
Thread: Penetration Testing Internship

  1. #1
    Senior Member
    Join Date
    Sep 2003
    Posts
    137

    Penetration Testing Internship

    Hey all,

    Just wanted to get some outside opinions.

    I am really trying to get deeper into the career field I am shooting for (penetration testing) and need some friendly advice from the antionline team.

    I have gone the certification route and have most every major certification, great, kudos for me. But where I stand now is that I have all the concepts and a great understanding of security in general but for me to enter into the penetration testers realm I need to take it to the next level.

    I currently work on pen testing my work environment, with permission of course, but it seems unfair since I administer it...lol. Easy for me to cheat if I wanted to I guess. I am the CIO and network admin for the company, not in a full time pen tester position.

    I guess what it comes down to is this:

    1. What can I do that will allow me to work on pen testing on live systems as an intern to grow my skills?
    2. What can I do to help me learn all the form and procedures that expose me to the business side of the field?

    My first thought was to find a mentor that will allow me to shadow them and I can gain lots of knowledge that way, but I have not been able to secure that goal. Basically someone I could assist as an intern to help them perform pen tests, legally of course, and gain a deeper appreciation for the field.

    Any ideas or thoughts? I have already set up a home lab and have been using that to test concepts on, but nothing beats the real experience and references that I can proudly put on my resume.

    I wish there was a site like www.penetrationtesterinternslookhere.com or something, but no such luck. lol

    Any advice is much appreciated as I really respect the AO community!
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
    -Kruptos

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    I don't think you'll find a "pen-testing internship" so to speak... It's not really that sort of industry... most Pen Testers that you'll find are private or small businesses... it's not a big business or even medium business field... I have a couple of buddies in the field and in the past have dabbled in it, I'm hoping to again in the future as well... It's a side project for me really... The experience you gain will really be what helps you... and getting that without being involved isn't the easiest...

    I would suggest you make use of your connections as CIO... find others in your position and offer to provide free basic level pen-tests... friends that are willing to allow you to do it... Just make it known to them that you aren't the most experienced and that's why you're offering to do it...

    Other than that, apply to pen testing companies in your area or places you're willing to relocate... if someone hires you you can gain on the job experience..

    I've got a few questions for you..

    1. What certs do you have... Many of the certs out there (MCSE comes to mind) are considered to be a joke to many of the pen testers I know and they don't really deal with people who have some of them... Others.. CISSP (for example) are still considered a joke.. but you get it because many companies will only hire pen testers who have that cert.

    2. What experience do you have thus far on the security side.

    3. What sort of area do you live in?? Big city, small town, in the middle... The bigger it is the more likely you are to find something of interest.. that will assist you.. training classes, etc.

    4. What's your current employer like... Could you slightly take advantage of them?? Have yourself sent to a few conferences or training groups... Maybe take some of the SANS courses or some of Immunity's stuff...

    Just some ideas...

    Peace,
    HT

  3. #3
    Considering the risks involved... you're better off finding any internship in IS/IA and working from there... there are no neurosurgeon internships for the same reasons.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Each spring we offer an internship to the top ranked IS student from the state university. That practice has just changed and we now open security internships so that anyone can apply.

    That said, our internships last up to 12 months and are unpaid positions. If you're interested in something like that, hit me offline. I am the one who teaches security interns (and professionals) how to properly pen test systems. I've been doing it for more than a decade.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Senior Member
    Join Date
    Sep 2003
    Posts
    137
    Hey all, thanks for the feedback :-)

    To answer your questions HTRegz:

    1. I currently have ISC2 SSCP, MCSE, MCSA, CCNA, CIW:Security Analyst, C|EH, Linux+, Security+, i-Net+, Network+, A+ and half of my CCNP. I have several years experience in the IT field also to help back that up. I realize that certifications are great in the aspect that I went through the trouble to get them, but nothing replaces hard fast experience. I got all the certifications while I was an IT instructor at a technical school, they were free so I took them :-)

    2. Experience on the security side is limited. I currently maintain my own network, only 2 servers and about 10 users. Firewall, network streaming, backup all the normal sys admin duties. I also do penetration testing on my own network, but as I mentioned earlier it's hardly fair to the network since I know it already...lol.
    I also periodically do HIPAA Security Rule audits for some small practices in and around San Antonio. My company's customer base isn't so large that I could do them every day. I got into HIPAA when I was the network admin for a Medical Claims *************. Outside of that is just research online, and mainly passive stuff.

    3. I live in San Antonio, Texas, not really the IT mecca. As for education, I am pretty self sufficient when it comes to sitting down and learning new concepts. I used to write curriculum for the Tech school I worked for.

    4. My employer is pretty cool. I am the CIO for my company, but we are only about 10 people small. The CIO title is more an organizational title for me than anything. I am mainly the IT Director. We are in the VoIP Telephone market, and they brought me on to support that side of the business and try to grow a network support offering. Not going too good, it seems no one in San Antonio wants to pay for network maintenance until something breaks...lol

    I have the power to define where we go on the IT Support side since I am the only one here who knows about the Data side of networking. I am trying to avoid going out and fixing end user problems like printers and small stuff and trying to get the business to go the route of HIPAA Audits/Education and Network Security Consultation/Implementation.

    I have some flexibility with training and attending events. I am taking the week off in July to go to Black Hat 2006 and Defcon 14.



    I hope this helps with some of the questions you had, any advice is much appreciated :-)
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
    -Kruptos

  6. #6
    Senior Member genXer
    Join Date
    Jun 2005
    Posts
    252
    Here are a few ideas - not looking at an internship, see below for that - but on a job as a penetration tester:

    1. Check out the audit firms that have IT auditors. These firms usually only go so deep, mainly business application audits, but there are also others that go down into the infrastructure.

    2. Check out companies with an internal audit division and see if they have IT auditors and if they pen test.

    Also, from my experience, companies tend to go about 50-50 on certs right now. They want the formal degree, and the certs and on-going education - the cheaper, but best quality, the better. The certs are a great way to get noticed, and get an interview, but it seems they also want people to be very flexible in picking up new or old technologies. Also for pen testing in the private sector, and I would surmise in the government as well, the interpersonal skills are crucial for pen testers, management expects you to be able to interface with all levels of staff and management, in regards to IT experience - don't make people feel dumb, and explain your results in regards to risk to the organization and its functions.

    Management views certs, either if you have them or are working to get them, as a commitment to your on-going life learning and professionalism, however, as Miguel de Cervantes stated in Don Quixote "The proof of the pudding is the eating."

    For the internships, as others have stated, it is hard to find. If I lived in the area where TH13 does, I would sign up for their internship today! However, I remember seeing this old bit from insecure.org and thought to share:

    http://seclists.org/lists/pen-test/2001/Jun/0102.html

    When you go to the conferences, I would presume you will be networking with ppl to further research this topic. Good luck!
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.

  7. #7
    Senior Member
    Join Date
    Sep 2003
    Posts
    137
    genXer,

    Thanks for your feedback and the information you provided. I think you hit it on the mark. I agree with many of the things you stated. Thanks for the article from Fyodor :-)
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
    -Kruptos

  8. #8
    Senior Member
    Join Date
    Mar 2004
    Posts
    113
    Hey,

    From what I understand, you are looking for an internship. If that is the case, then you can apply to companies like Deloitte and Touche, E&Y. There may be other companies as well. I don't know much about D&T but they have a huge lab in San Francisco. About E&Y: They have Advanced security centers (ASC) where they hire out college grads/experienced professionals for conducting penetration testing. I am sure you can get the contact information/e-mail address from any job website.

    Forgot to mention: E&Y conducts penetration testing for many companies. So it is not in house.

    I hope this helps.

    MRG.
