Security/ Penetration Tester Advice Needed

Hey Guys,

My log term goal is to be a penetration tester. I currently have an A+ Cert and a few years of Help Desk/Desktop Support.
I just got laid off from my job and want to take some time and get some certs.

So what's my next steps? What certs would you recommend I get and what title should I shoot for my next job?

Find more posts tagged with

Comments

NovaHax

Cert wise...probably CEH or Sec+.

But really, just start learning everything you can. Every language you can. How info systems work. It never ends and you will never catch up. Just so you know what you're in for.

M3Cody

NovaHax wrote: »

Cert wise...probably CEH or Sec+.

But really, just start learning everything you can. Every language you can. How info systems work. It never ends and you will never catch up. Just so you know what you're in for.

Yah, Ill pretty much be forever learning and trying to stay up on everything. I just know trying to get into the field with an A+ and some help desk wont get me in.

NovaHax

If you are wanting to get hands on experience, enroll in a eLearn Security or Offensive Security course.

docrice

Make sure your foundations are good. You can learn all the pentesting tools out there, but if you lack solid grounding on the fundamentals, your ability to choose/use tools and make judgement calls will result in you standing on shaky ground. If you're going to hand someone a report on findings, you're inevitably going to get questioned/challenged on it. For these inevitable events, you better be able to back up your claim with (IT-scientific) proof and be able to communicate resolutions in a way that's meaningful to your client.

So while getting "security certs" is all fine and dandy, make sure you understand common principles. Networking is a good start, and maybe solid Windows and Linux skills. Many things in the pentest world stem from these basic things which are essentially typical system/network admin functions. Learning these well will help glue together your understanding of the various parts which make up the digital ecosystem.

Above all else, you must learn to dig while having a never-satisfied curiosity and hunger to probe further. In many ways, your ability to be a good pentester will depend on your capability to improvise and think creatively, which ultimately requires knowing the fundamentals down cold.

JaneDoe

Play practical jokes on your friends that involve hacking things. I don't suggest you do anything malicious, just enough to get them to laugh and ask how you did it. Pay attention the mistakes people make that let you do that easily. Fix the vulnerabilities that let you do these things if you can.

M3Cody

docrice wrote: »

Make sure your foundations are good. You can learn all the pentesting tools out there, but if you lack solid grounding on the fundamentals, your ability to choose/use tools and make judgement calls will result in you standing on shaky ground. If you're going to hand someone a report on findings, you're inevitably going to get questioned/challenged on it. For these inevitable events, you better be able to back up your claim with (IT-scientific) proof and be able to communicate resolutions in a way that's meaningful to your client.

So while getting "security certs" is all fine and dandy, make sure you understand common principles. Networking is a good start, and maybe solid Windows and Linux skills. Many things in the pentest world stem from these basic things which are essentially typical system/network admin functions. Learning these well will help glue together your understanding of the various parts which make up the digital ecosystem.

Above all else, you must learn to dig while having a never-satisfied curiosity and hunger to probe further. In many ways, your ability to be a good pentester will depend on your capability to improvise and think creatively, which ultimately requires knowing the fundamentals down cold.

VERY helpful thank you! Good points to.

bobloblaw

I agree with everything docrice said.

To add, the single most common thing you will see in InfoSec is that no one ever started in InfoSec. Everyone always comes from another primary background (Sys admin, network engineer, dba, etc.). This could change in years to come, but no one is going to expect someone to perform a security audit/pen test of their Windows domain when that person hasn't ran a Windows domain (same for their network, unix systems, etc).

lsud00d

Also, look for events in your area. I participated in a multiple-site CTF (capture the flag) cybersecurity exercise and it really helped to see all of the moving pieces working simultaneously in the big puzzle.

Watch videos from DEFCON. Stay current with security related blogs. Follow CVE's. Go through the Metasploit Unleashed course. Etc.