August 23rd, 2004, 09:34 PM
What is this job title? (look inside)
What would you call a person who is "breaking" (with authorization) into companies to show exploits and weaknesses? I've kind of read that it is associated with forensics. But anyways, I work for a network product reseller and we are looking to expand more into the network security realm. What kind of training, schooling or certifications would this title need/require? The plan is to certify one of our guys so we can provide this service. I know there are alot of professionals on this site and would appreciate any guidance or info you could provide on this specific subject. Thanks in advance.
August 23rd, 2004, 09:46 PM
In my view, no certification is required for being a white hat! What you need a battle lab and a lot of time to learn! If you want to take a look at some certification, here a quick list of my personal favorite!
CERT : http://www.cert.org/nav/index_gold.html
Comptia Security+ : http://www.comptia.com/certification...y/default.aspx
Cisco : http://www.cisco.com/en/US/learning/...aths_home.html
MSCA : http://www.microsoft.com/learning/mcp/mcsa/default.asp
August 23rd, 2004, 09:50 PM
The title is Penetration Tester or words to that effect.....
The concept of "breaking into the security world" by getting someone "trained" is a little like taking a guy off a consruction site and making him into a world renowned artist.... Your chances are slim to none. Pen testers aren't just people who get shown how to use a few "tools", at least the good ones aren't.... They are people who, through their own love of "playing" with the system as a whole have an intimate understanding of it and from there can use imagination to find the holes that someone else might.... before they do.
Please rethink your companies direction.... You will be doing a dis-service to your future clients if you claim anything more than finding the "obvious" holes in their network......
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
August 23rd, 2004, 10:08 PM
Great information and links! This was an idea we were playing with and I understand your reasoning Tiger Shark. This is definitely something we need to rethink and find the right person, if it's possible. Thanks again for the quick and very helpful replies. Keep up the great work!
August 23rd, 2004, 10:51 PM
I second Tiger Shark. The primary title is Penetration Tester. It could also fall under Vulnerability Scanning / Management.
There are plenty of certifications. I am not sure that any one is better than another or "proves" that an individual knows something. I would maybe look for CISSP and/or CEH (certified ethical hacker) for starters. SANS has a whole slew of GIAC certifications:
In the end, I think you really need to do some due diligence and make sure that you have references of some sort to validate the skill set of the individual. Plus, there is always the trust thing. Before you hire someone to intentionally break in to your network you want to make sure you can trust them to stay within the scope of their assignment and not walk away with company trade secrets and such.
GIAC Security Essentials Certification (GSEC)
GIAC Certified Firewall Analyst (GCFW)
GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Incident Handler (GCIH)
GIAC Certified Windows Security Administrator (GCWN)
GIAC Certified UNIX Security Administrator (GCUX)
GIAC Systems and Network Auditor (GSNA)
GIAC Certified Forensic Analyst (GCFA)
GIAC Information Security Fundamentals (GISF)
GIAC IT Security Audit Essentials (GSAE)
GIAC Certified ISO-17799 Specialist (G7799)
GIAC Security Leadership Certification (GSLC)
GIAC Certified Security Consultant (GCSC)
EDIT : I just re-read the original post and I see I am off base a tad. You aren't trying to hire a penetration tester, you're trying to "be" one. Well, I have to go back and agree again with Tiger- a CEH certification might prove a little something in this regard, but very good hackers / crackers / penetration testers / vulnerability researchers / etc. have a passion and curiosity to match their intelligence and skill set. It isn't something that can be "taught" effectively. If it was, I would have taken the class by now.