Good cert/company review

I found this over at EHNet, thought you guys might be interested. I'm really glad I found it.

The Ethical Hacker Network - Infosec Intitute & Intense School

Find more posts tagged with

Comments

[Deleted User]

+1 this type of stuff makes me giddy. This is the stuff that excites me but I don't know if I will ever pursue these types of certifications. I guess maybe because I'm still pretty low on the rung but eventually when I get the fundamentals of everything down I will want to dive into this crazy/awesome world.

SephStorm

I know the feeling.

today I was talking to one of my managers about Symantic/Norton. He said he'd give me his IP and have me try, and I said I am not familiar with attacking from the outside. He was surprised of course, and I told him, I wanted to learn SysAdmin work before I get too deep into exploitation. So hopefully by december, I will e open to hitting security hard.

LukeQuake

SephStorm wrote: »

I know the feeling.

today I was talking to one of my managers about Symantic/Norton. He said he'd give me his IP and have me try, and I said I am not familiar with attacking from the outside. He was surprised of course, and I told him, I wanted to learn SysAdmin work before I get too deep into exploitation. So hopefully by december, I will e open to hitting security hard.

Be VERY careful here, don't 'have a go' at attacking your Manager's network/home machine just because he said you could.

These types of ethical hacks/vulnerability assessments, should only ever take place if there is detailed signed documentation in place stating exactly what you are and aren’t allowed to do, and even then only by companies with the relevant certified professionals carrying out these assessments. Never carry out these attacks over the internet from your own personal machine, doing so or attending to will get your IP blacklisted/flagged fairly quickly (unless you really know what you are doing). Security testing companies will have specific ISP agreements in place allowing these tests to be carried out.

Feel free to carry out testing / learn more about ethical hacking etc but keep it to your own closed private network.

JDMurray

Also realize that when you sign a contact with an ISP, you are not buying your IP address and public network presence, you are only leasing it. This means that the typical ISP customer does not have the sole authority to allow a pen test to be conducted against their network from the Internet. Permission must first be obtained from the ISP to run any pen test against any host or network connected to it.

SephStorm

I have no intention of pentesting over the internet without written authorization, or in my case, the experience to know what I'm doing.

I did find it interesting what JD said. I would bet that most companies dont have such a clause in their ISP contract.

GAngel

SephStorm wrote: »

I have no intention of pentesting over the internet without written authorization, or in my case, the experience to know what I'm doing.

I did find it interesting what JD said. I would bet that most companies dont have such a clause in their ISP contract.

Most ISP would never give a company that kind of right.

LukeQuake

GAngel wrote: »

Most ISP would never give a company that kind of right.

As long as you are with a decent business ISP, contacting them to obtain an 'OK' before the pentest is carried out by the security firm is usually fine. They just like to be kept in the loop.

It also depends on how 'skilled' the tester is, if they are just flooding the range of target IPs and filling up the session tables on the ISPs routers, they will be quickly locked out at network level by DoS filters.

This can potentially lead to missed results etc.

I strongly suggest using an accredited ethical hacking / IT Security firm. I’d be happy to share some details of my contacts with you via PM.