Perimeter
2/27/2012
01:51 AM
Vincent Liu
Vincent Liu
Commentary
50%
50%

Can You Train A Great Penetration Tester?

The hacker mindset can't be taught -- it must be developed and refined over time

As far back as I can remember, the industry has struggled to figure out the best way to train a penetration tester. Along similar lines, they’ve questioned whether the “hacking mindset” can be taught, or whether it’s a talent you’re born with. All new pen testers wrestle with this question early in their careers, but rarely has a definitive answer been offered.

As a penetration tester for the past decade, and as a manager of pen testers for half as long, I’ve observed and studied many testers. In the course of training, leading, and evaluating pen testers, I’ve come to a conclusion of my own:

Penetration testers can be trained -- to a point.

It is possible to teach someone the fundamentals of security, the attack methodology, and the testing techniques. That’s enough knowledge to make a novice -- an individual with basic proficiency in performing penetration testing. Adding experience to the mix may result in marginal skill improvements, but simply knowing a few techniques and trying them repeatedly will get you only so far.

The leap to a more advanced level of skill requires study. More often than not, this means self-study. In order to be better, a pen tester must understand the ins and outs of the system that he is targeting. Focused and continuous learning is essential in being effective as a pen tester. And that’s where passion comes into play because only those willing to dedicate their time (their free time, in many cases) to learning more will get to be stronger testers.

Sadly, that’s when your passion, learning, and, most important, your training will hit a wall.

Achieving expert pen-test skills requires a lot more than just passion and learning. And it can’t be trained. There are certain qualities that great pen testers exhibit, which combine into what many refer to as the “hacker mindset.” The hacker mindset can’t be taught; instead, it must be developed and refined over the years. Two key talents comprise the “hacker mindset." First is the ability to synthesize disparate data to create actionable information. Second is the knack for identifying and pursuing the most effective attack paths against a target. Some will bring these talents to the table, and some must develop them over time, but most testers will never possess them.

At the head of the class are the testers who I consider the masters. They’re very few and far between, and while they possess the same qualities as the experts, they have one secret that sets them apart from everyone else. We’ll reveal and explore that quality in subsequent articles. But it’s because of this one quality that they are now and probably will always be simply better than everyone else.

So pen testing can be taught to a degree, but the hacking mindset must be developed. Passion and learning play key roles in all stages, but certain qualities exist that make the experts and masters better than the rest. In following articles, we’ll explore these characteristics in more detail to truly understand the differences between the novice, advanced, expert, and master penetration testers.

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. He has coauthored several books including Hacking Exposed Wireless, 1st and 2nd editions, Hacking Exposed Web Applications, 3rd edition, and the upcoming Web Application Security, A Beginner's Guide. He can be reached on Twitter @vinnieliu Vincent Liu (CISSP) is a Managing Partner at Stach & Liu, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm strategy, practice development, and client matters. Vincent is ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2188
Published: 2015-02-26
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

CVE-2015-0594
Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in the help pages in Cisco Common Services, as used in Cisco Prime LAN Management Solution (LMS) and Cisco Security Manager, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCuq54654 and CSCun1...

CVE-2015-0632
Published: 2015-02-26
Race condition in the Neighbor Discovery (ND) protocol implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service via a flood of Router Solicitation messages on the local network, aka Bug ID CSCuo67770.

CVE-2015-0651
Published: 2015-02-26
Cross-site request forgery (CSRF) vulnerability in the web GUI in Cisco Application Networking Manager (ANM), and Device Manager (DM) on Cisco 4710 Application Control Engine (ACE) appliances, allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuo99753.

CVE-2015-0882
Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1.5 ja through 1.5.1 ja allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to admin/includes/init_includes/init_sanitize.php an...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.