Although penetration testing might be viewed as one of the more glamorous jobs in cybersecurity – think of Tom Cruise in Mission Impossible hacking into a CIA computer while dangling horizontally from cables in a heavily protected room – it might come as a surprise to learn that one of the challenges of the profession is fighting “boredom.”
“It sounds awesome, right? You get this view of Tom Cruise being [lowered] into a computer room, but in reality it’s the same tools, techniques, procedures done repeatedly over and over again. You’ll get a lot of the same findings,” says David Maynor, a security consultant who has been conducting penetration tests for more than 15 years.
Penetration testing – aka pen testing – is the practice of testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit. Many organizations hire professional services or consulting firms to assess the security posture of specific systems, attempt to break in or compromise the systems, and then provide a documented report on how the applications or systems were breached and steps to mitigate future attacks. Other companies hire penetration testers to be a part of their internal security teams, where they test products or systems for exploitable security flaws.
Most clients don’t engage pen testers to do a full-spectrum test. Instead, they want small parts of their IT infrastructure tested in a controlled environment, Maynor says. So if pen testers run their tools, do manual analysis of the environment, and there is nothing to find, that can be frustrating if a week is spent on testing and there is nothing to document. “Then there is the stress, somewhat of a pride thing, that you aren’t able to find things to help people make things better,” he says.
Helping organizations improve their security postures so bad guys can’t continue to take down systems or steal information is the ultimate goal and reward for pen testers, experts say. To that end, the first requisite is an innate curiosity about how things work and how to solve problems.
“Most of the people who are good at pen testing have always had an interest in understanding how things work,” says Deral Heiland, senior security consultant with Rapid7, a provider of security tools and penetration testing services. “They have that hacker’s mentality to be able to go in, and if they don’t understand something, to quickly figure it out.”
How to Become a Pen Tester
When Maynor started in the profession there wasn’t a lot of formal training for penetration testing other than being on red teams – groups that attack an organization's digital infrastructure as an attacker would, to test the organization's defenses – in the government.
“A lot of people ask me how to get into it,” he says. “The most important thing is don’t try to be a pen tester.”
People can start out by working as system administrators or programmers, becoming so knowledgeable about how their systems work that finding flaws becomes second nature to them. “Then the security and penetration testing aspects will come naturally the more you know about the systems,” Maynor says.
“At a minimum, you need a good understanding of computing operating systems – Windows and Linux,” says Heiland. “You need to have a good working understanding of networks and network technology.”
A solid understanding of a scripting language is also helpful. “To be effective you need operational experience. You need to have worked in IT,” he notes.
“What I tell people is, the penetration testers who do well have a mindset,” says D.J. Vogel, head of security and compliance with Sikich, a professional services firm. “You have to think like a bad guy, how a bad guy gets into a system, because it is a bit of a game in that fashion,” he says.
Having good technical skills is important, but it is more important to be able to think on your feet and approach a test a little bit like a game, “like capture the flag, where you are trying to get into an organization as opposed to being a really smart, astute technical person,” Vogel says.
In one pen test engagement, Vogel and his team were going after a password database. Vogel determined that the network administrator had a virtual private network connection from his home location into the corporate office. After doing research on social media, he found out information about the administrator – the names of his wife, children, and pet. He was able to get into the administrator’s home computer through his wife’s account because she used a password based on the pet’s name.
Now Vogel had access to the domain credentials of the corporate network.
“You got to think outside of the box in terms of these attacks,” he says. “That is by no means a typical corporate attack. But at the end of the day, we were able to demonstrate to the client, ‘here is the risk and here is why you need to think about how you allow remote access to your network.’”
A penetration tester can be a specialist or a generalist, says Alissa Knight, managing director with Brier & Thorn Germany, GmbH. Specialists are recognized for testing more specialized attack surfaces, such as Electronic Control Units (ECUs) in connected automobiles. Or they might focus on application penetration testing, requiring a deep understanding of web technologies as well as previous experience as a developer. At the very least, they should be able to interpret reports from tools like a static-code analyzer, Knight says.
Generalists focus on the testing of traditional information systems.
“I once had a penetration tester tell me that someone who doesn’t code can't be as good as a penetration tester who does,” Knight recalls. “I've never agreed with this. I couldn’t write you a line of code, but have performed over 200 penetration tests in my career and published the first advisory on hacking VPN [virtual private networking] appliances, presented at Black Hat Briefings in 2001.”
So even if you can't code, you can still pursue a career in penetration testing, she says.
A junior-level penetration tester can make $75,000-$90,000 a year, and a senior pen tester can get paid as much as $175,000 per year. Consultants working as subcontractors under a prime contractor can make $90 to $125 per hour depending on where they are located, Knight says.
Communications Skills For the Win
“Once you have broken in and compromised a system, the biggest skill pen testers can have is the ability to effectively communicate their findings to their client for remediation,” Maynor says. “If you can’t tell people how you did what you did, where you did it, and how you can fix it, it is not really all that valuable.”
Penetration testing is a service that has a beginning, middle, and end. The beginning is the assessment, the middle is the fun part like breaking into a system, and the end is the documentation and communication of those findings to a client. “If you don’t do all those things, I don’t think you are doing pen testing very well,” Maynor says.
Long hours and excessive travel are some of the rigors of the trade that can cause pen testers to “burn out,” experts say. In addition, pen testers must stay current with the latest technology advances, security tools, and hacking techniques.
“I think penetration testers have a shelf life,” Knight says. “I think the biggest burnout I see is related to people who get into it for the money and not necessarily for the passion. It's tough hours and high demands by clients and on ourselves that if you aren’t in it for the right reasons, you're immediately noticeable,” she says.
“Penetration testing is less of a job than it is a school and the person a student – less about access to zero-day exploits than it is methodology. Always be learning. Always be playing with new tools” – open source and commercial, Knight advises.