Pen Test Magazine – Interview with Erdal Ozkaya

Erdal Ozkaya is the founder and Senior Microsoft Instructor of CEO IT Training, which has now merged with Fast Lane Asia Pacific, one of Australia’s Silver certified Microsoft Learning Partners.


Erdal travels across Australia teaching IT workshops and has served as Project Manager/Engineer for several large organisations in Australia, China, the Philippines and the USA.
Erdal actively participates in worldwide events as a Technical Lead and Speaker. He was awarded “Best Technical Learning Guide” and “Best Speaker” in Microsoft Technical Education Seminars (TechEd) Australia.
He specialises in Active Directory; Windows Client and Server operating systems; Security/Exchange 2007/2010; SharePoint 2007/2010; EC-Council Security and ISO 27001/27002/27005.


The passion and commitment that Erdal has shown to his work has been recognized by Microsoft. In 2009, 2010 and 2011 Erdal Ozkaya was awarded the Microsoft Most Valuable Professional (Windows Expert - IT Pro) award. Erdal is also a Security Consultant and Certified Ethical Hacker Trainer.
Recently, in April 2010, Microsoft went one step further and announced Erdal Ozkaya as the FIRST Microsoft Certified Learning Consultant in Australia. There are only 16 recipients of this award in the world, with only one recipient in Australia.
Even more recently EC Council announced Erdal Ozkaya as the winner of the Global Instructor of the Year Award (2011). The award was in recognition of instructors that have contributed significantly, and made a difference to the information security community by providing leading EC-Council certification programs.


Erdal is also leading some user groups of PASS, GITCA (Culminis) & INETA.

How did you get involved in information security?


Erdal Ozkaya: When I was 9 years old, my brother received a James Bond style 3 digit manual handbag as a birthday gift. He used to hide his secret stuff inside the bag. One day I realized he really had something interesting in his bag, and I wanted to have access to it. Of course, my brother was not that keen for me to have access to his bag… Keeping the long story short, after running a manual password attack, which of course took me a while, and I did write every single combination down, within weeks I was able to open his bag. My reward was his Playboy magazine; as a 9-year-old boy, having access to this kind of magazine made me the most popular boy in my primary school.
Starting my career as a network administrator, then moving onto infrastructure engineering, with every work I completed, the security gaps that I found have always frustrated me. Researching every single issue that I have faced, reading many stuff on the net, doing many hands-on exercises… then moving onto IT consulting and sharing my insight with my clients from all organizations showed me the biggest gaps in IT departments. Then I decided to excel towards information security and build my skills and knowledge in the field to be able to pass them on to everyone else around me.


What was the key to success of CEO IT?

EO: I started CEO Training by myself with my wife’s support. When I first started, all I had was a teaching degree, as a secondary subject while I was studying IT at university, and lots of real life experience. With one word I can tell that the key to CEO IT Training’s success is delivering training by trainers who have real life experience, and this success has led us recently into merging with one of the world’s biggest training organizations, Fastlane Asia Pacific.


How long have you been an MVP?

EO: I have been rewarded as Microsoft Most Valuable Professional since 2009.

What benefits have you noticed being MVP?

EO: Becoming an MVP has opened the doors for me into every opportunity I wanted to excel. All of the benefits that the MVP Program provides are really great. The MVP title gives you access to an unprecedented amount of information and interaction opportunities with other MVPs worldwide and also with Microsoft Product Groups & engineering teams. You get much of the latest information to keep you busy. Being an MVP also serves to increase the level of confidence that my customers have in me and my ability to assist them. It acknowledges that my activities in the communities are recognized as helpful to the people who are involved in Microsoft products and technologies.
The title allows me to experience the most advanced technology one step ahead of anyone else. I have access to important Microsoft news, software prereleases, and the technical Knowledge Base, with a chance of having regular meetings about the upcoming products and asking questions straight to the people who made the products such as Windows

Which events taking place this year would you recommend to pentesters?

EO: For Australia: AusCERT http://conference.auscert.org.au/conf2012/
Take Down Con from EC Council
Hacker Halted, again from EC Council http://www.eccouncil.org
Microsoft Tech Ed http://www.msteched.com

What are the best courses for beginners and for advanced pentesters?


EO: For beginners, EC Council Network Security Administrator and then Certified Ethical Hacker and then Licensed Penetration Tester ECSA/LPT course. After all this is done, Advanced Penetration Testing class will be my order.
Is this all of the courses? Of course not. There is a really good offer from the Pen Test Mag which gives a free Pen Test class for every subscription. Go for it! Having a subscription to a magazine like that will also give you many real-life examples delivered to your door/inbox. My job at Fastlane AP is not just to train professionals to become Microsoft and EC Council certified, but also to give the right training advice. There are too many training providers and vendors; I would highly recommend doing thorough research before signing up for any course. Pen testing skills are not as easy to gain as is advertised on many web sites.


Which skills, in your opinion, are the most important to become a good pentester?


EO: This is a hard one. As is known, becoming a pen tester is not easy. A pen tester should be able to understand a network nearly from A to Z, as well as the components of a network. On top of it, a pen tester should have really good tools to make his life easy. If you are lucky like me and have access to Core Impact, your job is much easier than other testers'. Also, BackTrack and Metasploit skills are a MUST. There is no way you can have all the skills in you; that’s why it’s also important to have a good team. A good reverse engineer will help you to open many doors in terms of finding zero day vulnerabilities, or a good social engineer can actually open the physical doors :) to you. A good database administrator will help you to get protection against injections.


How do you see the position of pen testers on the background of other professions in the IT field?


EO: For me, pen testing is like the MASTER level of IT. In other words, being a pentester means being a jack of all trades in IT. You need to know and understand a bit of everything in IT in order to be a good pentester.

What can you say about the situation and development of pentesting market today?

EO: Many companies still do not believe in the benefits; the others complain about the cost. The fact is, if you don’t spend enough on your IT security then you will have all your intellectual property unprotected. It’s really important to employ or contract the right pen tester. The situation of the market is still developing. There is a huge need for qualified professionals, and I do see the market as promising. There is no single day passing with a news of XXX company was hacked, ABC company just released the data was stolen and published in the net. Some of them are security solution providers; their fault is in relying on just a single vendor! Or not giving the security department the attention it deserves.

Is competition between companies that offer pentesting services intense? (Yes or No) What are the reasons of it?

EO: Definitely yes. Some of them offer a cheap service relying just on a few software scans. I also mentioned that having the right tool is important, but there is no way to complete a proper pentest job just with a tool. A good pen test needs a good framework and a good report, which will take the price up.

Depending on the budget, sometimes white box pentesting could be better than going to a cheaper solution.
