Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/9/2013
12:06 PM
Vincent Liu
Vincent Liu
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

So You Wanna Be A Pen Tester?

Like anything you set out to do, it's best to start with the fundamentals

If you're looking to advance your career in the world of security, then you probably have a lot of questions about what you should do – what books to read, what groups to join, what training or certifications to get.

Ten years ago, I would have shared a short list of books and courses. These days, the number of options has multiplied to the point where it's almost a precondition to know what specialization you want to pursue – from being a "penetration tester" to a "forensics expert" to a "SOC analyst" or "compliance analyst." There are many paths to go down, and each calls for a different set of skills. In this article, we'll assume you want to become a penetration tester.

Let's also say you have the drive to become a good pen tester, maybe even a great pen tester. You're not reading this because you think there's a decent paycheck at the end of it.

Like anything you set out to do, it's best to start with the fundamentals. I've been teaching, training, and leading penetration testers for a long time, and the ones who always wind up the best have a thorough understanding of what's going on under the hood. Are you already a great sys admin who understands the nuances of many operating systems, or a professional developer who has a deep background in one or more languages? Perfect. You have a big advantage, over the long term, compared to the people getting into security without understanding how things work, including those with lots of letters after their names. Most of the pen-testing-related certifications test you on a thin level of knowledge across a broad domain, which belies the true complexity of pen testing. Or they gauge your ability to run tools, which just validates that you're a script kiddie. To be more than a tool jockey, here's what you should consider:

Learn to program. It doesn't matter what language, although C is a good language that forces you to understand many key concepts. Too hard? Try PHP, Python, or Ruby. Eventually, you'll want to progress to lower-level languages. Keep in mind you don't have to be the best programmer in the world; you don't even have to be decent. But you must have a strong understanding of how applications work and how they interact with one another (e.g., the OS, services, other applications).

In order to break an application, you must be able to think like a developer. In order to think like a developer, you must understand how they build applications and the programming models and paradigms. So it's important to learn the common design patterns and algorithms used by programmers. This way when you're breaking an application, you have a reasonable idea to answer questions like, "How did they implement this functionality?" and, "What didn't they think of when writing this code?" Then, finally, "How can I leverage that gap to break their application?" Building an attack based on an assumption that's based on another assumption should be considered de rigueur. Layered assumptions, sometimes almost a leap of faith, underscores many of the more sophisticated and elegant exploits.

Many other subjects are worth studying as well. Learn the basics of networks by setting up and running your own home network. That way, you'll gain an understating of how network administrators view the world. Learn operating system nuances by building your own home servers so that you better understand how system administrators view things. Read Security Engineering, and learn how to think like a security engineer. You may even take a look at the concepts in the CISSP domains. A solid foundation in security concepts is essential to understanding how security should work and how it shouldn't.

At the risk of trotting out the too-oft quoted Sun Tzu, "If you know your enemy and know yourself, you can fight a hundred battles without disaster." You learn programming, networks, and system administration because if you know how to think like a programmer, sysadmin, and network administrator, then you'll be much more effective at breaking in.

This is why security is harder and more dynamic than other IT areas. You not only have to be able to learn and understand multiple domains (i.e., programming, networking, administration, architecture) and be able to adopt their perspectives, but you also have to figure out how to break them using knowledge often drawn from multiple domains.

The early years of my professional career (and a great deal of my free time) were spent reading as much as I could put my hands on, learning on my own, and studying all tof he available texts that were out there. When I started, there was only one book that had anything to do with security on shelves. Now there are so many options you could spend all of your time just reading the security books. But don't make that mistake. Start with the fundamentals. Once you have the base knowledge, security topics become dramatically easier to comprehend. Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting. Vincent is a ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Snyper82
50%
50%
Snyper82,
User Rank: Apprentice
9/26/2013 | 2:53:45 PM
re: So You Wanna Be A Pen Tester?
"Start with the fundamentals." Programming, SysAdmin, NetAdmin? If programming is the lack, that is where one should start.

You mentioned C, for someone just starting their programming path, even a little later in life, what is a good gateway language?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17476
PUBLISHED: 2020-08-10
Mibew Messenger before 3.2.7 allows XSS via a crafted user name.
CVE-2020-9525
PUBLISHED: 2020-08-10
CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an authentication flaw that allows remote attackers to perform a man-in-the-middle attack, as demonstrated by eavesdropping on user video/audio streams, capturing credentials, and compromising devices.
CVE-2020-9526
PUBLISHED: 2020-08-10
CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an information exposure flaw that exposes user session data to supernodes in the network, as demonstrated by passively eavesdropping on user video/audio streams, capturing credentials, and compromising devic...
CVE-2020-9527
PUBLISHED: 2020-08-10
Firmware developed by Shenzhen Hichip Vision Technology (V6 through V20, after 2018-08-09 through 2020), as used by many different vendors in millions of Internet of Things devices, suffers from buffer overflow vulnerability that allows unauthenticated remote attackers to execute arbitrary code via ...
CVE-2020-9528
PUBLISHED: 2020-08-10
Firmware developed by Shenzhen Hichip Vision Technology (V6 through V20), as used by many different vendors in millions of Internet of Things devices, suffers from cryptographic issues that allow remote attackers to access user session data, as demonstrated by eavesdropping on user video/audio strea...