Perimeter
2/27/2012
01:51 AM
Vincent Liu
Vincent Liu
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Can You Train A Great Penetration Tester?

The hacker mindset can't be taught -- it must be developed and refined over time

As far back as I can remember, the industry has struggled to figure out the best way to train a penetration tester. Along similar lines, they’ve questioned whether the “hacking mindset” can be taught, or whether it’s a talent you’re born with. All new pen testers wrestle with this question early in their careers, but rarely has a definitive answer been offered.

As a penetration tester for the past decade, and as a manager of pen testers for half as long, I’ve observed and studied many testers. In the course of training, leading, and evaluating pen testers, I’ve come to a conclusion of my own:

Penetration testers can be trained -- to a point.

It is possible to teach someone the fundamentals of security, the attack methodology, and the testing techniques. That’s enough knowledge to make a novice -- an individual with basic proficiency in performing penetration testing. Adding experience to the mix may result in marginal skill improvements, but simply knowing a few techniques and trying them repeatedly will get you only so far.

The leap to a more advanced level of skill requires study. More often than not, this means self-study. In order to be better, a pen tester must understand the ins and outs of the system that he is targeting. Focused and continuous learning is essential in being effective as a pen tester. And that’s where passion comes into play because only those willing to dedicate their time (their free time, in many cases) to learning more will get to be stronger testers.

Sadly, that’s when your passion, learning, and, most important, your training will hit a wall.

Achieving expert pen-test skills requires a lot more than just passion and learning. And it can’t be trained. There are certain qualities that great pen testers exhibit, which combine into what many refer to as the “hacker mindset.” The hacker mindset can’t be taught; instead, it must be developed and refined over the years. Two key talents comprise the “hacker mindset." First is the ability to synthesize disparate data to create actionable information. Second is the knack for identifying and pursuing the most effective attack paths against a target. Some will bring these talents to the table, and some must develop them over time, but most testers will never possess them.

At the head of the class are the testers who I consider the masters. They’re very few and far between, and while they possess the same qualities as the experts, they have one secret that sets them apart from everyone else. We’ll reveal and explore that quality in subsequent articles. But it’s because of this one quality that they are now and probably will always be simply better than everyone else.

So pen testing can be taught to a degree, but the hacking mindset must be developed. Passion and learning play key roles in all stages, but certain qualities exist that make the experts and masters better than the rest. In following articles, we’ll explore these characteristics in more detail to truly understand the differences between the novice, advanced, expert, and master penetration testers.

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. He has coauthored several books including Hacking Exposed Wireless, 1st and 2nd editions, Hacking Exposed Web Applications, 3rd edition, and the upcoming Web Application Security, A Beginner's Guide. He can be reached on Twitter @vinnieliu Vincent Liu (CISSP) is a Managing Partner at Stach & Liu, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm strategy, practice development, and client matters. Vincent is ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio