A real ace will tell you what kind of systems you are running at your company already ;)
I would give them some real world questions. Ask them how they would go about cracking a company. Look up some common terms you see here on this list. www.whatis.com is great for that. Firewalking, IDS, snort, span ports, SSL, ec cetera. Have them explain it to you in your terms. After all , they will be reporting to you, so they should have the talent to explain it to non tech people. Look up recent exploits on securityfocus and ask them about them. A good penetration person will most likely have a lovely personality! :oP Chris Santerre Network Admin to the stars! -----Original Message----- From: Nick [mailto:[EMAIL PROTECTED]] Sent: Friday, March 22, 2002 5:17 PM To: Steven Boshuizen Cc: Security basics list Subject: Re: Pen Testing Skills Have someone who knows IT security interview your "shit-hot" candidate. Anybody who can get on the internet can learn buzzwords. I personally would ask for sanitized documents showing "his" methodology, explanations of tools he uses & why, and maybe even have a couple of servers loaded up with different OSs & server apps (e.g. SQL, Lotus, etc...) and ask for a demonstration. After he shows you what your vulnerabilities are on the box(es), ask what his mitigation strategy would be. Then have someone who is InfoSec knowledgeable check his strategy & methodology. It's a little in-depth, but if you're paying for a "shit-hot" guy's salary, you don't want false "security" feelings And if you are gonna bill this guy out to do consulting pen-testing for others, you want to make sure he is for real. Otherwise you'll lose all credibility in no time. HTH Nick On Fri, 2002-03-22 at 06:13, Steven Boshuizen wrote: > > > In my understanding people with these skills come > from a UNIX background, having worked on projects > with VPN's, intrusion detection, administering and > implementations. Could anyone tell me that if I was > looking for a shit hot penetration tester what sort of > background would such a guy have, and what would > be the keyskills/ buzzwords that I would have to look > for so that I would know I am talking to an ace?? > Would appreciate any assistance. -- Nick Network Security Consultant CISSP, CCSI, MCSE, CCNA Raleigh, NC _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com
