starting information security consultancy



vivek
02-20-2014, 03:51 AM
Hi folks,
I am a final year PG student doing my Mtech course in Cyber Forensics and Information Security. I, with a couple of my friends, would like to start a security consultancy business when we pass out. But we are so curious about the feasibility since we don't have any experience. So it will be helpful if you guys would care to give us any tips and advice regarding starting an information security consultancy, or any other business ideas related to this field.

Regards
vivek

MyITGuy
02-20-2014, 02:14 PM

My recommendation - Go to work for someone else first. This gets you the experience you need as well as the opportunity to see what another/other companies are doing right or wrong.

Sean_DeSilva
02-22-2014, 09:27 AM
You have the perfect story to do cross-country interviews. Find other business owners in noncompetitive parts of the country that you can interview over the phone, perhaps in exchange for $50 donated to their favorite charity. As long as they understand that you will never compete with them, you can learn quite a bit from this exercise and shave much of the learning curve away.

junglepreneur
02-26-2014, 04:10 AM
Hello Vivek,

You can consider White Hat Hacking first... Using TOR and AWS you could slightly scan big corporates for intrusion and vulnerability points.

If you discover something - instantly send the pertinent information to the Chief Security Officer of the firm - they have a fiduciary liability to address these problems.

On the other hand, your penetration efforts may be seen as Black Hat Hacking - and you may end up in jail for 3 years.

But, the great news is - after you get out - you will absolutely be sought after as a security consultant.

MyITGuy
02-26-2014, 08:47 PM
This is the worst advice that can be given IMO...

JohnF
03-05-2014, 05:55 PM
Lol. I used to know a guy who works as a hacker - people hire him to test their security by breaking into places. I actually don't think there's anything illegal about simply looking for vulnerabilities as long as you're looking at code that's open for viewing rather than breaking in to steal information, and as long as you're not exploiting those vulnerabilities. Same with looking for flaws in commercial software - if you buy a copy, you can look through the code as long as you don't pirate it or help other hackers commit crimes. In fact, many companies post bounties for hackers who inform them of security flaws, and if they don't you can still contact them and offer to sell them the info you found.

I'd recommend working for someone else first, like ITGuy said. But in addition, start a blog, do some bug hunting in your spare time and collect some bounties/testimonials. Post your accomplishments to your blog, keeping it vague enough that whatever you find isn't exploitable just from reading your blog. After a year or two, you can strike out on your own, with your blog serving as a good resume.

MyITGuy
03-05-2014, 10:37 PM
Lol. I used to know a guy who works as a hacker - people hire him to test their security by breaking into places.
There's a big difference between being hired to look for vulnerabilities versus scanning any public IP Address looking for vulnerabilities that you would report to the company (likely for a fee).


I actually don't think there's anything illegal about simply looking for vulnerabilities as long as you're looking at code that's open for viewing rather than breaking in to steal information, and as long as you're not exploiting those vulnerabilities.
If you scan a network without authorization then you're breaking the law. If you obtain access to private information (even if you don't view it) or cause any issues that affect a production environment/revenue then you are almost guaranteed a lawsuit at a minimum.

Here's just one recent one that you may be aware of: Hacker Found Guilty of Breaching AT&T Site to Obtain iPad Customer Data | Threat Level | Wired.com (http://www.wired.com/threatlevel/2012/11/att-hacker-found-guilty/)


Same with looking for flaws in commercial software - if you buy a copy, you can look through the code as long as you don't pirate it or help other hackers commit crimes.

Looking through the code would require that the code be decompiled, and you will likely find a section in the ToS dedicated to this (if you ever happen to read them). This action alone would invalidate your license and would subject you to possible fines/legal action.