I'll add that if you're going to bill this guy out to test for others you better check his background too. Last thing you need is for your contracted employee getting paid to use your equipment to break into your customer's systems and steal credit card info to pass out to his friends.
It's a fine line between top-notch pen test guys and black hats. Sort of like spies; the best ones always seem to have an edge to them, but you want to be sure that at the end of the day their loyalty is to you and the customer and they aren't just using you for illegal or unscrupulous ends.

Just my 1/44th of a Euro.

Aloha,
-Ben-

Ben M. Schorr, MVP-Outlook, CNA, MCPx3
Director of Information Services
Damon Key Leong Kupchak Hastert
http://www.hawaiilawyer.com

> -----Original Message-----
> From: Nick [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 22, 2002 12:17 PM
> To: Steven Boshuizen
> Cc: Security basics list
> Subject: Re: Pen Testing Skills
>
> Have someone who knows IT security interview your "shit-hot" candidate. Anybody who can get on the internet can learn buzzwords.
>
> I personally would ask for sanitized documents showing "his" methodology, explanations of tools he uses & why, and maybe even have a couple of servers loaded up with different OSs & server apps (e.g. SQL, Lotus, etc...) and ask for a demonstration.
>
> After he shows you what your vulnerabilities are on the box(es), ask what his mitigation strategy would be. Then have someone who is InfoSec knowledgeable check his strategy & methodology. It's a little in-depth, but if you're paying for a "shit-hot" guy's salary, you don't want false "security" feelings.
>
> And if you are gonna bill this guy out to do consulting pen-testing for others, you want to make sure he is for real. Otherwise you'll lose all credibility in no time.
>
> HTH
>
> Nick
>
> On Fri, 2002-03-22 at 06:13, Steven Boshuizen wrote:
> >
> > In my understanding people with these skills come from a UNIX background, having worked on projects with VPN's, intrusion detection, administering and implementations.
> >
> > Could anyone tell me that if I was looking for a shit hot penetration tester what sort of background would such a guy have, and what would be the key skills/buzzwords that I would have to look for so that I would know I am talking to an ace?? Would appreciate any assistance.
>
> --
> Nick
> Network Security Consultant
> CISSP, CCSI, MCSE, CCNA
> Raleigh, NC
>
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com
