Scope Creep: Escaping the Madness

Have you heard the term “Scope Creep” before? Chances are you haven’t, because it’s one of the most commonly missed things to be mindful of in Information Security / Cyber Security.

What is “Scope Creep”?

Usually during the pre-engagement phase of Penetration Testing, while you are defining your contract, you set aside a block of hours that you feel will serve as the proper amount of time to properly test your client according to the SOW (Statement of Work). This block of time is considered the “Scope”.

Scope creep is when a client says to you, “Oh hey, while you are here, can you test this ________ also? It’s something we forgot to include in the initial engagement.” And trust me, this happens more often than it doesn’t. Most pentesters are so happy to have landed another contract that they work harder to oblige the client and work it into the already existing scope of work.

But here’s the thing: aside from the legal problems this can pose, it will eat up more of your pre-determined block of time (scope), and you will find yourself working longer, thus decreasing profits. Now, if you have been enrolled in our Penetration Testing for Beginners course, you will know that I constantly bring up this issue and warn that you should never work for free. In fact, there is a way to hit the ESC key on this common debacle while still meeting the client’s request.

Escaping the Creep:

One successful way I have found to do this is approaching your client in a manner that makes them aware that you want to help, but that you also need to get paid extra. For instance:

“No problem Mr. Customer, I certainly understand. So what I will do is have a separate Statement of Work drawn up to include the added time and resources that will go into testing the additional resources you mentioned. Once we get that signed and returned back, we will go ahead and work that into the schedule. Where should I send it, to your email?”

You should never ever work for free. There will never be any benefit to it, and in fact, most clients will take that as a sign of weakness, and during the rest of your business relationship, will always seem to have “Forgotten to include that” in the statement of work. It’s a serious trap. Don’t fall victim to it.

So by now, I hope that you are able to understand how Scope Creep can negatively impact your time and resources, and how to effectively hit the ESC key in a manner that makes the intent clear and concise.

 

If you have enjoyed this article, please share it with your friends and colleagues.

www.PentesterUniversity.org


I Know Everything

“I Know Every Thing” – The Cyber Security Pitfall.

Chances are (especially in this field of Cyber Security) you’ve worked with someone who claims to know it all. And you’ve probably quickly noticed that they don’t. Ugh, I see it all of the time. I’ve worked alongside plenty of these “Know it all” types, and the fact is, they only knew what they read in a book to pass their certification test. If I had to guess as to why they act this way, it’s because of self-doubt and inferiority complexes. If they could just get past that and humble up, they’d probably be fine.

It’s impossible to know everything, regardless of the career. The so-called “Gurus” don’t even know it all. In the field of Cyber Security, this is especially true. Cyber Security, on both the offensive and defensive sides, changes so rapidly that it’s virtually impossible to know everything. Heck, you’ll never catch me saying that I am a “guru” or “Know it all” because I’m not, and I don’t. There is always something new to learn in this rapidly changing career. The sooner you realize that, the better off you will be.

The key to a successful career in Cyber Security is to be humble, among other things. Keep learning, keep moving forward, and don’t get discouraged. Our ideal students at www.PentesterUniversity.org are complete beginners. Why? Because normally there are no “I know it all” attitudes, and that is important for their success with our personalized training.

Stay Humble My Friends.

 

 

 

 


The Memory Dump

Oftentimes, as people of the digital technology age, and especially as Penetration Testers, we tend to get “Information Overload”, just like computers. And much the same as computers, we need to do a Memory Dump before we crash.

I felt it was important to write about this in a blog article, because we all need to step away from the screen from time to time, even for just a little while, so we can regain our focus. I can’t tell you how many times I have been on a Pentesting Team, and the team spent hours upon hours going in circles just because a team member was thought to have performed a task to further the team’s goal, but because of “Information Overload” simply forgot to do the task, or otherwise note the results. It’s super frustrating, but I understood; it happens to us all.

Eventually, when I was a Team Leader, before we started an active Pentest, I mandated 3 days of nothing for every team member. Meaning, no research, no testing, no report writing, nothing. It was 3 days to go do whatever they wanted (except for the above mentioned) to clear their minds. I dubbed it “3 days of Memory Dumps, no logs”, which was quite funny at the time — nothing worse than a memdump with no log of it lol

The key takeaway here is, whatever you do, don’t allow yourself to burn out. Take some “Me Time” out for just you. Do whatever makes you decompress and relax. Go get a deep tissue massage, go veg out and watch endless hours of Mr. Robot, or simply sleep. Whatever it takes to clear your memory. You’ll thank me later when you are on an active engagement and blaze right through it like Tank from the Matrix 🙂

Shaun James

 

 

 


News: Vi Editor Course is Now Open

I am very pleased to announce that we just released a new course specifically on the terminal-based vi(m) Editor.

vi, otherwise known as vim, is a very powerful UNIX-based terminal text editor. You can quickly create, modify, save and edit configuration and text files inside of a Linux/Unix shell. You can even write programming code with vi/vim.

In this course we discuss how to properly use vi/vim to create, edit, and save files. We also talk about how to navigate files inside of vi/vim, how to search for text and replace text, and much more.

It’s completely FREE for Members of PentesterUniversity.org and ONLY $27 for non-members.

You can check out the course right here: Learning The vi Editor in Linux

Shaun James


5 Things You Need to Know Before Becoming a Penetration Tester

Are you looking to become a Professional Penetration Tester? Here are the Top 5 Things You need to know before becoming a Professional Penetration Tester: Number 5 is the most important.

Download our FREE Fast-Track Cyber Security Career Guide HERE

College Doesn’t matter:

Over the years I have worked with a lot of people. And in that time, I have found that Traditional College degrees do not matter. Some of the smartest and most talented people I have had the pleasure of working with were merely High School Graduates. They never spent a single day in a Traditional College. On the flip side, some College Graduates I have worked with who had their computer science degrees were very book smart, but when it came to putting those book smarts into hands-on action, they were clueless.

Certifications do Matter:

While Traditional College degrees are falling by the wayside, and are even less required by employers, industry certifications are taking the place of that. Let’s be honest, I think even that is going to be phased out in the next decade. Why? Just take a look around, there are a myriad of Professional Certifications these days. CEH, LPT, CISSP, OSCP, Sec+, to name just a few. And for the most part, they all test basically the same skills. And here’s the thing about these Certifications. Most of them have a re-test period, in which that Certification you worked so hard for expires after a period of time. Now, don’t get me wrong, this industry of Penetration Testing and Information Security does change rapidly, so it’s not really a bad thing to re-test. But think of the amount of money and time you have to devote to a re-cert every 2 or so years. It adds up quickly.

 

Knowing Linux:

This is a MUST in my experience. Most of the tools we use in everyday Penetration Testing tasks simply do not exist in the Windows space, and only about half of them exist in the Apple/Mac space. There are many reasons for this. The most important reason is that Linux is open source, and the networking stack is much more robust than its Windows counterpart. So, while you do not need to be a Master Linux Super Guru, you do need to understand the basics of how it works, and some simple commands, before you can pentest from a Linux Environment.

Networking:

This is another must. You must know the basics of how a Network and its basic protocols work in order to be successful at Penetration Testing. Now again, you don’t need to be a network engineer here, but you should have a basic understanding of TCP/IP, Packet Structure, and other protocols such as HTTP, UDP, ICMP, OSI Model, just to name a few. The more you know in this area, the better and faster you will be.

 

Social Engineering:

The weakest link in any security environment is the human element. And that is a fact. Now you don’t need to be a psychology major here, but you should understand how people tend to think.

For instance, let’s say that you pentest a company called XYZ Widgets International, and you simply cannot find a way in. They are super secure. So, in your Information Gathering phase, you find a company directory, full of names, numbers, and most importantly email addresses. You have also managed to stumble upon a portion of their website where you can see their “Partners”, i.e. other companies they deal with. You pick the partner ABC Widget Wholesalers, Inc, who has a manager of partnerships named Michael Dawson.

So, in the company directory of XYZ Widgets you find Mary Adams. She’s a secretary for the office. You also found in that list a higher level employee, such as a manager of partner relations named James Matthews.

So you craft yourself a pdf with a reverse_tcp meterpreter shell, pack it with your packer of choice, and craft a spoofed email from [email protected]. In this email, you put a subject line of: “URGENT – Partner Application”. In the body of the email you put something like “Mary, I need your help. My boss Michael Dawson is having issues with his email or something. Ugh, you know how that is. He’s screaming at me about it, like I know anything about computers! Anyway, I am trying to help him, so he asked me to email this Partner Application to you. Could you please download it and print it out. It needs to be signed by James Matthews, and returned by email to me by no later than 2pm today. Thanks! – Sam Smith – Assistant to Michael Dawson”

Let’s talk about this for a minute.

Mary Adams, being just a secretary, probably doesn’t know much about computers, and to be honest, she’s probably on some shoe shopping site, browsing for a new set of heels or something. Bing, an email pops up. She quickly glances at the subject line and sees “URGENT – Partner Application”, looks at the sender, and it comes from abcwholesaler.com – one of their partners. Mary doesn’t want to get in trouble, so she quickly opens the email and sees her first name, which builds validation of legitimacy. Then she sees her name again, this time followed by “I need your help” — she’s a secretary, she’s always doing something for bosses. This sets her mind back into work mode, and away from shoe shopping mode. You mention your boss, so that immediately lets her know that you are a lower level person in the company, just like her. You then follow by saying that your boss is having email problems (which tells her why you are emailing her instead of Mr. Dawson), and throw in the UGH at the end. This gets her mind into a place of compassion, because likely she’s been there too. You heighten the sense of urgency by saying “He’s screaming at me about his email problems”, which builds on the URGENCY clause you had in the subject line, and follow up with “Like I know something about computers”, which builds trust again that you are a low level employee just like her, and shows how bosses can be unreasonable. Now, you give her the Call To Action with sincerity – “Can you please download this, and print it out?” The Call To Action tells her brain that she needs to do this. You then follow with “It needs to be signed by James Matthews” – probably one of her many bosses. This one sentence alone does 3 things here: it again adds a sense of urgency by mentioning her boss’s name, it persuades her not to be lazy and forward it, since it needs to be printed to be signed, and it gives her a deadline, sealing the urgency deal.

You should now have a shell on Mary’s machine. Social Engineering is one of the most important things to know in becoming a Penetration Tester.


YouTube Ruins Online Education

This post is really a double-edged sword for me personally, because YouTube is how I got my start in online training. It’s how we built an audience of super awesome people, eager to learn. And it hurts me to admit this, but YouTube is a Terrible Place to Learn Ethical Hacking.

Let me explain;

I’m sure you’ve been there. You go to YouTube to get some information about something related to Ethical Hacking / Penetration Testing / Cyber Security, only to spend countless hours watching someone type commands into a terminal and explain it via typing (with many errors) into a notepad. The crazy zoom in and zoom out is enough to make you dizzy. But, like a trooper, you suffer through it in hopes that you will be able to pull off whatever it was you were looking for. So, you get started, and realize that the YouTuber was full of crap. Nothing they showed is working for you, and now you are back at square one, frustrated and feeling defeated. Usually, people just wind up quitting at that point, feeling like this whole Cyber Security thing is wizardry and stupid.

BUT, here’s the thing;

What I have found (even before we created the NetSecNow Channel) is that these supposed “Teachers” are just regurgitating something they found somewhere else. Seriously, how many times do you see the same titles, and each video is just worse and worse. It’s enough to make your head spin.

Most of what you find for Cyber Security on YouTube is outdated. Our industry niche is one of the fastest changing and evolving of all IT-related careers, so it’s impossible to be current on a platform like YouTube, especially with all of the outdated disinformation out there.

And maybe that’s fine for some people on a $0.00 budget who are trying to get into Cyber Security Professionally, but it’s just time wasted usually.


Kali Linux Really Sucks

Ok, so maybe it doesn’t totally suck, BUT

Kali Linux is one of the few go to operating systems for Penetration Testers and Hackers alike. And it does do a really good job at giving you a mostly full set of tools used in Penetration Testing, but it still totally sucks! Here’s why;

Kali Linux, above anything else, is really just a tool, like any other “hacking” tool. But the problem is just that. It tends to mislead potential users into falsely thinking that Kali Linux itself is all they need to “hack the planet”. In fact, that is the furthest thing from the truth. YouTube is to blame for this epidemic also, but that’s another topic altogether.

Here’s the thing that we Professionals already realize: “The very best tool you will ever have in your tool kit is YOU.” Yes, YOU. I’ll explain.

Everyone thinks that because they saw some guy/gal on YouTube fire up their Kali Linux install and hack a website, or hack another computer with such ease, of course they can do it just like what they saw. And oftentimes they become super frustrated, and ultimately discouraged and defeated. I wrote a blog post about that HERE

Many users lack a firm understanding of the core principles of a proper Penetration Test, including the very important Phases of Penetration Testing. Unfortunately, most online resources rarely teach the Phases of Penetration Testing, nor do they encourage would-be Penetration Testers to apply a simple yet powerful tool within themselves called Logic. Usually the reason they don’t teach these important things is because they are boring. One of our flagship ideals here at Pentester University is teaching these methods very much in-depth, while making it fun and interactive.

You are the BEST Computer You will ever use.

And I truly mean that. By understanding the core fundamentals, such as the Phases of Penetration Testing, and applying LOGIC, you are now able to build a better case against your target, a clear road map of the best method of attack. This will lead to a higher success rate of compromising clients’ systems, less frustration, and ultimately a lower chance of Defeat.

In closing, You could have the very best of the best tools in the entire world, but without using Logic, and Understanding the important Phases of Penetration Testing in-depth, you are just clicking buttons, and making yourself frustrated, and perhaps looking foolish in front of your client, bosses, or colleagues.


Overcoming Defeat in Penetration Testing

So if you have ever practiced Penetration Testing, or conducted a Penetration Test for a company, then you may have been met with the ever so frustrating sign of Defeat. What’s important to remember is you’re not the only one, and this won’t be the last time this happens.

It’s common to run into roadblocks in Penetration Testing: stubborn firewalls, strict IP ingress/egress filtering, crazy-sensitive A/V, etc. This leads to frustration (severe in some cases) and will ultimately undermine your own success. I find the more frustrated some people get, especially in this career, the harder it is to focus and continue on. This, my good friends, is none other than defeat. And sometimes, even if only temporary, it’s important to admit defeat to yourself, step back, take a break, and re-assess the situation or plan of attack. Oftentimes it’s something so simple that you are overlooking and making yourself crazy with, and simply stepping back and re-engaging with a clear head will let you prevail and overcome defeat.

Defeat is unfortunately going to be part of you, for as long as you are alive, in all facets of life, not just pentesting. But as you grow older, gain experience, it becomes easier to recognize it, and overcome it. So don’t get bummed out, or feel alone, because you shouldn’t be, and you’re not.


Picking the Best Online Cyber Security Training

If you are reading this blog post, you’ve probably been searching around for online cyber security training and are confused by how many results there are, what course to choose, and where to start in general. I hope this blog post will help you in Picking The Best Online Cyber Security Training.

Cyber Security is a very in-demand career, especially after all of the public mention of large, and small companies, Local and Federal Governments, and pretty much everyone getting hacked in 2016. No one was safe. So, if you have ever considered a career in Cyber Security, there is no better time than right now in 2017.

But here’s the thing, because of this so many “new” Online Cyber Security Training Facilities have popped up all over the internet, making it even more confusing for potential students to pick one. And you’re not alone. So many of these online training facilities offer so many different things; Training, Certification, Test Vouchers, Boot camps, Fast Tracks, and the list goes on for miles. Most of these “things” are just buzz words, so here’s how to choose an Online Cyber Security Training Facility.

 

Sustainability:

Since it seems like almost every day a new “Cyber Security Training Facility” pops up, you should find out how long your potential choice has been around. If they are relatively new, or not known well, chances are they will close their internet doors in 6 months or less.

 

What do they offer?

Here’s the thing: what they offer is just as important as what they DON’T offer. Do they offer beginner classes? 7 Day Bootcamp courses? :Cringe: Do they offer industry certifications, or do they self-certify? How long is the access to content: 7 days, 1 month, 1 year, lifetime? Support: 1-on-1, self study, forums, email support, anything at all?

 

Price:

While I’d advise against price being your deciding factor, it is something important to consider. If you are a beginner, you certainly should not cough up $5k per course right away. That’s entirely too much. On the flip-side, You do get what you pay for. For example, there are some free courses out there, and while I can’t personally say if they are any good, I do however live by the old adage: “You get what you pay for. Nothing in life ever comes for free, and if it does, it’s not worth the time you invest.”

 

Beginners:

It’s really hard to find an Online Cyber Security Training Facility that caters to complete beginners. It’s much harder to teach a complete beginner than it is to teach someone with experience, especially in Cyber Security. However, there are Organizations out there who do a really great job Training Complete Beginners Start to Finish, Step By Step in Cyber Security Training. We happen to be one of them.

 

Bootcamps:

I always CRINGE and turn the other way when I hear this buzz word. It makes my skin crawl. The reason why is simple; while it is a good tool for seasoned professionals looking to up their game and get a new certification, these same Bootcamps wind up duping unsuspecting students into paying a boatload of cash for an ultra stressful, fast paced, specific certification training course. Unless your sole intent is to pass a specific exam, and you already have a bunch of experience, don’t get sucked into this buzz word trap. It could cost you $5,000 per course, only to be completely lost in the material.

 

Free Trials / Demos:

This is very important. I’d wager that any Online Cyber Security Training Facility that doesn’t offer some sort of no-money-up-front Free Trial or Demo should be skipped over. Here’s the thing: whenever you pick a Cyber Security Training Course, you have to see if the teacher’s way of teaching jibes with your way of learning. If you can’t understand the teacher, or can’t follow along, perhaps it’s time to skip past that Facility as well.

 

So, as you can see there are a ton of questions that have to be answered in order to pick the right Online Cyber Security Training Facility. I hope that this outline was able to help you narrow down your choices.


Welcome to Your Brand New University!

Hello All, and Welcome!

Many of you are probably already students, and have received an email explaining what the new website will contain, and that we were moving away from our old platform. HOORAY! WE MADE IT!

It was a tough decision to move mid-stream like this, but hopefully you all understand why. In the end, it’s all about creating the best student experience in Cyber Security, second to none, and I believe we have done just that!

As we embark on this new journey together, I want to thank you all for your continued support over the years and in the future!

I hope you like what we created, after all it was you, the students, who made this possible. Thank you all for your most valued feedback!

To all the new Students, enrolling on our newest platform for the first time, Welcome!
