Comments on Carnal0wnage Blog: CEH/CPTS Certification != competent pentester

Anonymous (2008-04-14 09:42 -04:00):

As much as it pains me, I agree with Dean. I don’t mind agreeing with Chris though :)

If you're under-experienced, get someone who isn’t to help. I think that goes for anything, no matter what it is. InfoSec, development, site design, film making, drawing, whatever you're contracted for.

Now the hard part is making people do this. If someone can get a gig doing a pen-test, and then has to get in help, his take-home cash goes down. Not everyone is willing to take that hit just so that the client can get a good job. The client doesn’t know better (generally); that's why you're called in there in the first place. Greed is a good motivator. And if you go to someone and say “I have this and that cert” then they’re going to think that you’re pretty competent. Even if you’re not especially competent, it’s easy enough to throw lots of buzzwords at people and blind them with a science they don’t understand – and they think you know exactly what you’re doing.

The problem then is that they can get a service which is unprofessional, but they don’t know any better. Your chosen tool might not be able to find a hole which someone writing their own custom one or doing it manually would turn up. So in that scenario the client thinks that all is well, they had a pen-test and it was fine, no problems, when in actual fact they could be sat on a big hole in their system. A bit extreme I know, but it could happen.

Basically certs just mean you can remember things and write them down in an exam; that doesn’t mean that you can actually do real-world things, or that you can even remember them for a long time. Just that you can cram things in your head to spew out in a few hours’ worth of exams. Unfortunately a lot of people don’t seem to realise this. It doesn’t just cover InfoSec; this is all certs. Just having a computer degree doesn’t mean that I would employ someone in my team; I’d want to check out their skills first. Great, you have a degree/cert/whatever, you can research and learn stuff, but what can you actually do?

How you can get a client to only employ people who have a proven history, or how you can get every contractor to be professional, is a big feat. I can't think of an answer. It’s not like how if you want a tradesman (plumber, bricklayer, plasterer, whatever) you ask your mates or colleagues who they used for their jobs and if they were any good. Companies generally don’t talk between themselves to recommend things. If they did you’d have to be a little suspicious of whether or not your competitor was trying to stitch you up; this could be the competitive edge between companies.

Anthony Williams (https://www.blogger.com/profile/02720356501218887018) (2008-04-12 17:30 -04:00):

Chris/Dean

Both of you are so right I don't know where to begin! Now that InfoSec is "sexy" everyone with an IT background wants to be doing it. It seems this comes up about once a week when I'm on the phone with Joe McCray talking shop.

What we are always bewildered about is how these guys find business in the first place. I just can't call it; perhaps someone else can shed a little light on the subject?

Dean, great suggestion: if you are light on skills but heavy on ambition, then get some assistance from an expert who you can learn from. I would even extend this concept to different disciplines within the field, i.e., wireless, web applications, VPN assessments, etc. If you are skill-light in that area, don't hesitate to bring in someone with more experience to assist and provide guidance.

Anonymous (2008-04-11 23:34 -04:00):

Amen! Raise the roof!

dean de beer (https://www.blogger.com/profile/13744345182407258839) (2008-04-11 14:54 -04:00):

As Chris said, we have had this conversation a LOT. I'm sure others have too. I really don't see anything wrong with certs, but they DO NOT make a pentester or [insert career here].

It seems that security in general is 'cool' now and everyone wants to be doing it. This happens in a lot of professions I guess, but the issue is that instead of gaining experience or interning or even understanding that the cert does NOT give them the skills to perform a pentest, these folks are heading out and 'performing' these services for clients. Not only does this dilute the quality of professionals in this arena but, and more importantly, it does an incredible disservice to the client. They are approaching us to provide valuable data to them regarding their security posture and are walking instead with a false sense of security.

If a person who is just starting out is able to land a contract then great, but rather than do the work alone, hire or contract with someone else with a proven track record to do the work. That person may make less initially but their client will be happy and likely come back again. The novice pentester gains valuable experience and everyone is happy.

dean