I’ll be covering things like:
- Some of the various types of penetration testing jobs
- Education/Certification/Experience/Skill requirements
- Should I have a degree – if so, what type?
- Should I have certifications – if so, which ones?
- Should I have work experience – if so, what type?
- What skills should I have prior to applying?
- Do I need to be a good programmer?
- Where can I get these skills if I’m not currently working in the field?
- Security clearance requirements
- What are good key words to use when searching IT job sites for pentesting jobs?
- What to expect during the interview process
- I’m not in the US, where can I find pentester work abroad?
- How much money can I expect to make as a pentester?
- The good, the bad and the ugly…what the work is actually like day-in and day-out
Strategic Security, Inc. © http://www.strategicsec.com/
So You Wanna Be A Pentester
Presented By: Joe McCray
[email protected]
http://www.linkedin.com/in/joemccray
http://twitter.com/j0emccray
You Wanted To Be A Hacker
You Found Out You Could Do It Legally
Now The Only Question Is…
How?
Ok, so you wanna be a pentester
You wanna know what it takes to get into this game
There are 3 major things that you can bring to ANY job
• Education
• Certification
• Experience
Other intangible factors are relevant (ex: work ethic, willingness to learn, etc)
We’ll be focusing on the first 3 for this presentation, but we’ll cover the other areas as well later
Education
Should You Have A Degree?
Short answer – YES
Is it an absolute requirement – NO
Each year, however, it is getting harder and harder to get into this field without one
My Recommendation:
If you have the resources (time/money) – go for it!
Having it will never hurt you, but there will be cases where not having it will.
What Kind of Degree?
Short answer – Computer Science Degree
Is it an absolute requirement – NO
Will a degree such as an MIS, BIS, CIS or similar degree work – YES
Will a less technical degree work – YES, but you may have to supplement it with certifications and/or experience
Do I Need A Degree From A Big Name School?
Short answer – NO
Some companies look highly upon people that have attended high profile schools (ex: Harvard, West Point)
This is usually because they want access to the network you develop while attending that type of school.
They are looking for long term business development opportunities from you because of the network you’ll have developed.
Sometimes it’s because that’s just where they get most of their candidates.
My Recommendation:
As long as it’s not a flat out paper mill – you should be fine wherever you go.
How Do I Know If A School Has A Good Program?
Short answer – Most schools don’t have a good program
Most of the schools claim that their program will help you and often times that is flat out wrong.
Most Computer Science programs are too focused on learning your IDE versus learning to program, and even worse there is little focus, if any, on IT Security.
A lot of graduates of these “Information Security” degree programs can’t do trivial things such as (yes, these are real examples):
• Install a common server (Web, DHCP, File Server, etc)
• Create a simple unprivileged user in Active Directory
• Perform basic Linux commands (ex: list directories, read a file)
Can You Be More Specific – About Finding A Good Program?
Don’t sleep on Junior/Community Colleges – often times they have VERY technical instructors with real world work experience offering progressive programs at a low cost.
Verify (talk to actual students – not sales people)
Ask if they learned about (meaning actually did something with) the following tools:
• Nmap
• Scapy
• Burp Suite
• OllyDBG/Immunity Debugger
Ask to sit in on a class, and after the class talk to the instructor.
For good technical courses to use as a reference check out:
http://samsclass.info/
http://pentest.cryptocity.net/
Certification
What Certifications Should I Get?
EC-Council
• C|EH, ECSA/LPT
SANS
• GPEN, GWPT, GAWN
Offensive Security
• OSCP, OSWE, OSCE
The trend in the industry is to go after these certifications listed above
They are good, they are very helpful to have during the interview screening process
What Certifications Should I Get?
Networking
• CCNA, CCNP
Operating Systems
• MCITP (formerly known as the MCSE), RHCE, SCSA
Programming
• MCPD (formerly known as the MCSD), SCJD, OCA
Although security certs are important, your job will be to help people fix the security problems you find on penetration tests.
You’ll find great value in the certifications above when you actually get to the technical interview.
What Certifications Should I Get?
Networking
• CCNA, CCNP
Operating Systems
• MCITP (formerly known as the MCSE), RHCE, SCSA
Programming
• MCPD (formerly known as the MCSD), SCJD, OCA
You don’t need to have all of these certifications, but you really need to be able to show that you have these or close to the functional equivalent levels of knowledge of each of these certifications.
Trust me – this background knowledge is indispensable….
These Types Of Courses Are Expensive
These types of courses are expensive….duh!!!! – Way to go Captain Obvious!
Find schools that teach this and be prepared to open up your or your company’s check book.
If you are disciplined you can home study all of this stuff or build a lab environment at home heavily relying on virtualization to learn this stuff.
I’ll cover building a lab later in the presentation.
Experience
Chicken Before The Egg
You don’t have any experience, and because you have no experience no one will hire you.
Deal with it!
This is NOT going to change!
Get some experience or do something else
Yes I know it’s harsh, but it’s true!
Don’t worry…
I’ll give you some tips in a minute…
What are the most important skills to have or get?
Important Skills To Have
1. Network Pentesting
2. Web App Pentesting
In the world of pentesters there are a lot more people with “Network” experience than there are with “Web App & other App Related Experience”.
The web app, and other app related areas of pentesting are growing the fastest.
The network area is quite mature (Nessus is 15 years old), and quite frankly the market for NETWORK Pentesters is shrinking.
My Recommendation:
Learn network pen, but focus on Web App.
What’s A Good Measure Of Important Skills To Have
What’s a good measure of these important skills?
For Network:
You should be able to do everything here (and explain it):
http://www.offensive-security.com/metasploit-unleashed/Main_Page
For Web App:
You should be able to do every WebGoat level – and explain it:
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Being able to explain what is going on when performing pentesting tasks is absolutely critical.
Being able to articulate security issues and their respective fixes is a key skill.
Important Skills To Get
Web 2.0 (Ajax, Web Services, etc)
Mobile (generic mobile technologies, enterprise integration, exploitation, etc)
Cloud (IaaS, PaaS, SaaS and specifically how to interact with these technologies)
If your focus is to be prepared for the future of pentesting then you’ll have to get really comfortable with emerging technologies.
Where Do I Get Experience
This is the ultimate chicken vs. the egg dilemma
What I recommend you do is to volunteer as a contributor to an Open Source IT Security Project that interests you.
Go to http://sourceforge.net/
Find any IT Security project that interests you and volunteer to assist the developers.
- You can write code for the project
- Debug/Test the project for the developers
- Write documentation for the project (they will love you for this one)
This will put you in the right circles (networking), and give you some tangible/verifiable experience
Where Do I Get Experience
Shameless Plug
You can be an intern
Go to: http://it-security-professionals.com/blogs/joemccray/2013/05/cmon-rookies-lets-get-to-work/
http://it-security-professionals.com/become-an-intern/
How To Build A Home Security Lab To Get Experience
Build A Lab
1. Start with a virtualization platform (VMWare, VirtualBox, etc)
2. Install the most common OSs
• XP/Vista/Win7/2K8/Win8/2K12/Ubuntu/CentOS
3. Install the most common apps
• Java/Adobe/QuickTime/Flash
• Wordpress
• Joomla
• Drupal
4. Build an IDS (you’ll learn a lot doing this)
• Snort
• Suricata
5. Build a SIEM (you’ll learn a lot doing this)
• AlienVault
• RazorBack
What Should I Be Doing In The Lab
Foundation (Network/Web)
• Start with the SecurityTube.net megaprimers for Metasploit and Wireless
• Go through all of the levels in WebGoat
Weekly work
Go to the following websites each week. Download the latest tools and exploits each week and try them against hosts in your lab network
• Exploit-db.com
• Packetstormsecurity.org
Know that you may have to build new virtual machines just so you can attempt to run these new tools and exploits each week.
This is an important thing to do because this is what you’ll need to know when you are actually pentesting: what are the latest or most popular attacks, what apps or platforms do they target, and what do they look like on the wire (IDS).
What Programming Languages Do I Need To Know/Learn?
• An Interpreted Language
  • Perl
  • Python
  • Ruby
• Some exposure to modern enterprise development languages
  • .NET
  • Java
• I would recommend more focus on the interpreted languages (at least initially) because you’ll make your own life easier automating testing tasks.
• As you get more experience then yeah, I’d say to transition to .NET/Java because you’ll bring more value to your customers
What Programming Languages Do I Need To Know/Learn?
• If you are new to programming – start with an interpreted language first
• Perl, Python, Ruby
• Youtube is your friend – the best I’ve seen is from ‘thenewboston’
• Python: https://www.youtube.com/watch?v=4Mf0h3HphEA
• Ruby: https://www.youtube.com/watch?v=WJlfVjGt6Hg
• Perl used to be the exploit and tool development language of choice
• Now it’s Python and Ruby
My Recommendation:
Do 2-3 videos 3 or 4 times a week
Security Clearance
Do I Need A Security Clearance
Short Answer – NO
Will it help – YES
There is significantly more pentesting related work in the cleared space than outside of it. Something ridiculous like 5-8 times as much.
Easier to get/maintain if you are prior US military.
Difficult to get if you are a regular civilian. You will generally have to come to the table with significant skillsets for organizations to submit you for a clearance as part of the hiring process.
Basically, you’ll have to come in with a significant amount of (Education, Certification, Experience) that I’ve listed in the previous slides.
They will have to wait close to a year to get you – so you have to be worth it in their eyes.
I’ve Got An Issue – Not Too Sure I Can Get Cleared
Maybe you’ve done drugs in the past
Maybe you’ve been arrested before
Maybe you’ve had financial issues
Maybe you are not a US citizen yet
Although these are things that WILL raise issues during the clearance process, they are not flat out show stoppers
The key to the clearance process is they are looking for things in your background that someone may use against you to coerce you to give up secret information.
With the first 3 issues I listed – you are usually ok if that kind of stuff happened at least 5 years prior to your applying for a clearance.
What If The Security Clearance Includes A Polygraph
Generally your higher levels of security clearances will often require you to take a polygraph.
The types of questions they ask you get more intrusive the higher level of clearance you are applying for.
My Recommendation:
Don’t lie – no matter how bad whatever you did is, or how bad you think it is. Don’t lie!
They aren’t hiring for the boy scouts – having a checkered past won’t necessarily disqualify you, but lying about it will.
Where & How To Look For Work
Where Do I Go To Look For Pentest Work
Start with IT job sites
• Dice.com
• Monster.com
• Computerjobs.com
• http://it-security-professionals.com/jobs/
Important Lesson: Job Titles Vary Greatly
You may see titles like: IT Security Consultant, Information Security Engineer, Network Security Analyst, and many many more…
My recommendation: Keyword search for pentester tools
Metasploit, Canvas, Core Impact, Burp Suite, nmap, scapy
I’m not in the US – Where do I find jobs abroad
Finding Pentesting work outside of the US is much more difficult – much more who you know than in the US
Each country will have its respective IT Jobs sites and you should have a look there first, but nothing will be as fruitful as attending International IT Security and HackerCons
Check sites like:
• SECore.info
• http://infosecevents.net/calendar/
What Kinds Of Companies Can I Expect To Be Hiring Pentesters?
Defense Contractors
Federal Government (Department of <insert entity here>)
President Obama recently signed an executive order mandating more comprehensive IT Security programs for the federal sector (that means more pentesting in the coming years)
Financial Entities
IT Consultancies
Fortune 1000 companies often have an internal pentest group
Even After Doing Everything You Say I Don’t Meet The Job Quals
You need to understand that most of these job reqs are basically wish lists
Taken from a real job posting:
10 Years experience in IT
7 Years experience in IT Security
5 Years experience as a Penetration Tester
CCIE, RHCE, MCSE, C|EH, GPEN
Top Secret Clearance
Java, C#, Ajax, XML
For $85,000 a year….gimme a break
As a team lead - If I can find this guy the only thing I can offer him is my job.
I can’t give this applicant top money, and if he is that qualified…HE ALREADY HAS A JOB!
Even After Doing Everything You Say I Don’t Meet The Job Quals
You need to focus on what you bring to the table
Technical knowledge
• It doesn’t matter if it came from your home network
• It doesn’t matter if it came from volunteering to help an open source project
• It doesn’t matter if it came from being an intern
• It doesn’t matter if it came from playing in CTFs
Certifications
• It doesn’t matter if you took courses, or home studied them
Education
• It doesn’t matter if you didn’t go to a big name school
• It doesn’t matter that it’s not a CS degree
My Recommendation:
Focus on how you can help the company hiring you. Work ethic, documentation, willingness to learn, etc.
Even After Doing Everything You Say I Don’t Meet The Job Quals
We’ve all worked somewhere either for or with someone that wasn’t qualified to be there.
Obviously having the right qualifications isn’t a show stopper when it comes to finding employment.
How well you sell yourself is often more important.
What Should I Expect During The Interview
You can generally expect something in the area of 1-4 interviews
The most common process is something similar to:
• Initial Phone Screen
• Generic Interview
• Technical Interview
• On-Site Interview
What Should I Expect During The Interview?
People are generally most apprehensive about the technical interview
The biggest thing people need to understand is that you don’t need to get everything right.
If you don’t know the answer to a question – SAY YOU DON’T KNOW THE ANSWER
Interviewers usually just need to know where you are technically.
If you do know all of the answers – don’t be a jerk
What Are Some Questions I Should Expect On An Interview?
How do you get to Google.com? – be as explicit and detailed as possible.
The interviewer is looking to see you explain how an endpoint connects to a host somewhere on the internet.
Everything from ARP for the default gateway, to the local resolver, to the DNS lookup, to the redirection from http to https, to SSL session setup, to data transfer, to termination of the session.
If you want to see some sample pentester interview questions:
http://strategicsec.com/PentesterInterviewQuestions.pdf
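The chain the interview answer is supposed to walk through, done step by step with the Python standard library. This is an added example, not code from the slides or from Strategic Security: name resolution, TCP connect, a plain-HTTP GET, a check on the http-to-https redirect, TLS session setup with certificate verification, data transfer and session teardown. ARP for the default gateway happens inside the OS stack and is not visible from user space, so it is only noted in a comment. The local redirect server, its target URL and the hostname `127.0.0.1` are constructed stand-ins so the HTTP leg can be exercised offline; the `https_leg` function needs a real host and network access.

```python
# Added example (not from the slides): the client-side steps behind
# "how do you get to Google.com", using only the standard library.
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def resolve(host, port):
    """Local resolver / DNS lookup: (address family, sockaddr) of the first answer."""
    family, _, _, _, sockaddr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    return family, sockaddr


def build_request(host, path="/"):
    """Minimal HTTP/1.1 GET; Connection: close makes the server end the session."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def should_follow(location, expected_host):
    """Only follow a redirect that upgrades to https on the same host; a bounce
    to another scheme or host is something to flag, not silently follow."""
    parts = urlsplit(location)
    return parts.scheme == "https" and parts.hostname == expected_host


def exchange(sock, host, path):
    """Data transfer: send the request, read until the peer closes (termination)."""
    sock.sendall(build_request(host, path))
    raw = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break  # peer closed the session
        raw += chunk
    return parse_response(raw)


def http_leg(host, port=80, path="/"):
    """Plain-HTTP leg: TCP connect (ARP/routing done by the kernel), GET, read, close.
    Returns (status, Location header or None)."""
    family, sockaddr = resolve(host, port)
    with socket.socket(family, socket.SOCK_STREAM) as tcp:
        tcp.settimeout(5)
        tcp.connect(sockaddr)
        status, headers, _ = exchange(tcp, host, path)
    return status, headers.get("location")


def https_leg(host, port=443, path="/"):
    """TLS leg: TCP connect, handshake with SNI and CA/hostname verification, GET, close.
    Returns (status, negotiated TLS version, body length). Needs network access."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    family, sockaddr = resolve(host, port)
    with socket.socket(family, socket.SOCK_STREAM) as tcp:
        tcp.settimeout(5)
        tcp.connect(sockaddr)
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            status, _, body = exchange(tls, host, path)
            return status, tls.version(), len(body)


class _RedirectHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the http->https redirect, so the HTTP leg runs offline."""
    target = "https://127.0.0.1/"

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", self.target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_redirect_server(target="https://127.0.0.1/"):
    """Start a throwaway local HTTP server answering every GET with a 301; returns (server, port)."""
    _RedirectHandler.target = target
    server = HTTPServer(("127.0.0.1", 0), _RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_redirect_server()
    status, location = http_leg("127.0.0.1", port)
    print(f"HTTP leg: {status} -> {location}, follow={should_follow(location, '127.0.0.1')}")
    server.shutdown()
    # With network access, https_leg("www.example.com") walks the TLS leg for real.
```

Being able to name each of these steps, and say which layer it lives at and what a defender would see on the wire at each one, is exactly what the interviewer is probing for.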
How much money can I expect to make
How much you can make is heavily dependent upon:
• Job Location
• Job Title (level of seniority)
In most cases non-senior positions will range from $60-$80K USD
Senior positions can range anywhere from $120-$150K USD
How About Freelance Work
Freelancing as a pentester is even more difficult to get into (very who you know)
There is a lot of this kind of work, but you really have to know people.
Several IT/IT Security Consultancies get overloaded with work and will contract out to subs (usually 1099-self employed status)
They often need someone with the experience that can represent their company well so they generally hire other people that the pentesters already know.
You can also look on outsourcing websites
• Odesk.com
• E-lance.com
• Vworker.com
Know that the security testing projects on these websites tend to be very small, and often offer very very very very very very very very low pay.
I Want To Start My Own Pentest Company
I strongly recommend that you work at a consulting firm before you attempt this!
This is NOT for the faint of heart – you need to understand that you are running a business, and all of the things associated with running a business must be done well to have a prayer at success:
• Sales
• Marketing
• Finance
• Research & Development
• Operations
Most businesses fail because there is too much focus on Operations (the actual doing of the work), and not really that much thought is put into the other equally important areas
The Good, The Bad, & The Ugly
The Good
You get paid to hack! You get paid to hack! You get paid to hack! You get paid to hack! You get paid to hack! You get paid to hack! You get paid to hack! You get paid to hack! You get paid to hack! You get paid to hack!
Did I mention - You get paid to hack!
The Good, The Bad, and the Ugly
Documentation
Travel
Lack of training
Crazy Learning Curve
Going through the motions
The Bad
Documentation
As a pentester you will often find that nearly 1/3 of your time will be devoted to documentation.
For every 1 week pentest, there is usually 1-2 full days of the assessment dedicated solely to documentation
The Bad
Travel
This really depends on the person, and where you work.
Consultants tend to travel a lot. Often times more than 50% of the time.
Staff penetration testers don’t usually travel very much
Web Application Penetration Testers don’t usually travel very much
The Bad
Lack of Training
The industry moves so fast – you have to keep up with an industry that changes daily.
Even if you do receive a training class (ex: EC-Council, SANS, Black Hat) once a year
You’ll very quickly find out that this isn’t enough training – not even close
You’ll just have to get used to building/testing/practicing in your home lab
The Bad
Crazy Learning Curve
Even with all of the stuff that I’ve told you in this presentation, when you actually start working as a penetration tester you’re going to feel like you’ve been thrown to the wolves.
The first few months will be straight hell (especially if you are working for a consulting firm).
The work load is usually pretty heavy, and the learning curve is through the roof.
The Bad
Going Through The Motions
One of the complaints from long time pentesters is going through the motions.
Telling the customers the same things over and over and over:
• Use strong passwords
• Patch both system and 3rd party vulnerabilities
• Be sure to do input validation
• Be sure to do output encoding
The Ugly
The Ugly – Honestly there is no ugly
Honestly, I love the job. I’d be working at McDonalds if I wasn’t a pentester.
I’m pretty good at incident response, malware analysis, and several other IT Security skills, but at the end of the day I love pentesting.
Questions?
Contact Me....
Toll Free: 1-866-892-2132
Email: [email protected]
Twitter: http://twitter.com/j0emccray
LinkedIn: http://www.linkedin.com/in/joemccray