What type of hands-on tests should I expect in an interview for an entry-level penetration tester?

And what do examiners expect a candidate to accomplish (i.e. full compromise)?

The reason I ask is that I went for a pen test interview and I was given a 4-hour exam. I was not presented with any guidelines or expectations. The test consisted of looking at IP-PBX log files for the given scenario:

We have been approached by a customer who has been advised by their telecoms provider that a large amount of phone fraud (for clarity, this is where the phone line has been used to generate large call costs to the client such as premium rate or international calls) has been conducted on their company phone line.

The phone system utilises a Shoretel Voice over IP (VoIP) gateway. From internal investigation by the client, it would appear that the fraud was conducted between the 30th December 2011 to 6th January 2012.

Our task is to conduct a technical review of the logs supplied by the client with an aim to:

Identify how this fraud was conducted. 
Identify the source of the fraud (external or internal).

You will have until 13:00 to submit your report which should contain an executive summary of your findings and a technical section outlining your finding at a technical level.

You can find the log files here.

I did not have a clue what to do, at least not with PBX and these types of log files.

Is this type of exam common for entry level pen testing positions?

I thought the log analysis for this given scenario was more geared towards forensics and incident response (which wasn’t outlined in the job advertisement). Am I wrong?

When it was sent, suddenly my career aspirations quickly fizzled into a cold chill; my immediate thought was, OH NO... NOT LOG FILES! I can’t imagine anything more soul destroying than this.

If the answer to the question seems subjective then at least this may help serve other graduates in their quest.

this.josh
G Gr
  • Sorry, but this kind of question is *way* too subjective and localised to be a good fit here. Furthermore, it's almost impossible to answer - if the skill requirements of the job are unknown to you, then they're certainly unknown to us. Perhaps they're trying to see how you handle tasks that you're not used to? – Polynomial Feb 26 '13 at 15:03
  • Yes, it was exactly geared towards that, Polynomial, but as a graduate I am wondering if it's a common occurrence for pen testing jobs to get you to look at these types of scenarios. I think, though, if this is the type of exam that graduates face in pen testing, it has a lot of relevance here. Not to mention I would still like to learn from someone’s answer as to how to deal with these PBX log files. Very frustrating that I can’t find anything on it. – G Gr Feb 26 '13 at 15:13
  • This is more a rant than a question. I appreciate your frustration @Gav, what I would say is that much of pentesting/forensics is hard, painstaking work. Rejoice in that - if it was easy, they wouldn't have to pay you good money to do it. Getting the first job will be hard, you'll have to knock on a lot of doors and have faith in yourself. – GdD Feb 26 '13 at 16:42
  • No, wasn't a rant, just taken by shock... first interview, I didn't expect it to go well. Plus I like hard, I just didn't expect complete defeat :), would still like to understand how to interpret those log files, hence me waiting for any more potential answers. – G Gr Feb 26 '13 at 18:09
  • I am also looking for a bit of clarity, as I did not expect pen testing to involve forensics in terms of incident response. – G Gr Feb 26 '13 at 18:17
  • The forensics are useful when there is a breach of security, you need to be able to secure a machine and its data in a way that you do not compromise the chain of evidence or corrupt the information. – Lucas Kauffman Feb 26 '13 at 19:11

1 Answer

I don't like answering these questions because as Poly said they're almost impossible to answer, but this is too long to fit in a comment.

This IS common for a non-specialist IT-Security-related job (as you said, it's graduate-level). You're not a specialist with 10 years of experience.

Don't worry about this, at this stage of your career you'll do almost everything. I'm almost sure that 9 out of 10 IT guys will tell you that in the beginning they worked in many different areas until their career settled and took a clear path.

My advice to you is this: You're a graduate, don't over-obsess about your final career at this point. Keep it in your mind, think of it as a goal, but don't become obsessed. Focus on getting into the working life, gain as much experience as you can, and later you'll have the chance to be picky.

Best of luck.

Adi