InfoSec consultants answer questions you've been wondering about

I came across a Reddit AUA (Ask Us Anything) post that features 5 guys from small InfoSec consulting companies answering questions you've been meaning to ask.

https://www.reddit.com/r/netsec/comments/3k9ul8/we_run_five_infosec_consulting_companies_ask_us/

Some of the topics they covered:
- What value do you place on OSCP/OSCE and other certs like CEH/Sec+/CISSP/GSEC?
- How to obtain clients
- What skills do you think would benefit someone fresh out of school in the job hunt?
- What are the biggest skills you look for in candidates?
- What kind of interview questions do you like to ask potential employees?
- What are some of the tradeoffs between working for a security consulting firm and being a security engineer at a large company
- Are there any good or bad aspects to a pentesting career that someone might not know about?

I think this is of great value for all of those "How to get into security/pentesting" posts that we get on a weekly basis.

Comments

  • Jasiono (Member, Posts: 896)
    Very nice.
    I wish work didn't block reddit so I will have to take a look when I get home.
    I definitely think the first, 4th and 7th questions are very important.
  • MrAgent (Member, Posts: 1,310)
    Here are some of the answers I saw in regard to certifications:

    What value do you place on OSCP/OSCE and other certs like CEH/Sec+/CISSP/GSEC?

    Also, what is (anybody) your favorite vuln you've ever found that you're allowed to talk about?

    We don't really place value in certs.

    That being said, in a really, really twisted way, CEH is the best of them all. In large tenders, it helps if you can list CEH (they even ask for certified ethical hackers), and it'll only cost you one afternoon.

    None at all; if you have a cert I'm wondering why. Of all the certs that are out there, though, OSCP/OSCE seem to be the closest to not sucking that I've seen.

    Edit: Favorite vuln was one where what we were given had already been assessed grey-box style by every major shop, and we were still able to get RCE via PostScript execution in a backend converter system that nobody had attacked successfully. It was the first vuln I saw at the company where I thought to myself "I would have never found that, I'm really freaking lucky to be working with guys smarter than me!"

    I really dig OSCP and OSCE. I think they are the best example of someone trying to improve the bad reputation a lot of certs have.

    CISSP is not great (and ISC2 as an organization is a mess) but it is kind of something you have to do for certain types of InfoSec jobs (especially gubbies).

    CEH, run away. Run.

    SANS stuff I like, I just wish it was more accessible to people without gigantic training budgets.

    (Now brace yourself for all of the "certs suck" comments. They do. But sometimes you need them to get a foot in the door.)

    We don't place any value in certifications. That said the OSC* seem to be a step in the right direction to a far off vanishing point.

    Some larger orgs will require you to have a CISSP due to their customers or the places they want to consult for. We don't.
  • aftereffector (Member, Posts: 525)
    That was a very fun read. Thanks for linking it!
    CCIE Security - this one might take a while...
  • Jasiono (Member, Posts: 896)
    Thanks MrAgent.

    Very interesting responses you quoted up there. I will definitely have to go home and read the entire thing.

    I wonder what the first quote means by "It will only cost one afternoon".
  • aftereffector (Member, Posts: 525)
    Jasiono - I interpreted that as Christiaan saying that the CEH is so basic compared with the level that he and his employees operate at, they would be able to get the CEH certification by simply walking in and taking the test - no study or preparation required.
    CCIE Security - this one might take a while...
  • Jasiono (Member, Posts: 896)
    Ha, that's what my initial thought was but didn't state it since I'm not sure if that was the full response.

    Man, that's a little cocky, if you ask me. But then again, the only security cert that I have is Security+ which I aced with a week of studying.

    Some things come more natural to others.

    I was always under the assumption that CISSP and CEH | Ethical Hacking were the holy grail certs and that you are basically qualified for a LOT of jobs in the market. I have learned over the years that certs really mean nothing unless you are attempting to gain an entry level position, and that experience trumps certs.

    And that, in turn, is trumped by the person hiring. It all comes down to the person who makes the final decision on whether or not to give you the job.

    I plan on going for my MSIS from WGU and I'm pretty stoked that CEH | Ethical Hacking is part of the curriculum
  • JoJoCal19 (Mod, Posts: 2,835)
    MrAgent wrote: »
    Here are some of the answers I saw in regard to certifications:

    Edit: Favorite vuln was one where what we were given had already been assessed grey-box style by every major shop, and we were still able to get RCE via PostScript execution in a backend converter system that nobody had attacked successfully. It was the first vuln I saw at the company where I thought to myself "I would have never found that, I'm really freaking lucky to be working with guys smarter than me!"

    Man, I follow a ton of these security guys on Twitter, Reddit, and follow web blogs, and the stuff I read just boggles my mind. It makes me wonder, "how the hell would I ever be half as good as these guys". Sometimes I feel like tucking my tail between my legs and heading back over to GRC land haha.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • MrAgent (Member, Posts: 1,310)
    He was right. The CEH is a very easy cert, for those with security experience. I am pretty certain that I could go and re-pass the exam with no studying required.

    When I initially took it I studied for a week or two with the Matt Walker book. Knowing what I know now, I wouldn't need to study for it.
  • gespenstern (Member, Posts: 1,243)
    Unfortunately, it's all about web applications security/pentesting, something that I'm totally not interested in...
  • cyberguypr (Mod, Posts: 6,928)
    Funny. I had to do a double take as I always thought your nickname was 'gpentester'. I just realized that's not what it is.
  • E Double U (Member, Posts: 2,229)
    cyberguypr wrote: »
    Funny. I had to do a double take as I always thought your nickname was 'gpentester'. I just realized that's not what it is.

    You are not alone. Good catch!
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • mokaz (Member, Posts: 172)
    Good read, thanks for the post !

    Indeed, and to state what I think about certs: they show your interest in the field. Being able to self-study and being interested in your job/field sounds very important, at least to me. And Information Security is no exception; there are interested people as well as bored ones.

    Therefore I'd be a little milder there, because spending countless hours to gather knowledge is not something anybody can do. There are of course a few wizards, but that's certainly not more than 5% of all the pros out there. So proving you know what you're talking about is never going the wrong way, to me.
  • Jasiono (Member, Posts: 896)
    I'm looking at it now. Apparently the place I work for lifts the ban on all blocked websites for an hour a day, from 12 to 1. I got it loaded just in time LOL

    Don't ask why, I just found out.
  • cyberguypr (Mod, Posts: 6,928)
    All of them? Go try some questionable stuff and report back :)
  • Jasiono (Member, Posts: 896)
    LOL
    I pulled up reddit at 12:59 on the nose and opened another window and tried it again after 1, and it didn't work.

    In reading the reddit article though, I agree with a previous post. These guys are smart. I know absolutely nothing compared to these guys nor do I think I ever will.
  • beads (Member, Posts: 1,531)
    I concur with the whole CISSP/CEH thing. Been calling the CEH the 'Tour of tools' now for years. You'll find over time that the more authors, more books, more reference materials there are, the easier these certs become.

    Many of these certifications are now just footnotes to one's work experience.

    - b/eads
  • E Double U (Member, Posts: 2,229)
    beads wrote: »
    Many of these certifications are now just footnotes to one's work experience.

    Pretty much! I go for the certs that complement what I've been working on. For me it is similar to getting a degree after a few years of school. The paper doesn't prove that I know a damn thing. I just like the sense of completion, plus it helps get beyond those HR filters. And if an employer is paying, then why not take advantage.
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • TranceSoulBrother (Member, Posts: 215)
    So some of the answers smack of elitist everything-computer no-life-club stuff. This talk of downplaying certifications, promoting CTF events, reading tons of books... for what?
    What's the ROI?
    How many companies will value this self-starting crap and allow you to put food on the table when looking for a job or changing positions?
    How many bosses will not make your life hell when you appear a bit smarter than them?
    How many hours are there in the day between all this self-studying, actual work... and (gasp) having a family?
  • 5ekurity (Member, Posts: 346)
    TranceSoulBrother wrote: »
    So some of the answers smack of elitist everything-computer no-life-club stuff. This talk of downplaying certifications, promoting CTF events, reading tons of books... for what?
    What's the ROI?
    How many companies will value this self-starting crap and allow you to put food on the table when looking for a job or changing positions?
    How many bosses will not make your life hell when you appear a bit smarter than them?
    How many hours are there in the day between all this self-studying, actual work... and (gasp) having a family?

    That is the sacrifice, and risk, of starting your own business.
  • UnixGuy (Mod, Posts: 4,564)
    TranceSoulBrother wrote: »
    So some of the answers smack of elitist everything-computer no-life-club stuff. This talk of downplaying certifications, promoting CTF events, reading tons of books... for what?
    What's the ROI?
    ...
    How many hours are there in the day between all this self-studying, actual work... and (gasp) having a family?

    That's what I was thinking...cool reverse engineer work work work...and then what?
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • iBrokeIT (Member, Posts: 1,318)
    TranceSoulBrother wrote: »
    So some of the answers smack of elitist everything-computer no-life-club stuff. This talk of downplaying certifications, promoting CTF events, reading tons of books... for what?
    What's the ROI?
    How many companies will value this self-starting crap and allow you to put food on the table when looking for a job or changing positions?
    How many bosses will not make your life hell when you appear a bit smarter than them?
    How many hours are there in the day between all this self-studying, actual work... and (gasp) having a family?

    This post smacks of jealousy, a very judgmental attitude and the inability to comprehend someone having different values in life than your own. Believe it or not, some people actually have a passion for this stuff and aren't interested in being mediocre at best in their career.

    They offered perspective as to what it takes to get to where they are as successful business owners in the info sec industry in their AMA and you somehow think that's the ONLY path everyone should follow? *Woosh*
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
  • Danielm7 (Member, Posts: 2,310)
    iBrokeIT wrote: »
    This post smacks of jealousy, a very judgmental attitude and the inability to comprehend someone having different values in life than your own. Believe it or not, some people actually have a passion for this stuff and aren't interested in being mediocre at best in their career.

    They offered perspective as to what it takes to get to where they are as successful business owners in the info sec industry in their AMA and you somehow think that's the ONLY path everyone should follow? *Woosh*

    Yeah, a bit of both and somewhere in the middle. These are guys who are super hardcore about security and have likely been hacking things in grade school. They are usually light years away from a typical security engineer in most large corps. Most of us probably have hobbies that take a lot of time, or families, or anything else, for them it's security, it doesn't make them elitist jerks, it makes them very serious about what they do.

    For example, for most of my life I've done martial arts, many hours a week. I have a good job, family, etc. If I didn't do any of that and only worked on reversing code all that time for many years, I'd likely be really good at reverse engineering and people would say I'm a "no life nerd." It really just depends on what you're passionate about.

    As for the downplaying certs thing, lots of people in security are like that, because most of them really don't do much for you day to day. Do you really think the CEH makes you a real ethical hacker? Of course not, a lot of people in security only have it because HR requires it. When you run a small business and you are your own HR dept, you only care about what gets the job done, not letters after a name. It's not offensive, it's just reality.
  • OctalDump (Member, Posts: 1,722)
    It seems very much that this is pentesting, vulnerability, code auditing type stuff. So, might explain the particular attitudes to certification.

    Certification can in itself be used as a risk mitigation strategy by a company - "MS says she knows her stuff". And I imagine that some environments might be more inclined to that more conservative approach. I mean if you are basically auditing compliance with some standard, your culture will be geared more towards valuing external standards - like certification.

    I think CEH is a necessary evil. You need something near entry level for pentesters. It seems like their "contempt" (it's not that, but you know what I mean) is basically because these guys are at or near the top of their fields. It's like a similar question I saw put to someone on how to get to be a Linux Admin, and there was a list of all the things you should be able to do competently to work as a Senior System Admin. It was a long list, with a whole heap of advanced skills - basically the equivalent of RHCA (a big step above RHCE). This seems like that, but more so. Like if someone asked "How do I become a network guy?" and was given all the nitty gritty on how to go from recent graduate to multiple CCIE. It's a lot of work, which normally takes 5, 10 or more years to get to.

    The short of it is that at the level they are talking about, the certs are about as relevant as that Network+ is to a CCIE or A+ to MCSE or Sec+ to, well, what they are doing :)
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • gespenstern (Member, Posts: 1,243)
    Chuckled a little at the interview questions they said they typically ask. One of them:

    "How would you exploit the following scenario which uses CBC encryption? <code snippet>"

    My ass, are they really that cool or just pretending to be? Cryptography involves pretty complicated math, and usually people whose crypto work is accepted as a standard in government or industry spend tens of years studying math and, with rare exceptions (like Bruce Schneier or Ross Anderson), are more or less pure mathematicians with little to no knowledge of or interest in the general infosec field. It takes years and years for all of academia to find a flaw in some algorithm and lower its work factor by a few bits. I.e. many of the brightest minds in the world's best universities think and experiment, and for years none of them see a problem with some algorithm, until, on a step-by-step basis, almost always building on previous work and research, some group of researchers finally comes up with a proof of concept that allows finding a key some billions of years faster on existing computing equipment.

    There are actually not that many names across the world who do this type of work and not all of them do that all the time because I imagine it's pretty exhausting mentally. Aforementioned Schneier and Anderson don't do crypto these days, for example.

    So by asking this question they say that they are THAT cool and expect interviewees to be also THAT cool? Like, being aware of typical approaches to encryption algorithms on a level to see flaws in implementations? Specifically on chaining (i.e. using previous block's cryptotext as a randomizing input for encrypting the next block)?

    I'm skeptical, personally.

    P.S. Cert bashing could also be of the same nature. Think about this: all of them are businessmen; one of them mentioned that he has been doing almost pure management for about a year now. Which means that they are salesmen. Which means that they sell their services. Which means that it's beneficial for them to position themselves as demigods who are light years above any cert. I agree to some degree, CEH is **** and I personally passed it without any prep. But still I kinda feel that they bash certs too much; it looks suspicious and unfair, and raises the question of whether their responses are biased here, because they have no interest in assessing the question without bias.
  • UnixGuy (Mod, Posts: 4,564)
    Danielm7 wrote: »
    ....

    For example, for most of my life I've done martial arts, many hours a week. I....

    I understand that it is a hobby for people, but I think doing martial arts has a much more positive impact on your mind and body and on family/social relationships in general, whereas security as the *sole* hobby has a very negative impact on life. But

    For example, letting your health deteriorate because of stressing out to hunt 0days and get a heart attack at 40 versus being healthy and fit and in your prime in your 50s..that's a massive difference. We are smart people working IT and we should make smart decisions and think of the long term impact of our daily habits.

    I'm not really hating, I think it's something admirable, I like excellence in any field, but one has to keep in mind that different hobbies have different impact on one's life. It's a choice afterall :)
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • OctalDump (Member, Posts: 1,722)
    gespenstern wrote: »
    Chuckled a little at the interview questions they said they typically ask. One of them:
    "How would you exploit the following scenario which uses CBC encryption? <code snippet>"

    So, there is this dealing with data at rest: Practical malleability attack against CBC-Encrypted LUKS partitions | Jakob Lell's Blog
    and this relating to POODLE and SSLv3: https://www.us-cert.gov/ncas/alerts/TA14-290A

    There's quite a few possibilities with that question. One is that they would accept something like the answer you gave since it shows some insight into the problem, some awareness that attacking the CBC part might not be the best option. Another is that they are looking for creative approach, that might work around the encryption entirely. Another is that there is a specific flaw in the implementation of CBC in this code which makes it weak to some attacks, which a deep understanding of the specifics of the encryption might show. Another is that the code is a 'textbook example' of a known vulnerable implementation. Another, more interesting one, is that someone in that company had found this vulnerability and published it, which would show that the interviewee has done their work not just preparing their technical skills but learning about the company.

    At least some of the companies are doing code auditing, so knowledge of specific code weaknesses and/or knowledge of how encryption /should/ be implemented in code is probably a skill they are interested in. They say quite a few times that they don't hire 'juniors', preferring senior or mid-career types with a body of experience in the area, so people that already have good fundamentals and have developed specialised infosec skills. So, maybe the question isn't so outrageous.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Mike7 (Member, Posts: 1,107)
    "How would you exploit the following scenario which uses CBC encryption? <code snippet>"

    Results from a VA (vulnerability assessment) scan on public web site
    Problem : The web site is vulnerable to BEAST (CVE-2011-3389) attack
    Solution : Disable CBC cipher or disable SSL v3 and TLS 1.0
    And you are told to fix it.

    Do you know who discovered POODLE?
    From Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback
    "Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks."
    New security vulnerabilities are discovered regularly, at times in areas that we do not have much knowledge in. Security professionals (i.e. most of us) try to understand what it means and figure out how to protect against it.

    The pen testers and hackers will go deeper in depth to understanding the security vulnerabilities, and figure out how to write exploit code.
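    The CBC interview question debated in the last few posts has a standard practical answer that needs no cryptanalysis of the cipher at all: without a MAC, CBC is malleable, which is also the property behind the LUKS attack OctalDump linked. The block below is an added example written for this page; it is not code from the thread, the Reddit AUA, or any of the consultancies. It uses a toy 4-round Feistel block cipher built on SHA-256 so it runs with the Python standard library only (an assumption made for portability; the attack is a property of unauthenticated CBC and does not depend on the cipher), and a constructed plaintext, key, and IV. It flips `admin=0` to `admin=1` in a ciphertext it cannot decrypt, then shows the encrypt-then-MAC construction that rejects the same edit.

```python
"""
CBC bit-flipping (malleability) demo, standard library only.

In CBC mode, plaintext block j = D(C_j) XOR C_{j-1} (with C_{-1} = IV).
XORing a delta into C_{j-1} XORs the same delta into plaintext block j;
the price is that block j-1 decrypts to garbage. No key is needed.
"""
import hashlib
import hmac
import os

BLOCK = 16
HALF = BLOCK // 2

# Constructed demo values (assumptions for this example, not from the thread).
ENC_KEY = b"demo-encryption!"
MAC_KEY = b"demo-mac-key-123"
IV = bytes(range(BLOCK))
PLAINTEXT = b"comment=hi there;admin=0"   # block 0 = "comment=hi there", block 1 = ";admin=0"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Toy keyed round function: SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Returns IV || C_0 || C_1 || ..."""
    padded, prev, out = pkcs7_pad(pt), iv, [iv]
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, blob: bytes) -> bytes:
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    pt = b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(pt)


def flip(blob: bytes, block_index: int, offset: int, delta: int) -> bytes:
    """XOR `delta` into one byte of the IV||C blob. Plaintext block `block_index`
    receives the same delta; plaintext block `block_index - 1` (if any) is destroyed."""
    pos = block_index * BLOCK + offset
    return blob[:pos] + bytes([blob[pos] ^ delta]) + blob[pos + 1:]


def parse_fields(pt: bytes) -> dict:
    # Tolerant "k=v;k=v" parser: garbage in one field does not stop parsing.
    fields = {}
    for item in pt.split(b";"):
        if b"=" in item:
            k, v = item.split(b"=", 1)
            fields[k] = v
    return fields


def attack() -> bytes:
    """Turn admin=0 into admin=1 without the key: '0' is byte 7 of plaintext
    block 1, so XOR ord('0') ^ ord('1') into byte 7 of blob block 1 (that is, C_0)."""
    blob = cbc_encrypt(ENC_KEY, IV, PLAINTEXT)
    return cbc_decrypt(ENC_KEY, flip(blob, 1, 7, ord("0") ^ ord("1")))


# Hardened form: encrypt-then-MAC, and the tag is checked before any decryption.
def seal(enc_key: bytes, mac_key: bytes, pt: bytes, iv: bytes = None) -> bytes:
    body = cbc_encrypt(enc_key, iv or os.urandom(BLOCK), pt)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("MAC check failed")
    return cbc_decrypt(enc_key, body)


def attack_on_sealed() -> bool:
    """True if the same byte flip is rejected by the MAC check."""
    blob = seal(ENC_KEY, MAC_KEY, PLAINTEXT, IV)
    try:
        open_sealed(ENC_KEY, MAC_KEY, flip(blob, 1, 7, ord("0") ^ ord("1")))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    tampered = attack()
    print(tampered)                        # 16 garbage bytes, then b";admin=1"
    print(parse_fields(tampered))          # {..., b"admin": b"1"}
    print("sealed version rejects flip:", attack_on_sealed())
```

    The point an interviewer is after is the reasoning in `attack()`: which ciphertext block controls which plaintext block, what collateral damage the flip causes, and whether the application's parser survives that damage (a lenient key=value parser does; a strict one might not, which is where a padding-oracle variant would come in). The IV is the easy case, since editing it rewrites plaintext block 0 with no garbage at all. The fix is not a stronger cipher but authentication: MAC the IV and ciphertext and verify in constant time before touching the padding.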
  • Scottdt (Member, Posts: 6)
    iBrokeIT wrote: »
    This post smacks of jealousy, a very judgmental attitude and the inability to comprehend someone having different values in life than your own. Believe it or not, some people actually have a passion for this stuff and aren't interested in being mediocre at best in their career.

    They offered perspective as to what it takes to get to where they are as successful business owners in the info sec industry in their AMA and you somehow think that's the ONLY path everyone should follow? *Woosh*

    Your post struck a chord. It reminds me of when I used to play MMOs and the occasional "excuses" forum post.

    @TranceSoulBrother: if you truly love what you do, you will make time regardless of your outside responsibilities.
  • brchap (Member, Posts: 5)
    Take what those guys say with several grains of salt. If a particular certification can increase your chances of getting the job, why on earth would you NOT get it? Pride? Honor? Hey, as long as you didn't **** to pass the exam, there's no shame in having a certification. Certifications will NEVER hurt your chances of getting a job, unless the hiring manager has a weird "anti-cert" chip on his/her shoulder and if that's the case you wouldn't want to work there anyway.

    Plain and simple, your resume should be designed to get you an interview - that's all. How you do in the interview is what gets you the job, but if your resume never makes it through the certification filter you're done before you have a chance to speak with anyone. The best way to design your resume to get you to the interview is to have what employers are looking for.

    The way I see it, these days, it's downright dumb to not try to have what employers are looking for in a desirable candidate, especially when THEY TELL YOU WHAT THEY ARE LOOKING FOR RIGHT THERE IN THE JOB POSTING! If they want a piece of paper saying that I passed an exam, that's a no-brainer in my book.