RE: How to become a professional penetration tester?

From: Spencer, Ed M. -ND (Ed.M.Spencer.-NDat_private)
Date: Mon Jun 18 2001 - 13:44:57 PDT


    Just as a side note, I have found more people with degrees in music or
    professional musicians working in IT than people with IT degrees.
    As for becoming a professional penetration tester, I've found that a good
    understanding of the basics, and an ability to explain that information to
    management is important.  All the knowledge, and abilities in the world
    won't do you much good unless you can explain what you've done.
    I agree with the statement below: there are many ways to polish and develop
    the skills needed to do penetration testing.  No matter where you get the
    basics and the skills to do penetration testing, understanding the data
    being protected is invaluable.  It's the 'Security is a process' mentality
    you have to build and pass on to those you work with/for.
    Basically, think of a penetration tester as being part:
    Administrator (Unix and/or NT)
    DBA (You are trying to get data, right?)
    Programmer (especially a little C/C++/Perl)
    Network Admin (a good understanding of IP, VLANs, etc.)
    Security Admin (firewalls, IDS, sniffers)
    Network Design (gotta be able to design a solution)
    MBA (again, back to the business case)
    Comedian (a good sense of humor always helps keep your sanity)
    Politician (only for Tact - and no one shows it better - except maybe a
    military officer)
    Technical Writer (you have to put together reports when you do the work)
    Hacker (the good kind - you gotta like to tear things apart and see how they
    work... push the envelope and more)
    Priest (ethics - I couldn't think of a better example - I'm sure there's one
    out there somewhere)
    Lawyer (understanding of the basics of law - HIPAA, CIPP (CIAO), state laws
    regarding crime)
    Detective (investigations are part of the job - including forensics)
    Teacher (have to explain things to others/do presentations)
    And while I'm sure there are other things that should be there, you need to
    have a basic sense of everything... while you can specialize in almost any
    area, an overall understanding of everything makes you more valuable.  Think
    of the CISSP - it's a test on 10 areas of knowledge and only 250 questions
    (and 6 hours).  25 questions per area.  It's a broad spectrum of knowledge
    you are expected to know - back to the jack of all trades.  You can specialize,
    but then you really need a team to complement your skills in the areas you
    don't have (which is always nice).
    It's hard work staying up to speed on the technology, business, and other
    advancements, but if you really enjoy what you do it all seems worthwhile at
    the end of a long day....
    Good luck in pursuing your career!
    Ed Spencer
    Security Analyst - IS Security
    Renaissance Worldwide, Inc. - Walt Disney World
    -----Original Message-----
    From: batz [mailto:batsyat_private]
    Sent: Monday, June 18, 2001 12:00 PM
    To: Jim Utkin
    Cc: 'David Fuller'; 'Pen - Test List'
    Subject: RE: How to become a professional penetration tester?
    On Thu, 14 Jun 2001, Jim Utkin wrote:
    :Being a security professional IMHO is the hardest specialty in
    :Information Technology, you have to be good in almost every aspect of
    :IT, but an expert at none.
    Agreed, but with one additional comment. As a security professional,
    you have to understand the business needs for security. In fact, you
    will probably find more security consultants with business administration
    or even MBAs than you will comp.sci backgrounds.
    Whether this is a detriment to the field is still open to discussion,
    but as far as how to start: a good (capital 'H') Hacker can be a
    passable intrusion tester; a good strategist, administrator, or analyst
    will be a good security professional.
    It's the difference between a technician and an analyst, which in my
    mind is about $40k. 
    Reluctant Ninja
    Defective Technologies

    This archive was generated by hypermail 2b30 : Mon Jun 18 2001 - 18:07:22 PDT