Perimeter
2/27/2012
01:51 AM
Vincent Liu
Vincent Liu
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Can You Train A Great Penetration Tester?

The hacker mindset can't be taught -- it must be developed and refined over time

As far back as I can remember, the industry has struggled to figure out the best way to train a penetration tester. Along similar lines, they’ve questioned whether the “hacking mindset” can be taught, or whether it’s a talent you’re born with. All new pen testers wrestle with this question early in their careers, but rarely has a definitive answer been offered.

As a penetration tester for the past decade, and as a manager of pen testers for half as long, I’ve observed and studied many testers. In the course of training, leading, and evaluating pen testers, I’ve come to a conclusion of my own:

Penetration testers can be trained -- to a point.

It is possible to teach someone the fundamentals of security, the attack methodology, and the testing techniques. That’s enough knowledge to make a novice -- an individual with basic proficiency in performing penetration testing. Adding experience to the mix may result in marginal skill improvements, but simply knowing a few techniques and trying them repeatedly will get you only so far.

The leap to a more advanced level of skill requires study. More often than not, this means self-study. In order to be better, a pen tester must understand the ins and outs of the system that he is targeting. Focused and continuous learning is essential in being effective as a pen tester. And that’s where passion comes into play because only those willing to dedicate their time (their free time, in many cases) to learning more will get to be stronger testers.

Sadly, that’s when your passion, learning, and, most important, your training will hit a wall.

Achieving expert pen-test skills requires a lot more than just passion and learning. And it can’t be trained. There are certain qualities that great pen testers exhibit, which combine into what many refer to as the “hacker mindset.” The hacker mindset can’t be taught; instead, it must be developed and refined over the years. Two key talents comprise the “hacker mindset." First is the ability to synthesize disparate data to create actionable information. Second is the knack for identifying and pursuing the most effective attack paths against a target. Some will bring these talents to the table, and some must develop them over time, but most testers will never possess them.

At the head of the class are the testers who I consider the masters. They’re very few and far between, and while they possess the same qualities as the experts, they have one secret that sets them apart from everyone else. We’ll reveal and explore that quality in subsequent articles. But it’s because of this one quality that they are now and probably will always be simply better than everyone else.

So pen testing can be taught to a degree, but the hacking mindset must be developed. Passion and learning play key roles in all stages, but certain qualities exist that make the experts and masters better than the rest. In following articles, we’ll explore these characteristics in more detail to truly understand the differences between the novice, advanced, expert, and master penetration testers.

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. He has coauthored several books including Hacking Exposed Wireless, 1st and 2nd editions, Hacking Exposed Web Applications, 3rd edition, and the upcoming Web Application Security, A Beginner's Guide. He can be reached on Twitter @vinnieliu Vincent Liu (CISSP) is a Managing Partner at Stach & Liu, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm strategy, practice development, and client matters. Vincent is ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.