Perimeter
2/27/2012
01:51 AM
Vincent Liu
Vincent Liu
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Can You Train A Great Penetration Tester?

The hacker mindset can't be taught -- it must be developed and refined over time

As far back as I can remember, the industry has struggled to figure out the best way to train a penetration tester. Along similar lines, they’ve questioned whether the “hacking mindset” can be taught, or whether it’s a talent you’re born with. All new pen testers wrestle with this question early in their careers, but rarely has a definitive answer been offered.

As a penetration tester for the past decade, and as a manager of pen testers for half as long, I’ve observed and studied many testers. In the course of training, leading, and evaluating pen testers, I’ve come to a conclusion of my own:

Penetration testers can be trained -- to a point.

It is possible to teach someone the fundamentals of security, the attack methodology, and the testing techniques. That’s enough knowledge to make a novice -- an individual with basic proficiency in performing penetration testing. Adding experience to the mix may result in marginal skill improvements, but simply knowing a few techniques and trying them repeatedly will get you only so far.

The leap to a more advanced level of skill requires study. More often than not, this means self-study. In order to be better, a pen tester must understand the ins and outs of the system that he is targeting. Focused and continuous learning is essential in being effective as a pen tester. And that’s where passion comes into play because only those willing to dedicate their time (their free time, in many cases) to learning more will get to be stronger testers.

Sadly, that’s when your passion, learning, and, most important, your training will hit a wall.

Achieving expert pen-test skills requires a lot more than just passion and learning. And it can’t be trained. There are certain qualities that great pen testers exhibit, which combine into what many refer to as the “hacker mindset.” The hacker mindset can’t be taught; instead, it must be developed and refined over the years. Two key talents comprise the “hacker mindset." First is the ability to synthesize disparate data to create actionable information. Second is the knack for identifying and pursuing the most effective attack paths against a target. Some will bring these talents to the table, and some must develop them over time, but most testers will never possess them.

At the head of the class are the testers who I consider the masters. They’re very few and far between, and while they possess the same qualities as the experts, they have one secret that sets them apart from everyone else. We’ll reveal and explore that quality in subsequent articles. But it’s because of this one quality that they are now and probably will always be simply better than everyone else.

So pen testing can be taught to a degree, but the hacking mindset must be developed. Passion and learning play key roles in all stages, but certain qualities exist that make the experts and masters better than the rest. In following articles, we’ll explore these characteristics in more detail to truly understand the differences between the novice, advanced, expert, and master penetration testers.

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. He has coauthored several books including Hacking Exposed Wireless, 1st and 2nd editions, Hacking Exposed Web Applications, 3rd edition, and the upcoming Web Application Security, A Beginner's Guide. He can be reached on Twitter @vinnieliu Vincent Liu (CISSP) is a Managing Partner at Stach & Liu, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm strategy, practice development, and client matters. Vincent is ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0985
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.

CVE-2014-0986
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.

CVE-2014-0987
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.

CVE-2014-0988
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.

CVE-2014-0989
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.

Best of the Web
Dark Reading Radio