[German Pentesters] Can you share some info about the field?

Hi all,

I have a Master's degree in Computer Science with a focus on Networking (and also a couple of security lectures). No further certifications or anything for this job. In my free time I mess around a lot with Linux machines and security stuff, do some CTFs, etc.

Currently I'm looking for a pentester job and would love to get some insights from pentesters working in Germany.

I've been reading a lot about how you need lots of fancy certificates to land a job, but this seems to apply to the US market and does not sound like the German job market at all.

Stuff I'm specifically interested in:

  • How did you get into the field?
  • What's a reasonable salary to expect in the beginning?

But also:

  • What does your typical work day look like?
  • Any special advice you would give to someone in my position?

Thanks in advance

Touch here for the full post on Network Security Noblemen tumblr

Are Virtual Chief Information Security Officers a real thing?

I've been interviewing and obtaining bids for vCISO services. I'm coming away from the process thinking that this service is really not properly named, at least not by the majority of proposals I've seen. What I've seen is that a company will install a SIEM, export the data, run it through a system (including, if it is one of the more advanced units, AI to help sort things), and then put human eyes on the data. My IT department gets a call, and if the issue is worth my time I get roped in to make a decision. That effectively makes me the CISO even though I've hired a vCISO. Are most vCISO services really "Virtual Security Officer" services? Hiring a CISO is cost-prohibitive in today's environment for a company of my size. Is this what others are experiencing?

View URLs on Mobile

Hey all,

I am looking at helping my users with an issue we are having… URLs are very hard to preview on mobile devices. In my internal phishing I am seeing a large portion of clicks coming from mobile devices.

In our training, we are teaching people to hover over the link and read the URL. That is difficult to do for some on a mobile device and may risk an accidental click.

What are your thoughts?

Any input before I purchase some courses from eLearnSecurity?

So I'm thinking of purchasing 5 courses on eLearnSecurity at once for the discount: PPT, PTX, WAPT, WAPTX, and THP. It'll be a heavy investment for me, but getting all of that for less than the price of a single SANS course could be worth it for me.

I've heard good things about some of these courses, but I'm unsure about the others. If anyone who has had experience purchasing multiple courses like this, or who has taken some of these courses, could weigh in, it'd be appreciated.

For some background info, I am currently in pentesting, but I really want to sharpen up my skills and knowledge and felt this would be a good option for me. The certificates may not be as prestigious as SANS or OffSec, but the knowledge is primarily what I am after.

Cyber intelligence analyst experience relevant to future as a penetration tester ?

(I posted this in ITcareerquestions too.) I recently began a job as a cyber intelligence analyst in the DMV area. I mine the deep and dark web for information about extremists (jihadists, white supremacists, antifa, black nationalists, etc.) and cyber criminals. I use Tor, I2P, Tails and other anonymizing services. I search the clearnet with OSINT techniques. I use the Elastic Stack for visualization and analysis. Finally, I take all that data and write intelligence reports, briefs and articles for the company blog. I communicate and present reports to clients. So far, all is good and I enjoy my job, but I'm a little concerned that I'm not utilizing or learning that many hard technical skills. My goal is to eventually become a penetration tester. I continuously learn and play around with my home lab. I have several security certs already and I plan on getting the CISSP and OSCP.

My question is: will my experience as a cyber intelligence analyst be helpful or relevant when I seek out junior pen testing jobs in the future?

GeoIP vs BGP ASN mapping

Hello gents,

I've got a small question, but it's bugging me and I can't really find an answer that satisfies me on my own. So, I've got this idea of being able to know the originating country for any given source IP. Looking it up, I found this URL: https://www.team-cymru.com/IP-ASN-mapping.html stating that BGP ASN mapping and GeoIP are different in their usage, and that BGP ASN mapping (my initial idea) was not a good idea.

My question is: what makes them different? Doesn't GeoIP use some information similar to BGP ASN mapping? Or does it rely on different mechanisms? Worded differently, why would BGP ASN mapping be a bad idea to use for this specific purpose?

Have a good day!

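The difference the post above asks about comes down to granularity and meaning: a BGP origin-ASN lookup maps a prefix to the autonomous system (an organization) that announces it, and the only "country" in that data is where the AS is registered, while a GeoIP database tries to locate the hosts in a block, usually at a much finer granularity than a BGP announcement. The following is an added example, not part of the original post or of any Team Cymru tool; all of its routing and GeoIP data is constructed (IETF documentation prefixes and AS numbers from the 64496-64511 documentation range) purely to show how the two lookups can disagree for the same address.

```python
"""Added example: why a BGP origin-ASN lookup is not a substitute for GeoIP.

Everything below is constructed for illustration: the prefixes are IETF
documentation ranges and the AS numbers come from the 64496-64511
documentation range. Nothing here is a real routing table or GeoIP database.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AsnRoute:
    """One announced prefix and the AS that originates it."""
    prefix: IPv4Network
    asn: int
    registry_country: str  # where the AS is registered, not where any host sits


@dataclass(frozen=True)
class GeoEntry:
    """One geolocated block; typically much finer than a BGP announcement."""
    prefix: IPv4Network
    country: str


# Constructed BGP view: AS64496 announces one /24 aggregate and is registered
# in the US, although (see GEOIP_TABLE) it serves hosts in three countries,
# which is what a global hosting or anycast provider looks like.
BGP_TABLE = (
    AsnRoute(ip_network("192.0.2.0/24"), 64496, "US"),
    AsnRoute(ip_network("198.51.100.0/24"), 64497, "DE"),
    AsnRoute(ip_network("203.0.113.0/24"), 64498, "JP"),
)

# Constructed GeoIP view: built from sub-allocations and measurements, so it
# can split one announced /24 into blocks located in different countries.
GEOIP_TABLE = (
    GeoEntry(ip_network("192.0.2.0/26"), "US"),
    GeoEntry(ip_network("192.0.2.64/26"), "DE"),
    GeoEntry(ip_network("192.0.2.128/25"), "SG"),
    GeoEntry(ip_network("198.51.100.0/24"), "DE"),
    GeoEntry(ip_network("203.0.113.0/24"), "JP"),
)


def longest_prefix_match(ip: str, entries):
    """Return the most specific entry whose prefix contains ip, or None.

    Both a router and a GeoIP library do this same lookup; only the tables
    they run it against differ.
    """
    addr = ip_address(ip)
    best = None
    for entry in entries:
        if addr in entry.prefix and (
            best is None or entry.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = entry
    return best


def origin_asn(ip: str) -> Optional[int]:
    route = longest_prefix_match(ip, BGP_TABLE)
    return route.asn if route else None


def country_via_asn(ip: str) -> Optional[str]:
    """Naive approach: use the registration country of the origin AS."""
    route = longest_prefix_match(ip, BGP_TABLE)
    return route.registry_country if route else None


def country_via_geoip(ip: str) -> Optional[str]:
    entry = longest_prefix_match(ip, GEOIP_TABLE)
    return entry.country if entry else None


def compare(ip: str) -> dict:
    """Both answers side by side, plus whether they agree."""
    asn_country = country_via_asn(ip)
    geo_country = country_via_geoip(ip)
    return {
        "ip": ip,
        "asn": origin_asn(ip),
        "asn_country": asn_country,
        "geoip_country": geo_country,
        "agree": asn_country is not None and asn_country == geo_country,
    }


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.70", "192.0.2.200", "198.51.100.9", "10.0.0.1"):
        print(compare(ip))
```

Running it, 192.0.2.10 agrees on "US", but 192.0.2.70 and 192.0.2.200 sit in the same AS64496 announcement and come back as "DE" and "SG" from the GeoIP table while the ASN lookup still says "US" for both. The ASN result is still useful for a different question (which organization is responsible for this address), which is the distinction the Team Cymru page is drawing.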

Where to start? (How not to annoy)

Hey all,

So I am a recent grad currently in sales for a netsec company (I won't pitch you anything, don't worry), and I've noticed that the lack of understanding within sales teams is a constant source of annoyance for folks in this industry.

I actually studied neuroscience in undergrad. The typical generalized, diluted "we help tone down noise"/"we help you catch undetected malware" pitches, supported by cherry-picked cases, that 499 out of 500 companies use annoy even my evidence-based, analytically oriented brain.

In an ideal world, what would the people who send you emails or call you on the phone need to know in order to be useful instead of a bother?

I don't mean this in the sense of "tell me how to manipulate you to buy".

In college, I worked at GameStop. I didn't have to push or bother anyone, because the customers and I connected on a shared level of common interest and understanding: they got great games, and I sold them.

I would ideally like to get back to that vibe. So what do I do? Do I learn languages? Study network architecture? What are some good resources?

I'm probably going to end up moving to the engineering side anyway; in the meantime, though, I would like to be less of a bother and more of a resource.
