Have someone who knows IT security interview your "shit-hot" candidate. Anybody who can get on the internet can learn buzzwords.
I personally would ask for sanitized documents showing "his" methodology, explanations of tools he uses & why, and maybe even have a couple of servers loaded up with different OSs & server apps (e.g. SQL, Lotus, etc...) and ask for a demonstration. After he shows you what your vulnerabilities are on the box(es), ask what his mitigation strategy would be. Then have someone who is InfoSec knowledgeable check his strategy & methodology.

It's a little in-depth, but if you're paying for a "shit-hot" guy's salary, you don't want false "security" feelings. And if you are gonna bill this guy out to do consulting pen-testing for others, you want to make sure he is for real. Otherwise you'll lose all credibility in no time.

HTH
Nick

On Fri, 2002-03-22 at 06:13, Steven Boshuizen wrote:
> In my understanding people with these skills come
> from a UNIX background, having worked on projects
> with VPN's, intrusion detection, administering and
> implementations. Could anyone tell me that if I was
> looking for a shit hot penetration tester what sort of
> background would such a guy have, and what would
> be the key skills/buzzwords that I would have to look
> for so that I would know I am talking to an ace??
> Would appreciate any assistance.

--
Nick
Network Security Consultant
CISSP, CCSI, MCSE, CCNA
Raleigh, NC
