Saturday, June 15, 2013

Welcome to the Club: Advice to First-Time Pentesters

This is the first post in a series offering advice to InfoSec newcomers. Not being the most colorful crayon in the box, I'll just call it "Welcome to the Club", and will tag all posts in the series accordingly.

[Image: giant pit mine in the Siberian tundra] Hop in. I'll be right behind you.
Occasionally, folks starting out in InfoSec will ask me for advice. I try to give it without sending them screaming toward a different, less-punishing career, like working in a Siberian diamond mine.

An acquaintance recently contacted me via LinkedIn to ask for advice on his first paid pentest gig, and this is what I told him.

As you progress from pentest to pentest, your skill and ability to find flaws, use tools, etc. will increase, so I'm not going to give you any technical advice at this point. On the first gig, it is more important to ensure there will be a second gig than to try to cover every technical avenue possible. It would also be ideal for your first gig to be the client's first pentest: then, as your skills increase, their ability to implement your findings (in theory) and their security posture should increase as well.

The best way to have a good first pentest is to focus on good communication with the client. This skill is important for consultants of any kind, but even more so in any situation where there is the potential to cause harm in the course of doing the job they are paying you for. Relationship building is also important. Don't think about any gig as just one job. Think of it as the potential start of a relationship in which you could establish yourself as their go-to for any security work.

[Image: burning building] Yeah, could you stop scanning? It isn't going well for us.
Come up with a good plan, share it with the customer, and stick to it. If something changes, e.g. you find issues going deeper than you expected and you need to change the plan, notify them before going down any "rabbit holes". Make them aware that pentesting, even just scanning, is a potentially disruptive activity, but that you'll do your best to minimize the risks to their network. Make sure they know how to contact you, and that you can stop scanning/pentest activities relatively quickly if there are any issues.

Manage the client's expectations well, and they should be happy. Happy clients spread your services via word of mouth and rehire you. Positive word of mouth and recurring gigs build a solid business. Never stop learning and trying new things on pentests, and the technical side will improve as you gather experience.

There is also a ton of advice posted by the "Pentest Lessons" Twitter account.