Just as a side note, I have found more people with degrees in music or professional musicians working in IT than people with IT degrees.

As for becoming a professional penetration tester, I've found that a good understanding of the basics, and an ability to explain that information to management, is important. All the knowledge and abilities in the world won't do you much good unless you can explain what you've done.

I agree with the statement below: there are many ways to polish and develop the skills needed to do penetration testing. No matter where you get the basics and the skills to do penetration testing, understanding the data being protected is invaluable. It's the 'Security is a process' mentality you have to build and pass on to those you work with/for.

Basically, think of a penetration tester as being part:

Administrator (Unix and/or NT)
DBA (You are trying to get data, right?)
Programmer (especially a little C/C++/Perl)
Network Admin (a good understanding of IP, VLANs, etc.)
Security Admin (firewalls, IDS, sniffers)
Network Design (gotta be able to design a solution)
MBA (again, back to the business case)
Comedian (a good sense of humor always helps keep your sanity)
Politician (only for Tact - and no one shows it better - except maybe a military officer)
Technical Writer (you have to put together reports when you do the work)
Hacker (the good kind - you gotta like to tear things apart and see how they work... push the envelope and more)
Priest (ethics - I couldn't think of a better example - I'm sure there's one out there somewhere)
Lawyer (understanding of the basics of law - HIPAA, CIPP (CIAO), state laws regarding crime)
Detective (investigations are part of the job - including forensics)
Teacher (have to explain things to others/do presentations)

And while I'm sure there are other things that should be there, you need to have a basic sense of everything...
while you can specialize in almost any area, an overall understanding of everything makes you more valuable. Think of the CISSP - it's a test on 10 areas of knowledge and only 250 questions (and 6 hours). 25 questions per area. It's a broad spectrum of knowledge you are expected to know - back to the jack of trades. You can specialize, but then you really need a team to complement your skills in the areas you don't have (which is always nice).

It's hard work staying up to speed on the technology, business, and other advancements, but if you really enjoy what you do it all seems worthwhile at the end of a long day....

Good luck in pursuing your career!

Ed Spencer
MCSE/MCT/CNA/A+/Network+
Security Analyst - IS Security
Renaissance Worldwide, Inc. - Walt Disney World

-----Original Message-----
From: batz [mailto:batsyat_private]
Sent: Monday, June 18, 2001 12:00 PM
To: Jim Utkin
Cc: 'David Fuller'; 'Pen - Test List'
Subject: RE: How to become a professional penetration tester?

On Thu, 14 Jun 2001, Jim Utkin wrote:

:Being a security professional IMHO is the hardest specialty in
:Information Technology, you have to be good in almost every aspect of
:IT, but an expert at none.

Agreed, but with one additional comment. As a security professional, you have to understand the business needs for security.
In fact, you will probably find more security consultants with business administration or even MBAs than you will comp.sci backgrounds.

Whether this is a detriment to the field is still open to discussion, but as far as how to start: a good (capital 'H') Hacker can be a passable intrusion tester; a good strategist, administrator, or analyst will be a good security professional.

It's the difference between a technician and an analyst, which in my mind is about $40k.

--
batz
Reluctant Ninja
Defective Technologies

This archive was generated by hypermail 2b30 : Mon Jun 18 2001 - 18:07:22 PDT