Is this a good pathway to become a pentester?
YuckTheFankees
A+... Network+, Security+, CCENT, CCNA (maybe CCNA Security), CEH
Of course gain some experience along the way, but as far as certs go, is this a good path?
Thanks everybody
Comments
tpatt100
I used to work with a couple of guys who went on to become penetration testers. I remember one of them saying knowing laws, rules and regulations and compliance as well as being able to explain them to a customer was important.
RobertKaucher
Others are going to comment, I am sure. But I think a lot of the people here who are in the infosec field took a similar track cert-wise. But I think the important thing is the career path, not just the cert track you choose.
YuckTheFankees
Robert, can you explain more?
colemic
I think what he meant is that it is probably significantly more important to make sure that the positions you take (your 'career path') align with the cert track - you will be hard-pressed to get a pentesting job without very relevant experience. I know you characterized it as 'some experience' but truthfully, most hiring managers aren't wanting someone who has just dabbled in security as an additional duty, they want someone with very relevant, hands-on experience. The certs are intended to highlight your expertise in specific areas that are relevant to your career path.
JDMurray
You might want to throw some actual pen testing certs in there. Have a look at this thread:
http://www.techexams.net/forums/security-certifications/64451-pentesting-certifications.html
YuckTheFankees
JD,
I was showing what certs I would get so that I would have a good foundation of knowledge before I started with pentesting. Do you agree with the path, or are there different certs I should start with to put me in the right direction?
After my general certs... I was thinking... CEH, ECSA, OSCP, OSCE, LPT
veritas_libertas
Although this thread is aimed at security certifications in general, I think there is much to be learned from it:
http://www.techexams.net/forums/security-certifications/28593-security-certification-where-start.html
docrice
I think the A+ isn't as relevant directly, so to speak, but on the other hand if you don't already know general PC troubleshooting maybe it's very relevant that you have the grounding.
In penetration testing, you'll need to learn the tools (CEH helps a bit here), how networks function (Network+ and a CCNA are a good start, although CCNA Security is applicable as well), but after you uncover the results from your tools, whatever they may be, you'll still have to interpret them. That requires knowledge of how protocols work (something the CCNA isn't necessarily going to teach you that much of), and very importantly how operating systems function, including both Windows and Unix. Going further, you'll need to know how applications work to some degree (web servers, databases, SMB / CIFS, RPC, SSH etc.).
That casts a pretty wide net, but the folks requesting pentests against their infrastructures are going to be running various services on different platforms and you'll have to assess, write reports, and make recommendations based on the results of the various methods you employ. Tools are subject to false positives and they require a lot of human interpretation. I think the writing / documentation part tends to be under-stressed sometimes.
If I'm a security admin who requests ACME Consulting Company to make a vulnerability assessment for me, I'm going to want it in a thorough report that also provides context within frameworks that are important to me (such as PCI, HIPAA, etc.). I would expect the report to contain recommendations and prioritization of issues that need to be addressed as they are applicable in my business space.
JDMurray
I've heard that this book is good for getting started in pen testing
Review: BackTrack 4: Assuring Security by Penetration Testing | TechExams.net Blogs
YuckTheFankees
I've been reading the reviews lately, and I'm going to def. get that book. I tried to d/l BackTrack 4, but it kept giving me an error... so it's annoying not being able to d/l it. I'll try again when BackTrack 5 comes out.
What's the best way to learn Wireshark and Nmap, books?
SephStorm
Books, practice, and of course you can watch some of the better videos on YouTube and other security-centric websites.
I would advise you to consider taking the eLearnSecurity student course. It prepares you for the Pentesting Pro class, and should give, at the least, a high-level overview of the knowledge base you will need.
powerfool
CCNA Security would definitely be a good lead-in to the CEH, so would the understanding of many of the MCSE Security concepts and background knowledge.