BA Computer Science TESC
#14
Yeah I am the guy that gets the pen test report at my company. We have pen tests yearly and enterprise security wants to go to quarterly but we just don't have time to remediate all the items found on that schedule. Security compliance is an annoyance to most project managers who have other projects they are behind on anyway.

The pen test people start out by doing footprinting. They will determine as much info as possible about the company via whois, google and your own site map and any bios they find on the site. Then they click around your pages, check the html source for telltale signs of technology. You can pretty easily determine if the site or web app was built using java struts, asp.net v 1-4, jsf, coldfusion, php etc or some content management system. If they determine that it was a content management system that is outdated and they go to that content mgmt system's site and find out that the latest version fixed a horrible security hole, they will attempt to exploit that hole.

Things they look for are the ability to cause a denial of service attack on the site, or to deface the site, or to craft a url to send to someone in an email that makes it look like it's coming from your trusted site but once you click the url you go to their hacker site. That is a blind redirect.

They come up with all this and put it into a nicely formatted pen test starting with an executive summary and listing the items in order of importance. They describe the problem, the risk, how to reproduce it and sometimes suggest a way to mitigate that risk.

Then someone like me reads the pen test, determines the level of effort to fix the items on the list and sends that to management. Management then bargains with enterprise security on resource allocation.

Finally I get assigned a project to fix the ones under my umbrella and I may have to work with other teams to help them fix their issues.

The pen testers use a toolkit to do this. The same toolkit that hackers use in most cases. These toolkits are free and well documented. The pen testers do need to know how to manage networks, IIS servers, mail servers etc because their goal if possible is to hack into your server and do something bad to it or document that it could be done.

To me the pen tester is basically a network technician with specialized skills. They write no code at all but have to open up tcp dumps, watch traffic, analyze http headers so they need to know how distributed processing works, the ssl handshake, http post protocol etc.

Yes the CEH certification is for professional pen testers. The CISA is a certified auditor and CISSP is a general security certification. I am one of the few CISSPs I know that has a software development background. Most are either internal IT security people from a networking background or security consultants from RSA etc traveling the country selling their products.
BSBA CIS from TESC, BA Natural Science/Math from TESC
MBA Applied Computer Science from NCU
Enrolled at NCU in the PhD Applied Computer Science
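The "blind redirect" the post describes (commonly called an open redirect) is the kind of finding that ends up on the remediation list. Below is an added example, not code from the poster or their company, showing the unchecked redirect beside a hardened check that only allows same-site paths or an allowlisted host; the host names and `ALLOWED_HOSTS` set are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts a post-login redirect may land on.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def redirect_unchecked(target: str) -> str:
    """The vulnerable pattern: whatever ?next= says is where the user goes."""
    return target


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on this site or an allowed host."""
    if not target:
        return False
    # Browsers treat backslashes as slashes, so "/\evil.example" would be
    # parsed by us as a relative path but by the browser as another host.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    # Reject javascript:, data:, and any other non-web scheme outright.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # hostname strips userinfo and port, so "allowed@evil" resolves to evil.
        host = parts.hostname or ""
        return host.lower() in allowed_hosts
    # No authority: only accept a site-relative path, never a protocol-relative
    # "//host" form.
    return candidate.startswith("/") and not candidate.startswith("//")


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Hardened pattern: fall back to a known-good location if the check fails."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample values a pen tester's report might cite.
    for sample in ["/account", "//evil.example/login", "/\\evil.example",
                   "https://www.example.com/dash", "https://evil.example/",
                   "https://www.example.com@evil.example/", "javascript:alert(1)"]:
        print(f"{sample!r:45} -> {resolve_redirect(sample)}")
```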