Can I legally pentest with a Security+ Cert?

KIMP

Hey Guys,

I've been searching all around the web for the answer but I can't find a clearcut YES or NO. What I'm interested in is starting my own business doing pentest and network security consulting for homes and small business in my area. Is there a de facto cert I MUST have to legally do this type of work? Yes, I am aware of the CEH cert, my understanding is that this is the best one to have when it comes to penetration testing, but this is out of the question for now. Of course it's a certification I'd pursue later as my business grows, however in the beginning is a Security+ enough to legally call myself a pentester and go to work penetrating WLAN's with the owners consent?

Looking forward
-KIMP

aftereffector

You aren't legally mandated to have anything to pentest. I would recommend getting a couple of certs, though... Security+ is a good start, and OSCP would be a nice goal to shoot for.

zxbane

As after said, I think Sec+ is a good start and from my understanding the OSCP is much more valuable both in knowledge gained and reputation than the CEH when it comes to Pentesting.

danny069

You can pentest without a cert, to make it 'legal' you have to have a contract with implications and procedures, etc. and have the both parties sign it.

KIMP

Thanks guys! Very helpful. Glad to know I can get started with planning my exact business structure. Defiantly need to learn more about the OSCP cert. I always thought CEH was king. Again thank you guys for the help.

cyberguypr

You can call yourself whatever you want right now: pentester, security guru, almighty security cool guy of all things IT that have blingy lights, etc. IT in a lot of places is not a regulated industry. As a result, certifications are not mandatory. Some of the best pentesters out there have never even taken a single cert. Having said that, for the SMB segment, I think there's definitely some value in having a credential or two that you can use to educate people on your expertise.

As you mentioned, the key component to legal pentesting is one: permission (written) from the system's owner. That is really all you need followed by a good contract and SOW, both reviewed by lawyer who understands this line of work. Limiting your liability is a key factor here. Just thread carefully and educate yourself as the repercussion could be serious.

One last thing, what is your background? I could be way off base, but the way you worded your post worries me a bit and makes me think you just want to get out there and start running tools. Hope this is not the case.

lsud00d

@OP, CEH is little more than a vocab/memorization exam--there are no skills tested.

[Deleted User]

In order for you to do any sort of Penetration testing in general, you have to ask the company whom you plan to perform this testing for and have a legitimate reason for performing this. You should also perform pen testing during a time when not a lot of users are online to prevent any disasters from happening.

diggitle

lsud00d wrote: »

@OP, CEH is little more than a vocab/memorization exam--there are no skills tested.

Thanks for making laugh out of my chair. I needed that.

BGraves

lsud00d wrote: »

@OP, CEH is little more than a vocab/memorization exam--there are no skills tested.

Currently studying for the CEH for my MS degree, can confirm this is accurate.
You might learn some useful stuff doing the CEH but I can't say this makes you "Pentester" capable, you just know (hopefully) how to use some tools and their switches and what their output looks like. (OSCP frankly, sounds fascinating!)

If you're just looking at Wireless penetration testing, really just building some skill with a backtrack/kali distro and a wireless card that can inject packets would get you started. From there, knowing how to build/generate dynamic wordlists and use hashcat or etc.
Books like:
BackTrack 5 Wireless Penetration Testing Beginner's Guide: Vivek Ramachandran: 9781849515580: Amazon.com: Books
or
The Basics of Hacking and Penetration Testing, Second Edition: Ethical Hacking and Penetration Testing Made Easy: Patrick Engebretson: 9780124116443: Amazon.com: Books

might be useful if you don't know quite where to start...but all that info is probably found freely online if you know where to look.

Just my opinion of course.

ThePawofRizzo

cyberguypr wrote: »

One last thing, what is your background? I could be way off base, but the way you worded your post worries me a bit and makes me think you just want to get out there and start running tools. Hope this is not the case.

I have to echo cyberguypr's question about your background. I'm not sure if your planning on pentesting in the near future, or merely researching to plan for the more distant future. I have to wonder about your current background if you are as yet unfamiliar with whether you require basic certs, or which legal necessities, or contractural considerations. From your original post I would guess you are very green, at least in pentesting matters.

[Deleted User]

Also keep in mind, using any distro such as BackTrack or Kali does not make you a penetration tester. These are only tools to help assist with your penetration testing. If you want to become a full penetration tester, that takes years among years. Learning multiple programming languages to make your own scripts.

N2IT

lsudood you always crack me up! ITIL Foundation and Security + were very similar (at least from my minds eye) aka your description.

TechGuru80

zxbane wrote: »

As after said, I think Sec+ is a good start and from my understanding the OSCP is much more valuable both in knowledge gained and reputation than the CEH when it comes to Pentesting.

Do you have any networking knowledge? Having network and system knowledge is a large portion of being able to pen test when researching for exploits and diagraming your target (client). Security+ does not give the foundational knowledge in either...but does give some knowledge of security aspects. As said in the quote above CEH has become more of a foundation or beginner cert into pen testing and OSCP has taken over as the next level. Can you pen test without one? Sure can but in this industry, certifications validate knowledge and skills. Would I trust somebody to do research without a PhD versus somebody with a PhD? Doubtful.

docrice

Something that is often not mentioned when the topic of becoming a pentester comes up is the need for very good writing skills. A good portion of the work in penetration testing is creating very detailed notes based on evidence collected, collaborating with your peers, articulating the impact/severity of the findings in reports and recommendations, and defending your assessments in a way that your client can understand.

Many people think that penetration testing is about capturing the flag by running through a gamut of tools, but ultimately it's to provide real value to organizations by revealing their point-in-time posture and helping them action positive results. This involves not just knowing what tools to use, but also knowing how to maneuver around technologies, infrastructures, deployments, and business workflows.

In other words, you really need to have an in-depth understanding of the businesses processes and controls that are put in place. If you submit a finding and make a recommendation which is completely unrealistic or off-base in the practical real world, you'll be written off as nothing but an amateur. The infosec industry is still in a relative infancy, and we still see shops that pass themselves off as security consultants without having experience to back up their ability to sufficiently gauge their clients' infrastructure.

I'm not directing this at the OP necessarily, but if you're still at a point where you're asking what certifications are necessary to pentest, then it sounds to me like you don't have a solid grasp of what's involved in the field. I could be wrong about that, but I've seen these sorts of threads come up a lot. Much of the work in the security industry (including pentesting) involves taking the time to conduct research and discerning information carefully. It's tedious, time-consuming, and requires constant knowledge maintenance. And frequently, this work isn't fun when we're in the middle of doing it.

Master Of Puppets

That's a common occurrence these days - everyone wants to pentest/hack or whatever but they lack the very basic knowledge needed to do that. This is not meant to sound offensive but I do feel like the OP has only a faint idea of what he is talking about.

I would also like to echo the idea of knowing the bounds of the penetration test. Doing something that is outside of what has been agreed with your client can cost you a great deal. You need to be fully aware of what you are allowed to do and how things are going to play out before you start. For example. you can't place backdoors if this hasn't been agreed on. The possibility that someone else might use them to cause actual damage is enough by itself.

Disgruntled3lf

Docrice brings up a very valid point. My company does consulting work for a ton of local SMBs and the majority don't have the budget to implement the changes that would make them defensibly secure. Additionally, in my area at least, it seems most are using third party software and don't control the development. As an example I discovered that an application a client was using that hosted patient files was not encrypting the files during the re-upload process. I brought it to their attention but they were powerless to do anything because they depended on that software and had tailored several processes around it. I also (with my clients permission) informed the developer but to my knowledge it remains unfixed. So to reiterate, you need to be familiar with the business processes of your client and you need to suggest realistic changes even if they're not ideal.

zxbane

I'm confused TechGuru, was your question about networking knowledge intended for me or the OP?

TechGuru80 wrote: »

Do you have any networking knowledge? Having network and system knowledge is a large portion of being able to pen test when researching for exploits and diagraming your target (client). Security+ does not give the foundational knowledge in either...but does give some knowledge of security aspects. As said in the quote above CEH has become more of a foundation or beginner cert into pen testing and OSCP has taken over as the next level. Can you pen test without one? Sure can but in this industry, certifications validate knowledge and skills. Would I trust somebody to do research without a PhD versus somebody with a PhD? Doubtful.