What certs to pursue BEFORE pen test certs

If you're that big of a noob (no offense

), I'd definitely start with the Security+.

As far as networking goes, the CCNA:S is probably a good target to aim for. Systems is a bit more difficult answer since you'll be working with such a variety that there's no way you'll be a master of them all. An MCSE and/or RHCE would definitely be great, but I wouldn't put your studies on hold until you get them either.

I'd start experimenting with pentesting asap. You'll learn a lot as you go, and it'd be good to start building up that type of experience early on. What you need to realize is that you'll probably end up doing a lot of research on the spot. You might find a target system running X OS and A, B, and C services. Then you can take some time and research those and see what vulnerabilities exist and go from there.

I'd definitely try to have a good foundation in *nix and MS OSes, but you don't need to over do it either. Focus on broad topics, such as permissions, auditing/logging, DNS, etc.

Haha, point well taken re: the Sec+

To put it another way, I was struck by Keatrons "cans of Coke" analogy in another thread talking about the CISSP. It got me thinking what the "cans of Coke" might be when talking specifically about Pentesting.

I probably should have just said it that way from the beginning

lumbercis wrote: »

I realize this is a generalized question, but I would like to generate a little discussion and see what people think.

There are several posts that discuss the various Pen-test specific certs. My question isn't about those at all. What I am wondering is: what certs do you feel are essential or recommended BEFORE starting down the pen-test path?

Let's assume a total newb with an A+ level of knowledge. Would you jump straight into learning pentesting? On the other end of the spectrum, do you need to hit both MCSE and CCNA level before venturing into pentesting?

I've read in another thread that sysadmins tend to flow most naturally into pentesting. Should one leave out the higher-level networking certs (CCNA) and go for something like MCSE and/or RHCE then straight into pentesting?

Your input is greatly appreciated.

Lots of people do pen testing which isn't of itself difficult. You really want to get a deeper understanding of networking protocols and vulnerabilities. Certainly do some wide reading on application, OS and networking fundamentals and mechanics. At the same time look at some low level texts exploring vulnerabilities, exploits and countermeasures. Many good books out there. As a network Professional security is an inherent part of my work and I engage with security Professionals on a regular basis. The ones that provided the most value to my work are those with a solid grasp of networking fundamentals.

While Keatron's posts are fantastic in general, that one was particularly epic.

I think it really depends on how you define pentesting too. If you expand it beyond a strictly technical perspective, you'll want to add cans of social engineering and dumpster diving as well. You'll also want to be familiar with wired and wireless networking, operating systems, hardware devices (i.e. key loggers), cryptography, programming/scripting, and related tools (backtrack, nmap, nessus, etc.).

@Turgon: thanks for your perspective re: the security professionals youve dealt with on the job. It sounds like you would vote for CCNA as a valuable background for a pentester?

@dynamik: excellent info! But it is veering away a bit into pentesting specific skills rather than preparatory certs. Given the skillsets you mentioned what do you think are the best Certs for getting a solid foundation before getting into pentest specific certs?

Although im kind of hearing that maybe pentesting is such a specific skillset that it doesnt require the same kind of "preparatory certs"(MCSE,CCNA etc) that Keatron was talking about in relation to a well-prepared CISSP?

Thoughts?

NightShade03

I'm very much into pentesting and am working on building a career in the security field and I have found only one thing to be true:

"Know a little bit of everything, but be a master at none."

Honestly there are just too many things to learn to know it all when it comes to pen testing. If you want to branch into a particular area (like web app pen testing) then it kind of narrows the playing field down a little bit. I think certwise you should have a wide range of knowledge in different areas (as others above have pointed out).

Well excuuuuuuuuuuuuuuuuse me

I'd seriously start working on the pentesting stuff immediately. Pick up Hacking Exposed, any CEH book, and/or Penetration Tester's Open Source Toolkit and get to work!

There's not really a correct way to answer your question. Getting anything that gives you a foundation and security experience will help. You'll be sitting in good shape with a CCNA:S and MCSE:S, but there's a lot of other things you're going to need to do too. You could go Juniper and RedHat instead. I'd focus on a networking technology, an operating system, and mix in some security-centric stuff along the way.

dynamik wrote: »

Well excuuuuuuuuuuuuuuuuse me

I'd seriously start working on the pentesting stuff immediately. Pick up Hacking Exposed, any CEH book, and/or Penetration Tester's Open Source Toolkit and get to work!

There's not really a correct way to answer your question. Getting anything that gives you a foundation and security experience will help. You'll be sitting in good shape with a CCNA:S and MCSE:S, but there's a lot of other things you're going to need to do too. You could go Juniper and RedHat instead. I'd focus on a networking technology, an operating system, and mix in some security-centric stuff along the way.

Im not sure I would start with vendor materials to be honest. Far too many certified people don't know how the TCP handshake and sliding window actually works. I have met a few boobs in the security arena i.e 'we don't use VLANs for security, our security is at layer 2'....Stallings and Stevens would be a start for networking and there are many other good books out there. Any fundamental non vendor reading for networking, applications and operating systems would be a good start. Big books, you will be at them for a year solidily at least. You wont understand all of it yet. That's fine. Just read them anyway.

wastedtime

While like the other said you need a good understanding of networks, network services, etc. I have been looking into this site that someone (don't remember who) mentioned on this board. Remote-Exploit.org - Supplying offensive security products to the world The training for it which is done by the people who do the backtrack distro is Online Security Training from the Creators of BackTrack. Just something you may want to look into.

NightShade03

Here are some links with tools and such to get you started as well:

Penetration testing
Securitytools: WELCOME
{LANG_NAVORIGIN}
.:[ packet storm ]:. - http://packetstormsecurity.org/

These are tools and simulations that you can work with to learn different things in security. Its more important to understand how they work.

Also look here:

Penetration Testing Framework 0.55

This is a framework for conducting an actual pen test so going through it will give you a generally good idea of what's involved.

Yes WastedTime, BackTrack is awesome. I'm hopefully going to go for the OSCP later this year, and I recently saw they added a more advanced cert as well. Spooky

Here's a couple of more links you'd want to check out:
Top 100 Network Security Tools
ISECOM - Making Sense of Security (another pentesting methodology)
The Ethical Hacker Network

Turgon wrote: »

Im not sure I would start with vendor materials to be honest. Far too many certified people don't know how the TCP handshake and sliding window actually works. I have met a few boobs in the security arena i.e 'we don't use VLANs for security, our security is at layer 2'....Stallings and Stevens would be a start for networking and there are many other good books out there. Any fundamental non vendor reading for networking, applications and operating systems would be a good start. Big books, you will be at them for a year solidily at least. You wont understand all of it yet. That's fine. Just read them anyway.

Avoiding being the "security boob" is exactly what prompted my question.

I don't want to be the guy telling some experienced network admin what is wrong with his security when I don't have a good grasp of the technologies myself. But then that kind of begs the question; what are you going to tell a senior net-admin about security that he presumably already doesn't know? I would just think that someone at that level understands the technologies so well that they would know where their security vulnerabilities were. But I guess not or the world wouldn't need pentesters.

I'd love to see "Turgon's Security Reading List" posted up at some point.

Good stuff all.

lumbercis wrote: »

Avoiding being the "security boob" is exactly what prompted my question. I don't want to be the guy telling some experienced network admin what is wrong with his security when I don't have a good grasp of the technologies myself. But then that kind of begs the question; what are you going to tell a senior net-admin about security that he presumably already doesn't know? I would just think that someone at that level understands the technologies so well that they would know where their security vulnerabilities were. But I guess not or the world wouldn't need pentesters.

I'd love to see "Turgon's Security Reading List" posted up at some point.

Good stuff all.

hehehe..well I'm not a security specialist but I have long contested security is an inherent part of any network professionals job. Even if it's not on the job description you have a lot of responsibilities there. However the security genre if that's the right word has evolved into something of an entity in itself. There are a number of reasons for this. Over the years while I have been responsible for site and infrastructure security as part of my various jobs I have encountered from time to time an increasing number of security types coming along and looking at things, asking questions, auditing and in the case of firewall transit requests, having to await approval for said requests. This practice is actually very common in large organisations with a centralised security team. The same team usually dows a pen test from time to time after asking for IP ranges and such. It's a very wide ranging subject security involving all kinds of people doing all kinds of things these days. While I wouldn't expect most security professionals to have had to get their head around some of the intricate details of the layer 2 and 3 security vulnerabilities I have had to consider over the years some solid first principles of networking certainly helps discussions. Risk is something we work with in networking. The field has mushroomed over the years and like a lot of 'sexy' things a lot of deadwood joined the party. But good people coming along with insights on the latest vulnerabilities and approaches to combat them are helpful. I guess do a lot of reading and reflecting on things to really get on in security. Even more so if you aspire to be l33t. Im sure some of the security types on the boards can give you some very helpful reading lists across the domains. Expect to be spending at least the next 10 years reading stuff.

Exactly. ANYONE will benefit from security knowledge. It's intertwined with everything nowadays. You don't need to understand assembly and the inner-workings of rootkits, but a solid foundation and general understanding will go a long way.

The only thing I disagree with is your last sentence. You will be reading as long as you're in the field. You don't get a break after a decade

JDMurray

If you want to be a "network penetration tester" then you must have an a very good understanding of the design, configuration, and operation of computer networks. Any time you spend learning computer networking, getting networking-specific certifications, and learning the internal working of network software will not be wasted. The more knowledge and understanding you have in your brain the more quickly you will be able to diagnose situations and solve problems.

JDMurray wrote: »

If you want to be a "network penetration tester" then you must have an a very good understanding of the design, configuration, and operation of computer networks. Any time you spend learning computer networking, getting networking-specific certifications, and learning the internal working of network software will not be wasted. The more knowledge and understanding you have in your brain the more quickly you will be able to diagnose situations and solve problems.

Actually, we got a little off track into talking specifically about networks. However, from reading other threads in the security section, I actually started with the impression that pen-testing was more of a sysadmin game, which lead to my thinking that stuff like MCSA/E and RHCE would be the background to have. But maybe you are just getting at the fact that even within pen-testing there are specialties.

I don't mean to give anyone the impression that I think certs are enough by themselves. All of the discussion should assume that the person is also reading independantly, practicing the various tools, etc. But since this is a certification forum, I figured I would tailor my questions to talking about certs.

Two other questions to throw out there for your consideration:
1) Again assuming a newb, are the broader certs such as Network+ and Sec+ "enough" background before starting in with security specific certs? Or is it more beneficial to get the deeper understanding provided by the MCSE/CCNA type certs before diving into security-specific certs? What would your ideal "cert path" look like if your goal was pentesting?

2) If you were hiring a pentester for your organization, what type of certs would you be looking for? What else on the resume would get someone a call?

Thanks for all the great insights so far!

xocerrpy

I don't want to threadhijack, but what are the day rates that can be achieved as a pen tester/security consultant? I have looked at jobs (full time) and it seems anywhere from 30 - 70k. I can't find any information on day rates apart from an outdated article. (England based).

JDMurray

lumbercis wrote: »

1) Again assuming a newb, are the broader certs such as Network+ and Sec+ "enough" background before starting in with security specific certs? Or is it more beneficial to get the deeper understanding provided by the MCSE/CCNA type certs before diving into security-specific certs?

It depends on what knowledge and experience you already have in the way of computer systems, software, and networks. It's been said many times in these forums that "you can't protect what you don't understand," so jumping straight into security without understanding systems, software, and networks first won't get you very far.

lumbercis wrote: »

2) If you were hiring a pentester for your organization, what type of certs would you be looking for?

None. Anyone can get a pen testing cert without ever having performed a real pen test. I want a pen tester to have the experience of having performed thousands of pen tests on a diverse selection of production networks and end-hosts. Most of the really good pen testers I know don't even know what a "CEH" is and don't care. On their resume it's more important for me to see their work experience and a security clearance than any pen testing cert(s).

lumbercis wrote: »

1) Again assuming a newb, are the broader certs such as Network+ and Sec+ "enough" background before starting in with security specific certs? Or is it more beneficial to get the deeper understanding provided by the MCSE/CCNA type certs before diving into security-specific certs? What would your ideal "cert path" look like if your goal was pentesting?

See what I said earlier: http://www.techexams.net/forums/security-certifications/46266-what-certs-pursue-before-pen-test-certs.html#post341219 You can mix up your studies; you don't have to focus on one or the other. Definitely work towards building a solid foundation to build your security knowledge off of.

lumbercis wrote: »

2) If you were hiring a pentester for your organization, what type of certs would you be looking for? What else on the resume would get someone a call?

While I in no way disagree with what JD is saying, employers still do value certified individuals because that helps bolster their credibility when courting potential clients. For pentesting specific certs, the CEH, OSCP, and GPEN are pretty solid. Other well-respected security certs, such as the SSCP and CISSP, will also help bolster your credibility. As mentioned earlier however, they're no substitute for real-world experience.

JDMurray wrote: »

It depends on what knowledge and experience you already have in the way of computer systems, software, and networks. It's been said many times in these forums that "you can't protect what you don't understand," so jumping straight into security without understanding systems, software, and networks first won't get you very far.

Right, and I agree with what you are saying. The reason I keep yammering on about certs is that I am using "certs" as being representative of the "systems, software, and networks" knowledge that you are talking about. The question then is, what certs do you feel are most representative of the "systems, software, and networks" knowledge needed to be a successful pentester? Or perhaps a less broad question is, what certs are most representative of the knowledge needed to start in the pentesting field?

JDMurray wrote: »

None. Anyone can get a pen testing cert without ever having performed a real pen test. I want a pen tester to have the experience of having performed thousands of pen tests on a diverse selection of production networks and end-hosts. Most of the really good pen testers I know don't even know what a "CEH" is and don't care. On their resume it's more important for me to see their work experience and a security clearance than any pen testing cert(s).

This may need a new thread, but where does one get the experience of thousands of pentests? Is it a matter of getting a job as a netadmin or sysadmin and doing pentests as a supplement to that, then using that experience to land a job as a dedicated pentester?

@dynamik: So let me see if I can sum up what I am gathering from your and others excellent posts:

1) There is no reason to hold off on integrating some security studies in one's free time (heh, what's that?

) while also pursuing general OS and Networking knowledge/certs. Basically, "do it all at once."
2) The background knowledge required for pentesters is more broad than deep, so one shouldn't exclusively pursue sysadmin/OS or netadmin/networking type certs, but get a little experience in each?
3) The various pentest certs are nice to validate knowledge on a resume, but it's not necessary to have all or even any of them, so you don't necessarily need every pentest-specific cert out there, but maybe one pentest-specific and one or two general security certs to make human resources happy?

Putting this in practical terms it seems like a logical path would be:
1)work on something like the MCSA and CCNA (with security specializations) or RHCE/Juniper while reading about security and playing with pentest tools on the side
2) get a job as a sysadmin/netadmin and try to integrate security and pentesting as much as possible
3) while working at the above job, pick up a pentest specific cert and maybe a more general security cert
4) look for pentest specific job
5) advance and specialize to infinity and beyond

What do you think? About right? Wildly off-base? All comments appreciated!

Although there's no "right" answer, I think you're closer to "about right" than "wildly off-base"

More than anything, keep learning and don't expect to land an awesome security position right off the bat. And remember, there's going to be a lot of overlap with all your studies. For example, if you started with N.MAP right now, it would be impossible for you to not learn some networking concepts along the way. On the other hand, if you developed a strong foundation in networking before ever touching N.MAP, you'd be able to get up to speed with it much quicker. Don't worry, it'll all come together in the end

Paul Boz

get a CCNA.

I do pen testing as a regular function of my job and I notice all the time that my in-depth understanding of networking technologies makes me a better pen tester than many of the people in the industry whom I work with. You have to understand how TCP/IP works to be any good at pen testing. Networking is fundamental to any good penetration tester or security analyst. How can you expect to be able to advise a client on perimeter security recommendations if you don't really understand the wire?

Sec+ is good but don't expect it to make you an expert pen tester. I would crack a CCNA book, get that, maybe get the CCNA Security, and play with a lot of tools. Most of pen testing isn't even what you learn in books but what you see in the wild. Learn metasploit, nmap, nessus, and other industry accepted tools. I use these tools (except nessus, we have our own scanner) on a regular basis. There is a reason why my company encourages engineers to get at least a CCNA. While we don't necessarily get into routers and switches on a regular basis the knowledge of networking is invaluable.

Also, don't spin your wheels on specialized pen testing certs. The industry and technology changes so quickly that they devalue rapidly. The only good pen testing cert that I know of is the GPEN through SANS. I work with three guys who have the GPEN and it's solid. at $3500 or so its a bit steep for most people. You can get a lot of good information from the guys at offensive security. they do training on backtrack.

http://www.offensive-security.com/backtrack-tutorials.php

Thanks Paul! Nice to hear from someone in the trenches.

It seems like you are a dedicated Cisco guy, but is there something special about the CCNA, or would Juniper certs be just as good?

The vast majority of Cisco and Juniper are going to be based on standards, so you'd really only be learning differences in syntax, especially at the beginner level. While there are some proprietary protocols in place, like CDP, things like TCP aren't going to work differently between the two. What's important is that you establish a solid foundation in networking.

Paul Boz wrote: »

The only good pen testing cert that I know of is the GPEN through SANS. I work with three guys who have the GPEN and it's solid. at $3500 or so its a bit steep for most people.

Is that on your to-do list? Have you looked at "challenging" any of the SANS certs? Challenge Certification

Paul Boz

We have a $4000/year training budget and my two cisco certs and the SANS 502 ($3500) wrecked me for the year. I have some other stuff I want to do next year so the GPEN may be out of the cards. I have my co worker's books and MP3s and could probably challenge the exam but its still about a thousand bucks that I would rather put towards other certs.

lumbercis - I recommend the CCNA not only because you need to understand networking, but because Cisco is in every environment. I have never gone to a client's site without seeing at least ONE cisco router. On the other hand, the only Juniper routers I've ever worked with were the M10s I used to manage for a service provider. Understanding Cisco technologies are very important.

inc0mplete

Bravo. The CCNA seems to cost quite a bit to practice/study with all the equipment. I hope it's not like college. My friends and I are paying thousands of dollars (by that I mean our parents) and most of us graduated and can't find jobs!

I hope the CCNA greatly helps increase the size of my foot to put in that door!

dynamik wrote: »

Exactly. ANYONE will benefit from security knowledge. It's intertwined with everything nowadays. You don't need to understand assembly and the inner-workings of rootkits, but a solid foundation and general understanding will go a long way.

The only thing I disagree with is your last sentence. You will be reading as long as you're in the field. You don't get a break after a decade

hehehehe..well I did say 'at least' 10 years. I guess I didn't want to put people off too much