1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Penetration (Pen) testing

Discussion in 'Computer Security' started by Asterix, Jan 5, 2012.

  1. Asterix

    Asterix Megabyte Poster

    512
    9
    52
    Hi Guys,

    from speaking to some of our clients pen testing is now becoming a quarterly or twice yearly service, and the costing of this is quite considerable. Thinking that we could offer a service like this easily, we are immediately faced with the problem of gauging what is required, and what the client report generally gets from these reports.

    Does anyone have any previous experience of performing pen tests who could give me some pointers, or any old pen test reports (with company details removed) that they could provide me with?

    Kind regards,
    Asterix
     
  2. wagnerk
    Highly Decorated Member Award

    wagnerk aka kitkatninja Moderator

    10,831
    357
    341
    I have to say that this is something else I'm looking into (man, I sound like a broken record) after Computer Forensics.

    You may want to check this site out as it has a free e-book as well as an example of a Pen Test report.

    As for certifications, examples would be:
    GIAC Penetration Tester
    Offensive Security Certified Professional
    CISSP & SSCP
     
    Certifications: CITP, PGCert, BSc, HNC, LCGI, PTLLS, MCT, MCITP, MCTS, MCSE, MCSA:M, MCSA, MCDST, MCP, MTA, MCAS, MOS (Master), A+, N+, S+, ACA, VCA, etc... & 2nd Degree Black Belt
    WIP: PGDip
  3. Asterix

    Asterix Megabyte Poster

    512
    9
    52
    Thanks mate, very useful - although it would still be very useful to get a few real world reports from different resources to review
     
  4. wagnerk
    Highly Decorated Member Award

    wagnerk aka kitkatninja Moderator

    10,831
    357
    341
    Keep your eyes open, every now and again there are companies/organisations that offer a free Pen test against one or two or your servers. Unfortunately I miss the last offer a couple of months ago by 2 weeks :(

    I'll see if I still have their details, if I do I'll PM them over then you can keep your eyes open for their next offer.
     
    Certifications: CITP, PGCert, BSc, HNC, LCGI, PTLLS, MCT, MCITP, MCTS, MCSE, MCSA:M, MCSA, MCDST, MCP, MTA, MCAS, MOS (Master), A+, N+, S+, ACA, VCA, etc... & 2nd Degree Black Belt
    WIP: PGDip
  5. wagnerk
    Highly Decorated Member Award

    wagnerk aka kitkatninja Moderator

    10,831
    357
    341
    You may also want to check out Sec-1 training, my first IT Manager (when I first got into IT) went on their courses and said how good they were.

    PM Sent
     
    Certifications: CITP, PGCert, BSc, HNC, LCGI, PTLLS, MCT, MCITP, MCTS, MCSE, MCSA:M, MCSA, MCDST, MCP, MTA, MCAS, MOS (Master), A+, N+, S+, ACA, VCA, etc... & 2nd Degree Black Belt
    WIP: PGDip
  6. Asterix

    Asterix Megabyte Poster

    512
    9
    52
    Hmmmm i dont think we are at the stage where we are looking for training yet, more investigation, although the course does look interesting thanks

    Thanks for the PM, ill keep my eyes open for any promotions :D
     
  7. Monkeychops

    Monkeychops Kilobyte Poster

    286
    15
    25
    I have been a pen tester until very recently, for a short period, and whilst not currently a tester am still involved heavily. If you have any specific questions then fire away.

    What I will say is that when people are looking for someone to perform tests for them if they are generally looking for the big/main pen testing certs that are recognised by government/cesg, in this country anyway, if you're offering this as a service to customers.

    http://www.cesg.gov.uk/products_services/iacs/check/index.shtml

    You're talking Check, CREST or Tigerscheme which can both get you Check equivalent status. Anything else isn't worth looking at to be taken seriously imho, and even then I know Tigerscheme isn't looked upon too favourably by a lot of the leading companies as you can just go on a course for it, but it's a potentially easier route to Check status....

    Imho CREST is the one to have, start off as a registered tester before moving up to certified tester.

    I was planning on the CREST route until I changed jobs, liked the work though and would still like to be doing it....

    You might struggle finding copies of real tests, not something companies usually want out in the wild ;)

    What I'll say is there's a lot to testing, it's not just running a vuln scanner and nmap :p

    There's more to it than just the technical skills, you've got the whole process from the initial engagement discussions, scoping, testing, reporting. Then depending on what kind of service you're offering you might also be involved in the remediation activities and then retesting.

    As said any specific questions fire away.
     
    Last edited: Jan 19, 2012
    j666gak likes this.

Share This Page

Loading...