Attacks/Breaches

9/9/2013
12:06 PM
Vincent Liu
Vincent Liu
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

So You Wanna Be A Pen Tester?

Like anything you set out to do, it's best to start with the fundamentals

If you're looking to advance your career in the world of security, then you probably have a lot of questions about what you should do – what books to read, what groups to join, what training or certifications to get.

Ten years ago, I would have shared a short list of books and courses. These days, the number of options has multiplied to the point where it's almost a precondition to know what specialization you want to pursue – from being a "penetration tester" to a "forensics expert" to a "SOC analyst" or "compliance analyst." There are many paths to go down, and each calls for a different set of skills. In this article, we'll assume you want to become a penetration tester.

Let's also say you have the drive to become a good pen tester, maybe even a great pen tester. You're not reading this because you think there's a decent paycheck at the end of it.

Like anything you set out to do, it's best to start with the fundamentals. I've been teaching, training, and leading penetration testers for a long time, and the ones who always wind up the best have a thorough understanding of what's going on under the hood. Are you already a great sys admin who understands the nuances of many operating systems, or a professional developer who has a deep background in one or more languages? Perfect. You have a big advantage, over the long term, compared to the people getting into security without understanding how things work, including those with lots of letters after their names. Most of the pen-testing-related certifications test you on a thin level of knowledge across a broad domain, which belies the true complexity of pen testing. Or they gauge your ability to run tools, which just validates that you're a script kiddie. To be more than a tool jockey, here's what you should consider:

Learn to program. It doesn't matter what language, although C is a good language that forces you to understand many key concepts. Too hard? Try PHP, Python, or Ruby. Eventually, you'll want to progress to lower-level languages. Keep in mind you don't have to be the best programmer in the world; you don't even have to be decent. But you must have a strong understanding of how applications work and how they interact with one another (e.g., the OS, services, other applications).

In order to break an application, you must be able to think like a developer. In order to think like a developer, you must understand how they build applications and the programming models and paradigms. So it's important to learn the common design patterns and algorithms used by programmers. This way when you're breaking an application, you have a reasonable idea to answer questions like, "How did they implement this functionality?" and, "What didn't they think of when writing this code?" Then, finally, "How can I leverage that gap to break their application?" Building an attack based on an assumption that's based on another assumption should be considered de rigueur. Layered assumptions, sometimes almost a leap of faith, underscores many of the more sophisticated and elegant exploits.

Many other subjects are worth studying as well. Learn the basics of networks by setting up and running your own home network. That way, you'll gain an understating of how network administrators view the world. Learn operating system nuances by building your own home servers so that you better understand how system administrators view things. Read Security Engineering, and learn how to think like a security engineer. You may even take a look at the concepts in the CISSP domains. A solid foundation in security concepts is essential to understanding how security should work and how it shouldn't.

At the risk of trotting out the too-oft quoted Sun Tzu, "If you know your enemy and know yourself, you can fight a hundred battles without disaster." You learn programming, networks, and system administration because if you know how to think like a programmer, sysadmin, and network administrator, then you'll be much more effective at breaking in.

This is why security is harder and more dynamic than other IT areas. You not only have to be able to learn and understand multiple domains (i.e., programming, networking, administration, architecture) and be able to adopt their perspectives, but you also have to figure out how to break them using knowledge often drawn from multiple domains.

The early years of my professional career (and a great deal of my free time) were spent reading as much as I could put my hands on, learning on my own, and studying all tof he available texts that were out there. When I started, there was only one book that had anything to do with security on shelves. Now there are so many options you could spend all of your time just reading the security books. But don't make that mistake. Start with the fundamentals. Once you have the base knowledge, security topics become dramatically easier to comprehend. Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting. Vincent is a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Snyper82
50%
50%
Snyper82,
User Rank: Apprentice
9/26/2013 | 2:53:45 PM
re: So You Wanna Be A Pen Tester?
"Start with the fundamentals." Programming, SysAdmin, NetAdmin? If programming is the lack, that is where one should start.

You mentioned C, for someone just starting their programming path, even a little later in life, what is a good gateway language?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.
CVE-2018-20727
PUBLISHED: 2019-01-17
Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php.