cryptocity.net/
  12. Certification
  13. What Certifications Should I Get?
      EC-Council
      • C|EH, ECSA/LPT
      SANS
      • GPEN, GWAPT, GAWN
      Offensive Security
      • OSCP, OSWE, OSCE
      The trend in the industry is to go after the certifications listed above.
      They are good, and they are very helpful to have during the interview screening process.
  14. What Certifications Should I Get?
      Networking
      • CCNA, CCNP
      Operating Systems
      • MCITP (formerly known as the MCSE), RHCE, SCSA
      Programming
      • MCPD (formerly known as the MCSD), SCJD, OCA
      Although security certs are important, your job will be to help people fix the security problems you find on penetration tests.
      You'll find great value in the certifications above when you actually get to the technical interview.
  15. What Certifications Should I Get?
      Networking
      • CCNA, CCNP
      Operating Systems
      • MCITP (formerly known as the MCSE), RHCE, SCSA
      Programming
      • MCPD (formerly known as the MCSD), SCJD, OCA
      You don't need to have all of these certifications, but you really need to be able to show that you have these or close to the functional equivalent levels of knowledge of each of these certifications.
      Trust me – this background knowledge is indispensable….
  16. These Types Of Courses Are Expensive
      These types of courses are expensive….duh!!!!
      - Way to go Captain Obvious!
      Find schools that teach this and be prepared to open up your or your company's check book.
      If you are disciplined you can home study all of this stuff or build a lab environment at home heavily relying on virtualization to learn this stuff.
      I'll cover building a lab later in the presentation.
  17. Experience
  18. Chicken Before The Egg
      You don't have any experience, and because you have no experience no one will hire you.
      Deal with it!
      This is NOT going to change!
      Get some experience or do something else.
      Yes I know it's harsh, but it's true!
      Don't worry…I'll give you some tips in a minute…
  19. What are the most important skills to have or get?
  20. Important Skills To Have
      1. Network Pentesting
      2. Web App Pentesting
      In the world of pentesters there are a lot more people with “Network” experience than there are with “Web App & other App Related Experience”.
      The web app and other app related areas of pentesting are growing the fastest.
      The network area is quite mature (Nessus is 15 years old), and quite frankly the market for NETWORK Pentesters is shrinking.
      My Recommendation:
      Learn network pen, but focus on Web App.
  21. What's A Good Measure Of Important Skills To Have
      What's a good measure of these important skills?
      For Network:
      You should be able to do everything here (and explain it):
      http://www.offensive-security.com/metasploit-unleashed/Main_Page
      For Web App:
      You should be able to do every webgoat level – and explain it:
      https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
      Being able to explain what is going on when performing pentesting tasks is absolutely critical.
      Being able to articulate security issues and their respective fixes is a key skill.
  22. Important Skills To Get
      • Web 2.0 (Ajax, Web Services, etc)
      • Mobile (generic mobile technologies, enterprise integration, exploitation, etc)
      • Cloud (IaaS, PaaS, SaaS and specifically how to interact with these technologies)
      If your focus is to be prepared for the future of pentesting then you'll have to get really comfortable with emerging technologies.
  23. Where Do I Get Experience
      This is the ultimate chicken vs. the egg dilemma.
      What I recommend you do is to volunteer as a contributor to an Open Source IT Security Project that interests you.
      Go to http://sourceforge.net/
      Find any IT Security project that interests you and volunteer to assist the developers.
      - You can write code for the project
      - Debug/Test the project for the developers
      - Write documentation for the project (they will love you for this one)
      This will put you in the right circles (networking), and give you some tangible/verifiable experience.
  24. Where Do I Get Experience
      Shameless Plug
      You can be an intern.
      Go to:
      http://it-security-professionals.com/blogs/joemccray/2013/05/cmon-rookies-lets-get-to-work/
      http://it-security-professionals.com/become-an-intern/
  25. How To Build A Home Security Lab To Get Experience
      Build A Lab
      1. Start with a virtualization platform (VMWare, VirtualBox, etc)
      2. Install the most common OSs
         • XP/Vista/Win7/2K8/Win8/2K12/Ubuntu/CentOS
      3. Install the most common apps
         • Java/Adobe/QuickTime/Flash
         • Wordpress
         • Joomla
         • Drupal
      4. Build an IDS (you'll learn a lot doing this)
         • Snort
         • Suricata
      5. Build a SIEM (you'll learn a lot doing this)
         • AlienVault
         • RazorBack
  26. What Should I Be Doing In The Lab
      Foundation (Network/Web)
      • Start with the SecurityTube.net megaprimers for Metasploit and Wireless
      • Go through all of the levels in WebGoat
      Weekly work
      Go to the following websites each week. Download the latest tools and exploits each week and try them against hosts in your lab network.
      • Exploit-db.com
      • Packetstormsecurity.org
      Know that you may have to build new virtual machines just so you can attempt to run these new tools and exploits each week.
      This is an important thing to do because this is what you'll need to know when you are actually pentesting: what are the latest or most popular attacks, what apps or platforms do they target, and what do they look like on the wire (IDS).
  27. What Programming Languages Do I Need To Know/Learn?
      • An Interpreted Language
        • Perl
        • Python
        • Ruby
      • Some exposure to modern enterprise development languages
        • .NET
        • Java
      • I would recommend more focus on the interpreted languages (at least initially) because you'll make your own life easier automating testing tasks.
      • As you get more experience then yeah I'd say to transition to .NET/Java because you'll bring more value to your customers
  28. What Programming Languages Do I Need To Know/Learn?
      • If you are new to programming – start with an interpreted language first
        • Perl, Python, Ruby
      • Youtube is your friend – the best I've seen is from 'thenewboston'
        • Python: https://www.youtube.com/watch?v=4Mf0h3HphEA
        • Ruby: https://www.youtube.com/watch?v=WJlfVjGt6Hg
      • Perl used to be the exploit and tool development language of choice
        • Now it's Python and Ruby
      My Recommendation:
      Do 2-3 videos 3 or 4 times a week
  29. Security Clearance
  30. Do I Need A Security Clearance
      Short Answer – NO
      Will it help – YES
      There is significantly more pentesting related work in the cleared space than outside of it. Something ridiculous like 5-8 times as much.
      Easier to get/maintain if you are prior US military.
      Difficult to get if you are a regular civilian. You will generally have to come to the table with significant skillsets for organizations to submit you for a clearance as a part of the hiring process.
      Basically, you'll have to come in with a significant amount of what I've listed in the previous slides (Education, Certification, Experience).
      They will have to wait close to a year to get you – so you have to be worth it in their eyes.
  31. I've Got An Issue – Not Too Sure I Can Get Cleared
      • Maybe you've done drugs in the past
      • Maybe you've been arrested before
      • Maybe you've had financial issues
      • Maybe you are not a US citizen yet
      Although these are things that WILL raise issues during the clearance process, they are not flat out show stoppers.
      The key to the clearance process is they are looking for things in your background that someone may use against you to coerce you to give up secret information.
      With the first 3 issues I listed – you are usually ok if that kind of stuff happened at least 5 years prior to your applying for a clearance.
  32. What If The Security Clearance Includes A Polygraph
      Generally the higher levels of security clearance will require you to take a polygraph.
      The types of questions they ask you get more intrusive the higher the level of clearance you are applying for.
      My Recommendation:
      Don't lie – no matter how bad whatever you did is, or how bad you think it is.
      Don't lie!
      They aren't hiring for the boy scouts – having a checkered past won't necessarily disqualify you, but lying about it will.
  33. Where & How To Look For Work
  34. Where Do I Go To Look For Pentest Work
      Start with IT job sites
      • Dice.com
      • Monster.com
      • Computerjobs.com
      • http://it-security-professionals.com/jobs/
      Important Lesson: Job Titles Vary Greatly
      You may see titles like: IT Security Consultant, Information Security Engineer, Network Security Analyst, and many many more…
      My recommendation: Keyword search for pentester tools
      Metasploit, Canvas, Core Impact, Burp Suite, nmap, scapy
  35. I'm not in the US – Where do I find jobs abroad
      Finding Pentesting work outside of the US is much more difficult
      - Much more who you know than in the US
      Each country will have its respective IT Jobs sites and you should have a look there first, but nothing will be as fruitful as attending International IT Security and HackerCons.
      Check sites like:
      • SECore.info
      • http://infosecevents.net/calendar/
  36. What Kinds Of Companies Can I Expect To Be Hiring Pentesters?
      • Defense Contractors
      • Federal Government (Department of <insert entity here>)
        President Obama recently signed an executive order mandating more comprehensive IT Security programs for the federal sector (that means more pentesting in the coming years)
      • Financial Entities
      • IT Consultancies
      • Fortune 1000 companies often have an internal pentest group
  37. Even After Doing Everything You Say I Don't Meet The Job Quals
      You need to understand that most of these job reqs are basically wish lists.
      Taken from a real job posting:
      • 10 Years experience in IT
      • 7 Years experience in IT Security
      • 5 Years experience as a Penetration Tester
      • CCIE, RHCE, MCSE, C|EH, GPEN
      • Top Secret Clearance
      • Java, C#, Ajax, XML
      For $85,000 a year….gimmie a break
      As a team lead - If I can find this guy the only thing I can offer him is my job.
      I can't give this applicant top money, and if he is that qualified…HE ALREADY HAS A JOB!
  38. Even After Doing Everything You Say I Don't Meet The Job Quals
      You need to focus on what you bring to the table.
      Technical knowledge
      • It doesn't matter if it came from your home network
      • It doesn't matter if it came from volunteering to help an open source project
      • It doesn't matter if it came from being an intern
      • It doesn't matter if it came from playing in CTFs
      Certifications
      • It doesn't matter if you took courses, or home studied them
      Education
      • It doesn't matter if you didn't go to a big name school
      • It doesn't matter that it's not a CS degree
      My Recommendation:
      Focus on how you can help the company hiring you. Work ethic, documentation, willingness to learn, etc.
  39. Even After Doing Everything You Say I Don't Meet The Job Quals
      We've all worked somewhere either for or with someone that wasn't qualified to be there.
      Obviously having the right qualifications isn't a show stopper when it comes to finding employment.
      How well you sell yourself is often more important.
  40. What Should I Expect During The Interview
      You can generally expect something in the area of 1-4 interviews.
      The most common process is something similar to:
      • Initial Phone Screen
      • Generic Interview
      • Technical Interview
      • On-Site Interview
  41. What Should I Expect During The Interview?
      People are generally most apprehensive about the technical interview.
      The biggest thing people need to understand is that you don't need to get everything right.
      If you don't know the answer to a question – SAY YOU DON'T KNOW THE ANSWER
      Interviewers usually just need to know where you are technically.
      If you do know all of the answers – don't be a jerk
  42. What Are Some Questions I Should Expect On An Interview?
      How do you get to Google.com – be as explicit and detailed as possible?
      The interviewer is looking to see you explain how an endpoint connects to a host somewhere on the internet.
      Everything from ARP for the default gateway, to local resolver, to DNS lookup, to redirection from HTTP to HTTPS, to SSL session setup, to data transfer, to termination of the session.
      If you want to see some sample pentester interview questions:
      http://strategicsec.com/PentesterInterviewQuestions.pdf
  43. How much money can I expect to make
      How much you can make is heavily dependent upon:
      • Job Location
      • Job Title (level of seniority)
      In most cases non-senior positions will range from $60-$80K USD.
      Senior positions can range anywhere from $120-$150K USD.
  44. How About Freelance Work
      Freelancing as a pentester is even more difficult to get into (very who you know).
      There is a lot of this kind of work, but you really have to know people.
      Several IT/IT Security Consultancies get overloaded with work and will contract out to subs (usually 1099-self employed status).
      They often need someone with the experience that can represent their company well, so they generally hire other people that the pentesters already know.
      You can also look on outsourcing websites:
      • Odesk.com
      • E-lance.com
      • Vworker.com
      Know that the security testing projects on these websites tend to be very small, and often offer very very very very very very very very low pay.
  45. I Want To Start My Own Pentest Company
      I strongly recommend that you work at a consulting firm before you attempt this!
      This is NOT for the faint at heart – you need to understand that you are running a business and all of the things associated with running a business must be done well to have a prayer at success:
      • Sales
      • Marketing
      • Finance
      • Research & Development
      • Operations
      Most businesses fail because there is too much focus on Operations – the actual doing of the work – and not really that much thought is put into the other equally important areas.
  46. The Good, The Bad, & The Ugly
  47. The Good
      You get paid to hack!
      You get paid to hack!
      You get paid to hack!
      You get paid to hack!
      You get paid to hack!
      You get paid to hack!
      You get paid to hack!
      You get paid to hack!
      You get paid to hack!
      You get paid to hack!
      Did I mention - You get paid to hack!
  48. The Good, The Bad, and the Ugly
      • Documentation
      • Travel
      • Lack of training
      • Crazy Learning Curve
      • Going through the motions
  49. The Bad
      Documentation
      As a pentester you will often find that nearly 1/3 of your time will be devoted to documentation.
      For every 1 week pentest, there are usually 1-2 full days of the assessment dedicated solely to documentation.
  50. The Bad
      Travel
      This really depends on the person, and where you work.
      Consultants tend to travel a lot. Often times more than 50% of the time.
      Staff penetration testers don't usually travel very much.
      Web Application Penetration Testers don't usually travel very much.
  51. The Bad
      Lack of Training
      The industry moves so fast – you have to keep up with an industry that changes daily.
      Even if you do receive a training class (ex: EC-Council, SANS, Black Hat) once a year, you'll very quickly find out that this isn't enough training – not even close.
      You'll just have to get used to building/testing/practicing in your home lab.
  52. The Bad
      Crazy Learning Curve
      Even with all of the stuff that I've told you to do in this presentation, when you actually start working as a penetration tester you're going to feel like you've been thrown to the wolves.
      The first few months will be straight hell (especially if you are working for a consulting firm).
      The work load is usually pretty heavy, and the learning curve is through the roof.
  53. The Bad
      Going Through The Motions
      One of the complaints from long time pentesters is the going through the motions.
      Telling the customers the same things over and over and over:
      • Use strong passwords
      • Patch both system and 3rd party vulnerabilities
      • Be sure to do input validation
      • Be sure to do output encoding
  54. The Ugly
      The Ugly – Honestly there is no ugly
      Honestly, I love the job. I'd be working at McDonalds if I wasn't a pentester.
      I'm pretty good at incident response, malware analysis, and several other IT Security skills, but at the end of the day I love pentesting.
  55. Questions?
  56. Contact Me....
      Toll Free: 1-866-892-2132
      Email: joe@strategicsec.com
      Twitter: http://twitter.com/j0emccray
      LinkedIn: http://www.linkedin.com/in/joemccray