Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Businesses Security IT

Ask Slashdot - Breaking Into Penetration Testing At 30 205

An anonymous reader writes I currently work for a small IT MPS in the Southern USA. Recently, my boss approached me about offering security evaluation and penetration testing to customers in our area due to the increasing number of regulations companies area are having to meet. My role in the company is that of a proactive systems administrator. I have strong troubleshooting skills, a moderate knowledge of Linux, and a strong grasp on Windows systems. My working knowledge of networks is a bit rusty, but I've started working on my CCNA again, and skill/knowledge of any kind of programming language is extremely lacking as I have slacked off in that department. However, I've been working with Powershell scripting, and have picked up some resources on Python. Where would a guy like me start? What can I do, as far as personal development, to give me a shot at building this "new department" within my company? Am I beyond hope?
This discussion has been archived. No new comments can be posted.

Ask Slashdot - Breaking Into Penetration Testing At 30

Comments Filter:
  • NMAP (Score:3, Insightful)

    by HornWumpus ( 783565 ) on Wednesday March 11, 2015 @01:35PM (#49235673)

    Have you run Nmap.exe ever? If yes, you are a fully qualified security expert.

    Seriously, nmap should let you find an unpatched internet facing system. Then you have a vulnerability to point at. Instant cred.

    Enough for you to learn while being paid.

    • Re:NMAP (Score:4, Insightful)

      by Anonymous Coward on Wednesday March 11, 2015 @02:09PM (#49235977)
      What parent said. Infosec, despite pretending to be this invite only club for h4x0rr k1dz 0n1y is anything but. Just get your cert (OWASP+CISP) and you're good to go. Literally just script kiddy stuff, ./metasploit and ./nmap and shitton of standardised process/good practice stuff.

      Most of actual h4x0rs are too much of primadonas to ever get employed and (somewhat rightfuly) despise certs as corporate snake oil. Still, having a sysadmin certed to have at least vague idea about keeping boxes patched/default passwords of appliances changed/not exposed open is a good thing.
      • Re:NMAP (Score:5, Informative)

        by valdezjuan ( 83925 ) on Wednesday March 11, 2015 @02:38PM (#49236173)

        And this is why there are a ton of shitty 'pentesters' out there who seem to mistake running nessus or nmap scripts as a penetration test. No, it's not 'secret' knowledge and can easily be learned if want to spend the time but running metasploit doesn't make you a pentester.

        Like defenders, pentesters generally need to find all the vulnerabilities (sadly many customers accept the first one which ends up being a scoping issue) and understand how to mitigate anything that was discovered/exploited. That requires an understanding of protocols, networking, applications, web frameworks, etc.. I have found that the best tend to have the capacity to think maliciously. IMO, that is a critical skill. I have seen far too many people that just don't understand why anyone would want to abuse a protocol, which makes them substandard pentesters.

        As for the original question, there are plenty of tools out there that can help you learn. Metasploitable, WebGoat, Kali, SamuraiWTF (disclosure, I am good friends with the lead for that), ZAP, Burp Suite (pro is great and super reasonable). If you have corporate funding, there are some decent trainings out there Offensive Security has their classes (and certs, I have heard mixed results). There is also SANS, which I have been increasing disappointed with but if you want a bunch of knowledge shoved in your head (at a pretty high dollar cost), they tend to do it. Also, some drift more towards network pentesting or application, personally, I think people should be versed in both (leveraging a remote code execution bug in a webserver is great unless you have no clue what to do within the OS).

        For cheaper options there are bunch of books that can teach you a ton of 'tips and tricks' around pentesting (web Hackers Handbook 2nd Edition is particularly good). Having a solid background as a sysadmin makes it much easier IMO (my background is similar), since you are most likely familiar with troubleshooting, networking, multiple OS's and what not.

        • Re:NMAP (Score:5, Insightful)

          by TheCarp ( 96830 ) <sjc@car p a n e t . n et> on Wednesday March 11, 2015 @03:02PM (#49236303) Homepage

          > leveraging a remote code execution bug in a webserver is great unless you have no clue what to do within the OS

          Time for a car analogy.... because otherwise you are like a carjacker who can't drive stick.

        • This

          Once we had a security audit, though I know I shouldn't have I ran a man in the middle on them and watched their packets, as I'd see them going places if I thought it was insecure I'd either bring the service offline or make it report garbage on their scans, to my knowledge they were never aware. They ended up dinging us on something stupid that wasn't even a vuln we had an out of date resource that was intranet facing and you'd have had to have physical network access to exploit it.
          • Re: (Score:2, Informative)

            by Anonymous Coward

            if I thought it was insecure I'd either bring the service offline or make it report garbage on their scans

            That is like hiding broken parts from your mechanic.

            • by cjb658 ( 1235986 )

              Sometimes companies have to have an audit done (e.g. PCI or HIPAA), so they'll just disable vulnerable services while the audit is being done and re-enable them. I've seen it happen.

        • Re: NMAP (Score:5, Insightful)

          by Redmancometh ( 2676319 ) on Wednesday March 11, 2015 @07:34PM (#49237911)

          I think these days the big security risk is layer 7. SQLi is still very common...especially 2nd order injection and injection into GET parameters. Admins know they need to sanitize POST/update/insert but they miss get/select.

          Wordpress is generaly run without htaccess rewrites on WP-plugins..an attacker enumerates your plugins and finds an exploit.

          Ive seen get parameters with filenames..oh yes thanks for letting me change that to web.config or ../../etc

          Client side filtering is another, equally hilarious issue. As joe mccray says "youre putting the filtering in the hackers browser which he controls...does that pass the common sense test?"

          The list goes on and on...its easy to patch everything else. Web apps on the other hand...are often written by the people in charge of the site.

          Nikto, BURP as you said; and ZED are faar more useful than metasploit now. Novices just dont know what to do with the info.

          And lets not forget sqlmap ;)

          • by ls671 ( 1122017 )

            You need a WAF these days. I use mod_security. It can save your arse from zero days sometimes.

            • I've actually gotten to the point where I think WAFs are absolutely useless. As far as WAFs go though I would recommend against mod_security, as fingerprinting it via it's helpful errors is a cakewalk.

              The upside to WAFs is that they prevent automated attacks...buuut snort's dynamic preprocessors seem to do this FAR better.

              Either way an IDS/IPS/WAF just isn't enough. In a non-automated attack bypassing them is trivial. Half the time I can simply use URL encoding for an attack string. Some poor WAFs don't eve

          • I think these days the big security risk is layer 7.

            Nope, that would be layer 8.

        • Spend some time viewing Defcon videos. If you don't understand everything, you may need training. If you don't know about attacking network printers or VOIP phone systems to get inside access from outside, study up.

      • Just download and install Kali Linux [kali.org] on a computer. If you get a laptop and want to test wireless, make sure to do a little research for the wireless chip in there to make sure you can put it into full promiscuous mode so you can sniff traffic. If it isn't built in you can buy usb ones that will work but do some research first.

        But seriously, this is one of the BEST ways to start learning pen testing, all the tools you need in one place.

        Install it and start testing on your own home network first to lea

      • by s.petry ( 762400 )

        Go ahead and run NMAP against a company. Even worse, go ahead and attempt to exploit what you find. After you get out of jail we can discuss why you were wrong in your advice and actions. Simply running nmap against someone is enough to result in at least one felony charge.

        If you ever bothered to read the preface to the CEH course, CISSP course, or any other certification for hacking you would this exact thing spelled out very clearly. White Hat hacking is mostly paperwork to cover your ass, not just ha

        • Against your own employer after being asked to? Coming from an internal IP address? RTFS

          I would get the order in writing.

          • From TFA Recently, my boss approached me about offering security evaluation and penetration testing to customers in our area due to the increasing number of regulations companies area are having to meet

            Does not appear to be internal testing from internal IPs that is the question now does it?

    • For the most part nmap and metasploit will not suffice to pentest corporate networks.

      Slightly less obvious things like WGETting wp-config.php, web.config, WebDAV methods enabled on the wrong dirs, using csrf+social engineering, fuzzing proprietary apps for stack overflows, etc.

      That part is a little hard...exploit development is the REAL hard part though.

      "Did this code get written into thr EIP register?" is hard to anwer remotely.

      --- security SME at a consulting firm

  • Seriously? (Score:5, Insightful)

    by Anonymous Coward on Wednesday March 11, 2015 @01:37PM (#49235693)

    At 30?
    You're young.
    Do whatever you want.

  • by ruir ( 2709173 ) on Wednesday March 11, 2015 @01:37PM (#49235705)
    If you a sysadmin have to ask that question, and as you say lacking in network skill, are you the most appropriate for that role?
    • Pretty much the general profile of an infosec...no programming experience, and a meager grasp of infrastructure.

      • Sadly this is too true. A lot of the shops out there don't understand mitigating controls or 'we tweaked a configuration so we aren't vulnerable, despite what the banner says and here's output from us actually using the exploit....see not vulnerable'. That's one of the major issues I have with PCI, it's far to common for the auditors to not understand the context of the controls, let alone how the network is configured. I remember having to argue with an auditor about how umask worked and sudo.

        When we evalu

        • by ruir ( 2709173 )
          Translated into layman terms, the tool gives you the output, the real knowledge is to contextualise it into the current ecosystem and knowing when it does not makes sense/is a false positive. Any monkey can run the tool.
  • by Muros ( 1167213 ) on Wednesday March 11, 2015 @01:39PM (#49235717)
    If you don't know where to start, try something like Kali [kali.org]. Have a play around with Metasploit as well.
    • If you don't know where to start, try something like Kali.

      Yes, exactly. Kali Linux has a huge load of tools. You might have to find information about how to use some of them elsewhere, but the tools are good.

  • Get certified (Score:5, Interesting)

    by xxxJonBoyxxx ( 565205 ) on Wednesday March 11, 2015 @01:40PM (#49235725)

    Get certified.

    >> my boss approached me about offering security evaluation and penetration testing to customers in our area

    Because it might at least mitigate the damage after your company get sued by customers who get hacked after you tried to learn on their dime. (Google "Target Trustwave"...)

    Seriously, if there's a real business opportunity in your market, your management should either hire an experienced guy/gal and/or partner with an existing firm. Then, you'd have the opportunity to learn along them...while picking up the certs you'll need to be credible when talking to other companies. (And if your management is too cheap to buy your security certs, that's a BIG red flag!)

    • Re:Get certified (Score:4, Informative)

      by jeffmeden ( 135043 ) on Wednesday March 11, 2015 @02:11PM (#49235989) Homepage Journal

      Get certified.

      >> my boss approached me about offering security evaluation and penetration testing to customers in our area

      Because it might at least mitigate the damage after your company get sued by customers who get hacked after you tried to learn on their dime. (Google "Target Trustwave"...)

      Seriously, if there's a real business opportunity in your market, your management should either hire an experienced guy/gal and/or partner with an existing firm. Then, you'd have the opportunity to learn along them...while picking up the certs you'll need to be credible when talking to other companies. (And if your management is too cheap to buy your security certs, that's a BIG red flag!)

      That's a bit overgeneralized. Trustwave is under fire because the breach in question was of a (supposedly) PCI-DSS compliant system, which Trustwave was partly responsible for setting up and validating, a basically impossible task when the system has that much surface area. So, the lesson learned is don't work on PCI-DSS unless the system is so small that you can personally verify each component yourself. I really doubt this anonymous company is going to be winning a contract with a major national retailer to install/validate a PCI-DSS network, considering many larger companies are already in that market with, you know, actual credentials.

      The takeaway should also be, before selling your service, get a lawyer (or a bunch of them) to draft a very detailed customer agreement to protect you. Also, get insurance just in case.

    • He has a point... chances are businesses asking for those services are looking at certification in a specific standard do to a contractual obligation. If you are not certified, then you shouldn't be offering that service.

    • I really don't see age as a qualifier for the question. If you want to be a MD at 60 go for it, let alone a Pen tester at 30. The biggest thing is to get certified. Personally I recommend CEH (Certified Ethical Hacking). Why? Because it will beat into your head how many laws you potentially break every time you do something, provides a rigid set of guidelines to follow to stay out of jail, and additionally demonstrates to potential customers that you have a clue.

      CISSP is usually better for Auditors, no

    • Do you ask a deer how to hunt deer? No, you ask a hunter.

  • by Fire_Wraith ( 1460385 ) on Wednesday March 11, 2015 @01:43PM (#49235749)
    One thing you need to keep in mind is that Penetration Testing isn't just about the technical aspects. You need to be up to speed on all the legal aspects, not just in terms of know what laws govern the particular industry/company you happen to be conducting a test for, but in terms of liability. You really don't want to wind up finding yourself accused of breaking the law, whether state or federal, in the course of your job - and without a degree of caution, that's certainly not an impossible thing.

    Remember, most of what gets done in any penetration test worth a damn would otherwise be illegal on any number of levels if you were doing it without the express authorization of the owner of those systems. Make sure you know what you're doing, and that the lawyers sign off on it first so that your company is covering your butt if anything goes bad.
  • by phantomfive ( 622387 ) on Wednesday March 11, 2015 @01:44PM (#49235761) Journal

    Where would a guy like me start? What can I do, as far as personal development, to give me a shot at building this "new department" within my company? Am I beyond hope?

    Learn to program, learn to hack. There are resources [amazon.com] available [amazon.com] for both. It will take years and it's hard work, but without that, you'll just be another consultant following a script.

    If you're not willing to take time and work hard, then yes, you are beyond hope for reaching this goal. Your best option in that case is to continue your current career path and just enjoy what you can of life.

  • by Anonymous Coward on Wednesday March 11, 2015 @01:46PM (#49235785)

    http://www.cybrary.it/course/advanced-penetration-testing/

  • Liability (Score:3, Insightful)

    by Anonymous Coward on Wednesday March 11, 2015 @01:54PM (#49235845)

    Your employer is going to be held liable/accountable if you miss a glaring hole in their information security infrastructure. I'm not saying you can't train to do this but I don't necessarily know that it's the kind of thing you can pick-up on the side or over a few weekends. I've dabbled in security over the years, am very familiar with *nix, worked in infrastructure as a sysadmin, am a fulltime well paid programmer and I am familiar with the variety of tools out there and I wouldn't consider myself for a role like this one. Too much risk.

  • If I asked you how you would send me a file over a public network and keep it secret, would your first question be; what type of file do you want to send?
  • OSCP Cert (Score:4, Informative)

    by Anonymous Coward on Wednesday March 11, 2015 @01:57PM (#49235865)

    I would say look at a cert like Offensive Security Certified Professional (Penetration testing with Backtracks) It's been a while since I did the curriculum I think it was worth it and learned a lot.

  • by the_B0fh ( 208483 ) on Wednesday March 11, 2015 @02:00PM (#49235905) Homepage

    If you do, take SANS 560. It's a good start, helps provide a framework, and fills in gaps in your knowledge.

    If you don't have funding, why bother (for your company - since you'll be making them more money).

    However, I'd recommend doing it on your own - learning is always good. But if your company won't fund your education, you shouldn't put in all that work to do it for them. If they will let you learn on company time, then, that's a different discussion (but that means part of your 40 hours will be dedicated to learning and breaking shit). And it will take months to get up to speed, since you won't have a mentor to help point things out to you.

    Ethical Hacker and all those other cheap certs are worthless. Books can be useful, but again, sometimes you need someone to point out the pitfalls, etc.

  • Its Never Too Late (Score:5, Informative)

    by Anonymous Coward on Wednesday March 11, 2015 @02:03PM (#49235931)

    Hi, I work in the general cyber security industry. I would advise against heading this type of project given your current lack of experience. Penetration testing largely involves running scripts and tools that are mostly automated, and then interpreting the results to determine how to proceed (running the scripts and tools again but against a more well defined target) and repeating until you are in. That is one part of it. A second part is analyzing a company's complete security posture, this involves more than the technical systems, it involves the people that run/maintain/protect the technical systems and analyzing how well they do (or dont) do that (how easy they fall victim to social engineering, who has a level of access that is unwarranted, where the weak points are in terms of people/policy/implementation, etc.

    I would not go into this with little previous experience. I would definitely hire someone with experience to be a part of this before proceeding.

    Now, on to learning. If you want to be competent in cyber security, you should know the following (this is my opinion, don't take this is gospel, compare my suggestions to others):

    Networking. Be intimately familiary with layers 1-4 of the stack. Know all aspects of TCP/IP (V4, V6 is still not widespread and will not be too hard to learn if you master V4). All aspects, not the basics, this is a necessity. You will not be able to identify that one odd TCP packet with a weird flags set or the malformed DNS request if you don't know what a normal TCP packet looks like.
    As a test, answer this question with an essay: "What happens when I open up a browser and type google.com and hit enter." (assume all caches are flushed on all devices, your own equipment and the network equipment you are traversing). If your answer is not very long, then you most likely are missing some of the interactions that took place)

    Tools. You need to know tools for analyzing network traffric, and diving deep into network traffic. Wireshark is one of the most popular programs for inspecting pcaps, get very familiar with this tool. Learn how to do the same sort of searching and poking about you do in wireshark with command line tools. Learn what BPF's are. Most useful security tools are *nix based. You absolutely need to become at least comfortable with operating out of the *nix command line (no gui) and know basic *nix tools. There is no way around this.

    Knowledge of python and shell scripting has been very helpful to me. You do not necessarily need to know how to program in python or in the shell script of your choice (though it helps bunches) but you do need at a minimum to be able to read and figure out what code is doing, and to make minor modifications to get programs to do what you need.

    Hacking. You need to know how hacking takes place. Not at the script-kiddie level of "run this and the system is hacked" but closer to the hardware level. Know how different hack attacks work, know what features or lack of features of the hardware/OS (things like DEP, ASLR, protectected memory pages/ring 0-3, userspace vs kernelspace) make the hacks even possible (buffer overflow, stack smashing, heap sprays, unsanitized inputs, etc). This requires some understanding of computer architectures.

    Become familiar with internet RFCs. Know what the popular options are for intrusion detection. Learn how to read snort signatures since there are many of them (when I say learn to read the snort sig, that means you can take a snort signature,understand what it is trying to detect, and then be able to write a rule or signature based off of that in whatever IDS system you are using, if you have something different/in addition to snort).

    Read alot. Do whatever work in the field you can. Learn. Don't stop learning, because the adversaries are not, and your intimate knowledge of computer security Circa 2014 is not going to protect you or your organization from the new hacks happening now. (lots of hacks are recycled and reused long after they have been patched/mitigated (due to poor patch managment/security procedudes), so knowing what was happening in previous years does help alot, but still never stop learning)

    • by Minupla ( 62455 )

      A good coverage of the technical stuff, I'll add some of my personal thoughts on "how to get there".

      1) There is a community out there, find your place in it. Go to conferences, look for local meetup groups.

      2) Become comfortable with PEOPLE. Many technical people are not, but you will be a LOT better at your job if you are. People build systems, people break them. A computer never wakes up in the morning and decides to hack something. If you understand people, you can guess what shortcuts they'll take a

  • Ignore them people saying your lack of programming "freshness" is a barrier. You could be the best/most productive programmer around here and still have no clue where to start digging for useful, relevant exploits you could abuse in any particular system you seem to be an expert in.

    With that said, what you want to do is get yourself involved in the latest articles about zero day exploits, trojan horses, patch fixes, heartbleed, so on a so forth. You can get started right here on slashdot: any single search

  • by bsDaemon ( 87307 ) on Wednesday March 11, 2015 @02:05PM (#49235951)

    SANS training is pretty good, if you have the money (or can get work to pay for it). They start at the very basics and go up to advanced pen testing, reversing, etc.

    Offensive Security has some good free tutorials and paid training, including lab work, for their OSCP/OSCE series of certifications.

    Skip the CEH. I don't know anyone who takes that seriously, even if they have one. It's basically just an expensive way to prove you know netcat.

    • CEH is only a couple hundred bucks. Sure, having it doesn't mean you are an expert, but lots of paying "customers" like to see that kind of thing. And you can pass it in an afternoon if you have the skills.

  • by mean pun ( 717227 ) on Wednesday March 11, 2015 @02:06PM (#49235959)
    It's already started, but you could try 'Software Security' from the University of Maryland: https://www.coursera.org/cours... [coursera.org]. At least it gives a solid foundation.
  • You have limitations. Bad. You're aware of them. Good. Better than good, top quartile.

    When you put the scare quotes round "new department" is that meant to imply that you're expected to do it all yourself? Hoping that's not the case, then the question comes down to what kind of person to recruit. If you're a Rolls, find a Royce. You'll get some management experience if nothing else.

  • Jeezus, you're 30 and you're thinking you're too old to learn something new? WTF??? That's the wrong attitude dude!

    I'm not going to entirely out my age, but I began my pen-testing career at age 42 - you must think I'm a wrinkled old grandpa; but I'm not.... :P

    Tell your boss you'll do it, but only if he sends you to several SANS training events, or at least coughs up for some SANS Ondemand training, then do the trainings, get the CERTS and rock and roll baby! SANS will get you up to speed on what yo
  • Mindset (Score:4, Insightful)

    by Bender0x7D1 ( 536254 ) on Wednesday March 11, 2015 @02:48PM (#49236207)

    Probably the most important thing is to have the mindset for penetration testing.

    You are no longer trying to keep things up and running, and making systems usable; you are looking for all of the ways to make things break in new and interesting ways. You have to think creatively - you have to think about what the system/network admin missed and/or how "best practices" fail in a given situation/on a specific system.

    That's why a deep technical understanding in a lot of areas is very helpful - you learn how things interact, and how failures can occur in different areas. For example, does a software package add a user? Does it open a network port? How does it handle permissions? How is authentication done? How do systems rely on the network? How does the network rely on various systems (like a DNS server)? The more you know about all of the interactions between the system(s) and the network, the more attack vectors you can come up with.

  • If you think your career is finished at 30 you either don't have the technical savvy to succeed or need to get a little self confidence

    I'm a 29 year old non-OS programmer who is learning Linux device drivers. My boss didn't ask me to learn it -- I told him I had to in order to continue doing my job. Get some textbooks, create a test/development environment you can use where you won't break anything, and go buckwild.
  • The Open Web Application Security Project [owasp.org] website is a great place to start browsing from, to investigate both pen testing and secure development.

    I would also recommend getting some familiarity with the PCI DSS standard [pcisecuritystandards.org]. It is aimed at companies involved in online payments (and a bitch if you have to prove compliance.) However when used as a descriptive framework rather than a prescriptive one, it's great foundation for planning a company's IT security aspect.

    I'm sure there's a bunch of other security stand

    • I would also recommend getting some familiarity with the PCI DSS standard.

      PCI DSS is full of bad advice. Codifying specific technical measures, going off the deep end with dual control and unrealistic password management begging 4 proliferation of sticky notes and even promulgating dangerous advice on application of one way algorithms with inherently low entropy data.

      It reads like a book of common wisdom written by someone who read security for dummies and now thinks they know everything.

      Security standards for specific purposes tend to be so soaked in political calculations the

  • by engineerErrant ( 759650 ) on Wednesday March 11, 2015 @04:10PM (#49236725)

    The software industry just isn't a place for changing direction or starting new things. I mean, come on - learning a new skill is disloyal to the older skills. If everyone just learned things willy-nilly, who would sort the punch cards anymore?

    Just keep your head down - you probably only have 2 or 3 more good typing years left before you're too old to sit up or retain bowel control.

  • by tlambert ( 566799 ) on Wednesday March 11, 2015 @05:19PM (#49237075)

    It's useless to learn pen testing... unless you also learn "pen fixing".

    It's totally useless to know that there are problems there, but now how to fix them.

    It's like going to a doctor, they tell you they have bad news and good news. The bad news is that you have cancer. The good news is that they scored 5 under par during their last round of golf. The second piece of information doesn't help resolve the first one. Unless you treat any disease you find, you haven't helped them, you've only made them feel like crap about something they can't do anything about on their own.

    Typically, you want a "defense in depth" strategy, which means firewalls, DMZs, the whole nine yards. But learning how to use script kiddy tools to get in is not going to teach you the skills you are going to need if you want to keep someone else using those same script kiddy tools out.

    It takes an almost entirely different mindset, and it does, in fact, take real skills -- almost the same skills you'd need to write those tools yourself, in order to write the code necessary to fix the problem so it can no longer happen. In other words, you not only have to know how the tool is getting in, to keep the tool from getting in. This can require substantial knowledge in systems and network architecture, and, if the way the tool happens to get in is via SQL injection, cross-site scripting, etc., etc., you will likely have to *minimally* know enough about the technology that's being exploited that you can fix it.

    This is not the job for a single individual; it's a job for a team of at least several people (if they are incredibly good), or potentially a *lot* of people, if they are individually specialized to the point of being narrowly focussed in being able to go deep in only one or two areas.

    The best advice I could give you is advice you are no longer able to take: learn this stuff while you are a minor, and unlikely to be put away for a felony, or learn this stuff prior to the electronic trespass laws going into effect in the mid to late 1980's. Both of these mean you've missed your window on getting a broad base of experience on a lot of disparate systems, of the type you'd be asked to pen test (or subsequently "pen fix").

    Unless you are really wealthy - or your company is - and you are able to set up a lot of systems which, when you hack them, there's no risk that you'll end up in jail.

    Other than that - there's some training available, but if you want to fix the problems you find, you have to think about systems as a gestalt, and you'll have to learn about networking and at least some types of programming, probably in considerable depth, to make up for your inability to legally acquire breadth, and then hire people to get breadth on your team.

    Alternately, realize what I did the first day of kindergarten: I didn't want to go back after the first day "because they would not give me reading, writing, and arithmetic". In other words, this is not knowledge that someone can gift you with, it's knowledge that you'll have to fight to acquire, and it's not going to be easy for you.

  • First off, start playing. Grab a free VM tool like VirtualBox, load up some raw Linux and Windows VMs in it, launch Kali, and start poking around. Break things, but in a manageable, recoverable, legal way. Never, ever, ever poke at something where you don't have written permission from the owner. If you want something a little less random, Lamp Security had some guided CTF exercises out there a few years ago that took you through the pen test process.

    Look into formal training. In my experience, SANS has som

  • Just do what everybody else does.

    Run Nessus on their stuff, put your name in the report, re-arrange a few things, and charge them $2500 for the "penetration test scan"

    For extra bonus points, let it get caught in an infinite loop and submit the contact-us form 543,200 times before noticing it.

  • by Tom ( 822 ) on Wednesday March 11, 2015 @06:27PM (#49237487) Homepage Journal

    Am I beyond hope?

    Yes.

    But not because you lack technical skills, those can be learnt. You're seriously working for a boss who thinks that he can turn a sysadmin into the head of a pentesting department by telling him to make it happen?

    There's a lot that goes into a good pentest, and a reason that there are entire companies staffed with people who do essentially just that. It's not something you learn with a book on a few weekends. If your boss doesn't understand that, the result will be a disaster. And we already have too many people out there selling the printout of a Nessus scan as a penetration test.

    What other comments said is spot on. Your boss needs to hire an experienced pentester, period. If he doesn't want to do that, there's no chance you'll be heading a pentesting department anytime soon.

  • Have you considered offering PCI Compliance rather than pen testing? While there are guidelines its a lot easier of an industry to break into without prior experience. A good pentesting service can test a really wide variety of things - a company that I used to work for would not only do the standard scans/attacks with ~40 different commercial and free tools, but also social engineering tests, mailing people usb sticks with autorun exploits, and stuff like that. I didn't get the specifics, just kind of the
  • Python is a good language to start with. There are some Python books for pen test you should look for. It would be best to get a full grasp of the language with the ORiley tome. As you are Windows-centric, you have the best development environment available to you: Visual Studio. Download the free version and then install Python Tools for Linux. There is a Microsoft Virtual Academy (MVA) course to get you started.
  • If you are passionate about the subject, it shouldn't take more than half a year to come up to speed. You will not be doing original research, just using existing tools. Your scripting background should come handy here. Furthermore, satisfying legal regulations may be more about ensuring patches are installed and best practices are followed. Again, not too far from system administrations. Relax and go for it.

  • Your company needs to have proper penetration testing done. Hire/contract someone to do it.

    This is one of those areas of computing where it is not a good idea to learn as you go and build up the skills and experience in-house, because any mistakes you make are going to leave the company liable and possibly cost them some serious money.

    If you want to learn about it on your own time and play with the corporate systems to do it, and they have no problem with you doing that, then by all means go ahead and

  • It may not necessarily be easy, but if it's something you really want to do, don't let the naysayers dissuade you.
  • Penetration testing and vulnerability scanning are not the same thing.

    It's not difficult to make vulnerability scanning a "value add", and then consult on how to fix the issues found. It's also a way to get your foot in the door to do more work, if you can create a good relationship with the client. Vulnerability scanning is reasonably easy (there are online services that you can resell). It's a good place to start, while you ramp up your skills.

    Penetration testing is considerably more technical, and it

"I don't believe in sweeping social change being manifested by one person, unless he has an atomic weapon." -- Howard Chaykin

Working...