Chris Sienko: Welcome to another episode of the Cyber Work with InfoSec Podcast, the weekly podcast where we sit down with a different industry thought leader to discuss the latest cyber security trends and how those trends are affecting the work of InfoSec professionals, as well as tips for those trying to break in or move up the ladder of the cyber security industry.
Today’s episode is a webinar released on June 19th, 2019 and features guest presenter Patrick Lane, CompTIA’s Director of Product. Patrick is going to help you learn everything you need to know about CompTIA’s PenTest+ certification and he’ll be discussing the following topics: why CompTIA created the PenTest+ certification, how PenTest+ compares to certs like Certified Ethical Hacker, the CEH, and who should earn a PenTest+ certification. We’ll also do an overview of the PenTest+ exam.
If you’ve been on the fence about whether to start studying for this new certification, join me in listening to this one hour introduction to the PenTest+ certification featuring Patrick Lane and moderator Hunter Reed.
Hunter Reed: Hello. Thanks for joining us on today’s webinar, PenTest+, everything you need to know about CompTIA’s new certification. My name is Hunter Reed and I’ll be moderating today’s webinar. We’re excited to have Patrick Lane, Director of Products at CompTIA here with us today. Patrick Lane directs ISE workforce skills certifications for CompTIA including Security+, PenTest+, CySA+ and CASP+.
He assisted the U.S. National Cyber Security Alliance to create the Lock Down Your Login campaign to promote multifactor authentication nationwide. He has implemented a wide variety of IT projects including an intranet and the help desk for 11,000 end users. Patrick is an Armed Forces Communications and Electronics Association lifetime member born and raised on U.S. military bases and has authored and co-authored multiple books including Hack Proofing Linux: A Guide to Open Source Security.
And we’re super excited to have him with us today, so Patrick, you want to go ahead and take it away?
Patrick Lane: Sure. Thanks a lot Hunter. Today we’re going to be covering five different items and I’m going to be leading you in this discussion. My name is Patrick Lane. Thanks for the great introduction. Yes, I’m here today to talk to you all about PenTest+. And so I’ll give you an overview and then I’m going to tell you where PenTest+ fits in a cyber security career because you’ll find it’s located at about the three to four year level of knowledge, skills and abilities for someone who’s been working in cyber security.
I’ll also go through some of the specifics. I can show you the exam objectives and we’ll talk about some of the training and then go into questions.
First let’s just go for an overview. What is PenTest+? PenTest+, it’s an intermediate level cyber security certification for people who are tasked with hands on penetration testing to identify, exploit, report and manage vulnerabilities on a network. So what it’s doing, it’s assessing penetration testing skills, but also vulnerability assessment and management skills. We’re focusing on those skills necessary to determine the resiliency of a network against attacks.
So essentially a PenTester is an ethical hacker. A PenTester is someone who is usually hired by someone to test a network to find the vulnerabilities in it before the bad actors do. And this job role has really come to importance since about 2012, 2013 and 2014 when we had a lot of our advanced persistent threats come in from nation states throughout the world preying on the United States in particular.
If you all recall the Target attacks back in 2013, 2014, the Office of Personnel Management from the U.S. Department of Veteran Affairs. There have been a lot of hacks that all started, many people will say, around 2013, 2014, when the bad actors got as smart as the good actors. And that was bound to happen because of the Dark Web and the availability of all of these hacking tools that have been stolen and then posted on the Dark Web.
Most of them nation state weapons. For instance, you can find Armageddon software from the Russians from their Ukraine attacks a few years ago when they invaded Ukraine and took about a third of the country from it. They used a software called Armageddon. And so that Armageddon software appears on the dark web all the time and you can pick it up and use it.
Unfortunately, due to that reasoning, the penetration testing tools which are actually used and practiced in the certification, they’re hacking tools essentially. And so a penetration tester is really a hacker who has permission. So we could ask ourselves a joke, what is the difference between a penetration tester and a bad actor? Permission.
The only difference between a penetration tester and a bad actor is that you usually go through a planning and scoping stage and you’ve talked to whomever you’re going to be working with to test their network. So that is essentially what this is about. It’s essentially a certification that has come to fruition just in recent years because of these massive changes we had in cyber security since 2013, 2014.
And so now essentially, penetration testing skills are needed in IT because we have to be on the offensive. Back in the old days, we could just sit around and create a firewall for perimeter security and then put antivirus software in the network and you were okay. You could actually have a secure network, and even in the ’90s, you could go home with your pager and then come back to the network if you had to.
Now of course, this is a 24/7 offensive task where you’ll often have a security operation center running 24 hours a day. Maybe you have a team in that of security analysts and penetration testers who are just constantly testing your networks and trying to make sure that they’re not weak and then you could patch any weaknesses you find.
So it’s a full time job and it’s full time offense and it’s being proactive. And that’s why penetration testing is so important now. This skill has really become extremely popular just in the past five years. Oh, there’s one thing I forgot to mention and that’s the key job roles and that’s listed here.
So the key job roles are penetration tester, vulnerability tester, security analyst, vulnerability assessment analyst, network security operations and application security vulnerability. Those are some of the jobs that you can find if you type in penetration tester, or ethical hacker, or vulnerability assessment and management into indeed.com for example, which is a job search tool.
We’re often asked how PenTest+ is different because there are other ethical hacking certifications out there, there are other penetration testing certifications out there. CompTIA created this due to an industry demand. That’s why we create all of our certifications, it’s based on statistics, surveys, data. We’ve really moved to data analysis and this came up as one of the biggest skills gaps out there.
And so we tried to make our exam unique. And so ours is unique because it has both hands on performance based questions as well as multiple choice. Some of the competitors out there that test for PenTesting skills, they’re actually just multiple choice tests or they might just be like a 24 hour capture the flag test.
Our test is unique in that it’s half multiple choice, half performance-based, so you actually have simulations on the exam when you’re at the Pearson VUE Testing Center that actually require you to do skills required by a penetration tester. So if you were able to pass the penetration testing or PenTest+ exam, then you’ve proven your ability with hands on skills.
Another thing is that PenTest+, it covers vulnerability assessment and management and that’s really important because the other certifications that cover penetration testing and ethical hacking, they don’t cover the vulnerability assessment and management skills. And the reason why our cert covers the vulnerability assessment and management plus penetration testing is because there are actually three times more jobs available in vulnerability assessment and management.
In fact, penetration testing technically is a tool used by a vulnerability assessment and management professional. And if we take another step back, believe it or not, all of this is categorized under information security analyst by the Bureau of Labor Statistics. There’s something called the Occupational Outlook Handbook by the Bureau of Labor Statistics that includes the number of jobs available and it categorizes job roles.
And so it categorizes PenTesting under security analysts. It’s really amazing. But it makes sense if you look at that large grouping because penetration testing essentially is one of the skills that a security analyst would use ultimately in order to monitor a network and ensure that it’s safe.
The third area that makes it different is that we have new environments introduced in our cert, especially Cloud and mobile. Cloud environments are making it more complex due to the fact that you have to run penetration testing on someone else’s system. With cyber security, if you’re working in the Cloud, you have to layer your cyber security solution on top of the Cloud provider’s security solution.
That is very complex and it requires you to know the rules and know what you’re allowed to do and what you’re not allowed to do because there’s different rules when you’re doing a penetration test in the Cloud. You may have to get multiple permissions instead of only the permission to test from the company that owns the assets, you may have to get permission by the Cloud provider as well to do the test. It all depends on what kind of arrangement you have set up.
But those are things that make PenTest+ different from all the other certifications that test for ethical hacking and penetration testing. And we developed the exam over about a year and a half period and it required a lot of visits and a lot of surveys. Oh, but here’s some of the big companies that actually flew in and joined us for a week of meetings and work group to talk about the daily events that they do in their jobs as penetration testers, vulnerability assessment and management professionals as well as ethical hackers.
And so we brought them in from around the world and really wrote down what they do every day on a daily basis. And ultimately the tasks that they do every day as penetration testers in their jobs is ultimately what became the exam objectives because that’s all we’re really doing. Our exam objectives, it’s just the penetration testing job role. It’s like these are the tasks you do if you’re a penetration tester.
Just like if you go over to CompTIA’s CySA+ exam, the security analyst exam, all the objectives are just a task list of what they do, what their tasks are on a daily basis. So it’s not rocket science, but it takes an extraordinary amount of validation and large numbers to prove these things.
So what we have here is a couple of amazing companies. We have Secureworks that’s focused on the vulnerability assessment and management aspect of it, but also Las Vegas Sands corporation. The reason why we brought them in is because they brought two people because they sustained an attack from Iran back in 2014.
And so the Las Vegas Sands corporation employees we had, they actually survived that state-sponsored attack from Iran because apparently the owner of the Las Vegas Sands corporation had made negative remarks about the leadership of Iran, and I guess they know each other, so Iran attacked Sands for a week long, I believe. They were able to provide us what they learned during that state-sponsored attack and we were able to put that knowledge, skills and abilities that they had to endure during that actually into PenTest+.
And so that was really great because they were able to comment on the tools that were used by the state attack, as well as the types of attacks, as well as their monitoring tools. It was just really great. And so that’s why the PenTest+ objectives are so amazing because we have knowledge like that integrated into them.
Also, Johns Hopkins University Applied Physics Lab, I want to mention them because they’re a huge DOD contractor and one of the guys we work with is currently securing the F/A-18 fighter jet because it has a lot of embedded devices on it. As the military moves into IoT with sensors, that’s something they’ve been using for decades in war.
And so now they’re having to secure their sensors, their IoT devices on these airplanes just like we have to secure our Apple Watch. And so what they’re having to do is learn new techniques for penetration testing on Internet of Things devices or embedded systems, i.e. a system that has a custom kernel, like a Linux kernel that has been modified specifically for a specific use.
One of the problems with IoT devices, just as they’ve been implemented over the past couple of decades, is that they have a non-secure kernel and it’s not a certified secure kernel for an IoT device. Microsoft for example, if you work with their IoT services in Azure, they actually require you to use a secure kernel and they have one for their IoT devices in Azure.
However, I was with Red Hat at the Internet of Things conference in San Jose and Red Hat was saying they still don’t have a certified Linux kernel for IoT devices. And that’s a problem. And so right now what we have is just hundreds of thousands of millions of unsecured IoT devices out there that are embedded devices.
Somebody who didn’t know about security created that IoT device, maybe it’s a kid’s speaker that goes in their room, they have the full Linux kernel installed with all the default ports open. It’s plagued with opportunity for risk. Anyhow, so you really have to make sure you’re securing these operating systems or else they’re just going to be sitting ducks.
And so IoT, one of the major problems we have is exactly what I just described and that’s why many IoT devices are insecure. And so what you’re going to learn a lot about is hacking IoT devices, embedded devices. Let’s move on.
Alright, let’s learn something about the exam. Here’s some of the specifics. PenTest+ is a multiple choice and performance-based exam that you would take at a Pearson VUE Testing Center somewhere around the globe. Our exams of course are taken by civilians and governments. And so the exam code is PT0-001. We just released it last year, it hasn’t even been out for a year yet.
It’s available worldwide, the price is $349 retail. Also, as I said, you have to go to a Pearson VUE Testing Center. There are 85 questions, multiple choice and performance-based. Performance-based questions I believe are usually dished up first when you sit down to take the exam, so keep that in mind and don’t take too much time on them. You may wish to mark them, do the multiple choice questions and come back to the performance-based questions. I’ve heard that from numerous people.
Number of questions is 85, length of test is 165 minutes, passing score is 750 out of 900. Right now it is in English, and Japanese is on the way.
Recommended experience, if you take PenTest+, you really should know networking and Security+ level knowledge. With PenTesting, you have to know how the network works if you want to be effective because what you’ll find is that hacking, penetration testing, vulnerability assessment, the tools that are used for this are oftentimes manipulating the TCP/IP language and the TCP/IP protocol is the language of the internet.
And you need to know that language inside and out if you want to be a penetration tester. If you want to be a good penetration tester and if you want penetration testing to be easier, then learn networking inside and out because you’ll find packet conditioners are often used to modify the IP headers in the packet. Well guess what? I can change the IP header, I can change the IP address to any address I want and then send it.
If I’m on the same segment, that person who gets that packet is going to think they just got a packet from gosh, North Korea, Russia. And then they could think, oh my gosh, I’m being attacked, whereas they’re not. It’s simply being spoofed. So those are the types of things. If you understand TCP/IP, you understand how easy it is to manipulate the packets. You mess with the field values and the IP headers. You could do anything you want.
So if you understand the packet, if you understand the Open Systems Interconnection, you understand the internet architecture four-layer model as well as the OSI/RM 7-layer model. Both of those will be key aspects. And then understanding all the protocols within the TCP/IP language, how they work, how packets are assembled, disassembled, how they’re routed.
These are all key elements to understand, and you will never be a good penetration tester or a good cyber security expert unless you know networking inside and out. So I cannot stress the importance of networking to this group. It’s the key to cyber security.
And then of course, you’d have to have Security+, and Security+ is really securing the network because you can’t secure a network unless you… No, I love the saying, “You can’t secure a network unless you know how the network works.”
All right. Also PenTest+, right now it’s being reviewed by the Department of Defense and it should be approved by the Department of Defense for 8570 at the end of summer. They’re reviewing that right now as well as our Cloud+ certifications. We hope to have those added on in the coming months.
It already is ISO ANSI 17024, so we’ve gone through an extensive exam development process that has been legally defensible.
All right, what do we have next?
Hunter: All right, Patrick, before we move on, we have a question from John about the exam. Is the test operating system agnostic?
Patrick: Oh, right. No, I have looked at that. I know what you’re saying. They developed the questions in Kali Linux. So you need to make sure that you understand how to use the apps like Metasploit for example on a Linux system. Good question.
Here’s an example of Metasploit Pro. In fact, the reason why I included this is because I didn’t want people to be scared if they don’t know Linux. So you know, I come from a Windows background and I didn’t learn Linux until the beginning of the 2000s. That’s when I wrote that Hack Proofing Linux book because back in the ’90s, we were able to live off of Microsoft products.
I got my Microsoft Certified Systems Engineer in 1998, me and an army of Gen Xers helped wire the country and get our entire country on a computer network. And now we’ve moved on to wireless and we moved on to Linux because Linux is open source, it’s less expensive, more flexible, you can customize it simply. And it’s mainly an engineer, developer society. And so Linux has come in very handy for cyber security.
What you need to understand though, is that if you ever download, for instance, Kali Linux or Security Onion Linux, those are just Linux operating systems that have penetration testing tools and security analyst tools already built in. So it’s like downloading a fully weaponized operating system.
So that’s why I like working with Kali Linux and many people do, and Security Onion. There’s a lot of operating systems that already have cyber security tools built into them. So you just download the ISO image, load it into Oracle VirtualBox for example. I don’t know if any of you have used that virtual environment, but it’s really great if you have a Windows system to download Oracle Box… Sorry, it’s Oracle VirtualBox.
So you download Oracle VirtualBox onto your system and then all you do is you select the link to the ISO image that you downloaded and the ISO image, it’s simply a file that contains the entire Kali Linux operating system and all the tools preloaded. So you just go to the Kali Linux website and you download the operating system, put it on your computer, open up Oracle VirtualBox, and then just link to that ISO image. That’s all you have to do.
And that will load Linux on your computer system, and that’s if you’re running Windows as your host operating system on your computer. It’s really great. And then you could just basically load in two different ISO images. And then you can make one offense, one defense for example, and then you can attempt to hack yourself. But it’s a great learning environment.
This is a screen capture of Metasploit Pro. I took this because doesn’t that look like Windows? It does. You can download the KDE interface, it’s a Windows-like interface. There’s a ton of different interfaces for Linux, but a lot of them look like Windows. In fact, they try to make them look like Windows.
And here’s an example. This is an app, Metasploit Pro, you’re running within Linux. It opens up like most of the Linux software tools. It’s specific to the software tool, not to Linux. So even if I’m using an IDS like Bro in Linux, once I open up Bro, basically all I need to know are my Bro commands. I don’t need to know Linux commands. All I’ve got to do is open up the program in Linux most of the time and then work within the application. The application’s going to have its own commands.
So that’s just an important concept for you. I never took official Linux courses. I learned it through being thrown in to the environment as a network administrator and I’m sort of just telling you the things that helped me a lot.
Another tool is Social-Engineering Toolkit. I’ll just show this to you because I want you to see how easy hacking is nowadays. It’s like hack by numbers. Select from the menu. What do you want to do? Penetration test? Social-engineering attack? Third party modules. There’s all kinds of different modules you can choose from that people have created to use in this toolkit.
But this toolkit, by selecting numbers, you can essentially create a social-engineering attack. This program will let you copy a website like Bank of America’s website, duplicate that. Then it will let you create an email that will go out to people and you can fake that you are from the bank and you want their password. You send that email out and the link that it goes to is that fake site that it just created for you using SET.
Then essentially that person will click on the email, go to the fake site where you have malware loaded for them. It’s that easy, but there’s a lot of nuances involved to pull it off and make it work, you can imagine. But the thing that I don’t like about it and the thing that should be scary to all of us is just that it’s hack by numbers.
So this is one of the reasons why we need penetration testers and vulnerability assessment and management professionals out there. You need to make sure your network is going to be secure from these types of things. You’d better make sure, hopefully that your people at your company, for example, aren’t falling for these social engineering attacks. So you should be doing lots of different testing on your network.
But also when it comes time to defending yourself against social-engineering attacks, I mentioned end user awareness, but defense against hacking is usually a security analyst job role. And that would be covered in CySA+, the security analyst, which is a defensive or blue team role.
In fact, we’ll get to that in a minute. We’ll talk about red team, blue team, but I just wanted to show you some of the tools just to give you an idea, maybe a little easier than you think.
Next slide. And this slide is just to give you hope that if you do choose to go into this career, you will have opportunity available to you if you are good and if you have the hands on skills and can prove to employers you can do hands on skills during the hiring process. But here we go. Essentially penetration testers, as I said before, are also vulnerability assessment and management pros.
The median pay is $92,000 a year. Right now there’s about 82,000 jobs available and it’s growing at 28% a year, so that number, there’s more jobs available every day. And then Cyberseek.org states, “98 grand a year. There’s 6,695 jobs available.” Every source is going to have a different number of jobs. This is a slice of the penetration testing, vulnerability assessment and management.
Right now there’s over two million IT jobs available in the country or in the world and I believe there are almost 800,000 IT jobs available in U.S. alone, 800,000. So this is actually quite a few jobs available and if anyone on this call can take one of those 82,000 jobs, that would be outstanding.
Hunter: And before we move on, Patrick, I just wanted to remind everyone that we’re going to be answering some questions at the end of this webinar. If you want to submit those in the Q&A panel, it looks like we already have some getting started in there. So yeah, we’ll have some time at the end for those.
Patrick: Thanks. The next part I’ll talk about is the PenTest+ career pathway. What I want to do is just show you where penetration testing and security analyst skills would be in somebody’s cyber security career. You can look at this document, but what these certifications are is job roles. So let’s get away from CompTIA branding and let’s just look at job roles.
Because if you start from the left of this diagram and go to the far right, that’s 10 years of knowledge, skills and abilities of someone that works in cyber security. So it starts with zero on the left, that’s IT Fundamentals. That’s mainly like a survey certification, that’s like here’s what a programmer does, here’s what an infrastructure pro does, here’s what a cyber security pro does, here’s what a manager does, or IT manager.
Does any of this look interesting to you? And that’s a course that is really heavy in middle schools, high schools, community colleges. If people then want to go into an IT career, they would jump into A+, which maps the knowledge, skills and abilities of someone at about nine months who’s been working in IT. And A+ is mainly a help desk, support desk cert where you’re actually customer service on the phone helping people with their devices.
A+ is not about PCs, no, it’s about devices, all devices hooked up to the internet and supporting them, major. Also Network+, that would be the next step in somebody’s career because after they’ve learned how to maintain, I guess, and support all the devices on the internet, they need to know how the internet works because that’s what they’re all attached to.
So A+… sorry, Network+, which I’m talking about right now, is the step after A+ and it represents 18 months of knowledge, skills and abilities. After that you go to Security+, which represents two years of knowledge, skills and abilities. The chronology of what I’m describing to you right now is incredibly important and it required a great deal of research in order to determine this from like 20 years of IT in the United States and around the globe.
And so what happened in the last, as I said, five years is what caused the next level to be created, which is PenTest+ and CySA+. We didn’t need those certs like five years ago. We did need them, but we didn’t know that we needed them. There are amazing job trends that show right after 2014, job openings for penetration testers and security analysts skyrocketed, doubled in one year, because the cyber security community realized, oh dear, we have a huge skills gap here and that’s the penetration testing, security analyst skills.
We did not have those before because we never had to be searching in our interior networks for the bad guys. In the past, you could have up to Security+, you could configure a firewall, you could configure antivirus and your network was going to be safe as far as you knew. But basically 2014, the bad actors got as smart as the good actors and they learned how to do advanced persistent threats.
They learned how to easily get into internal networks, search around for targets, and then exfiltrate those assets that they find by staying on a network for hundreds of days, years in some cases. It’s very hard to detect them. And this has required a whole new level of cyber security tools for us, mostly continuous monitoring.
But what I’m saying is that these are all skills that we weren’t focused on a few years ago, and now we have to be or else our networks will continue to be insecure. So that’s why the three to four year level of knowledge, skills, and abilities came to be. So PenTest+ and CySA+, three to four years of KSAs.
PenTest+ offense, perfect, and CySA+ defense. So let’s take a look. Remember I was talking about red team and blue team? Let’s take a look here at those three to four year skills. One is red team, which is penetration testing, that is on offense. Now, you might say, “Where did this red team thing come in?”
Another thing that happened after 2014 is we realized we had to train IT pros differently and what we had to do is essentially put IT pros into teams of offense and defense and have them try to attack and hack into one another, to practice hacking on each other. Red team, blue team came from the military and now is actually implemented in corporations throughout the globe as well. It’s very common to do this now.
But let’s take a look, the red team are the penetration testers. They’re the hackers. They are the ones who are trying to break into systems by identifying weaknesses in people, processes and technology. Then you have the blue team, the blue team, those are the security analysts. They’re the ones who want to discover. They’re the ones who want to detect the attack from the red team.
So they want to discover it, they want to contain it. They want to remove the intruders and they’re going to be using all these monitoring tools, so this is ideal. Take a look at the screen now because here’s an example. Up on the top picture there on the left hand side is a Kali Linux offensive red team system. On the right hand side of the top image is a blue team security analyst system and that’s the defense.
If you look down at the bottom image, you’re going to see the red team, it has launched an attack, and in this case that’s using the command line, Metasploit Auxiliary TCP SYN flood attack, which is basically, it’s a denial of service attack. It’s manipulating the TCP three-way handshake.
So anyhow, I’m launching the attack on the left system using the auxiliary module from Metasploit. Not Metasploit Pro mind you, I’m using the free version of Metasploit and that is command line and that’s what’s included if you download Kali Linux. You have to go out and buy the pro version of Metasploit and it’s like over $1,000, but if you’re at a corporation, of course that’s not a big deal.
Okay. And then on the right hand side you can see the blue team has discovered the red team attack. So what they have used is a network monitoring tool, in this case, just for the purpose of examples, I use something called EtherApe, which is a visual tool that simply shows the number of packets traveling across the network.
What I’ve got to show is where the attack is. You can see it concentrated on the one system that’s on the left hand side of that red target indicator. And then on the right hand side is that big circle and that’s actually a representation of the size of the attack. So in this case, it’s actually like the Death Star on the right hand side from Star Wars attacking a small rebel freighter.
And so in this case, if I were to have kept this attack going, the blue team would have gone down. All the CPU would have been used and the system would have no longer been accessible, and so thus it would have been a successful attack. But I just wanted to show you an attack and a detection because that is a key concept for you to understand as far as offense and defense goes in cyber security.
All right. And now I do have to take pause because the PenTest+ exam objectives that follow, I could spend an hour talking about them or 10 minutes talking about them. So I might ask Hunter, how would you like to proceed at this point? How are we doing with our time?
Hunter: We have about 20 minutes left on here, so I’d say we want to give folks a little bit of time at the end for questions, so say about 15 minutes you can spend on this.
Patrick: Perfect. Okay, good. What I’m going to do now then is go into a little bit of detail about the PenTest+ domain objectives. I’m going to teach you exactly or tell you exactly what you do. I believe there’s five domains in PenTest+. We’ll see. What they do is they follow the hacker lifestyle, so I’m going to talk about that in case any of you are interested in a MITRE approach or the Lockheed Martin Kill Chain model. Somewhat similar to that because hacking processes are established.
So here’s PenTest+. The first domain for PenTesting is planning and scoping because you have to make sure that you have permission to attack the network you’re going to be testing. So there’s a legal agreement in place. It will be far more complicated depending on who you’re working with. If you’re in a Cloud environment, legal concepts could be more complicated. You’d have to look into that, but the main thing is getting permission.
As I said before, what’s the difference between a hacker and a penetration tester? Permission. So it’s really important to also understand what you’re going to scope out because you’re going to have to label systems. There’s going to be certain systems that you can hack, certain systems that are off limits.
And so often then you classify your targets into different colors like you might have white systems, black systems. Some are off limits, some you can hack and so those are the types of agreements you have to have with whoever you’re going to be engaging with.
Next. Once you’ve determined that you have permission, you need to go out and see what’s out there. You have to conduct an inventory. We call this information gathering and vulnerability identification. So what you’re going to be using is using different tools on the network to actually scan the network. And there are many different tools that do this, OpenVAS being really great free vulnerability assessment tool.
And so what you do is essentially you’re going to be running these programs, whether it be a command line program, whether it be OpenVAS, and you’re going to scan the network, and you’re going to find out exactly what systems are on the network, and what operating system they’re running because these vulnerability tools will tell you.
So what you can end up with is a network map. It might have all the different devices. So you’d see, “Oh, okay, look, I’ve got 20 Linux systems on here. I’ve got 15 Windows systems on here. I got three routers, two switches. I’ve got a DNS server, I’ve got a proxy server.” All of that would come back to you in the report, but it will also say what the operating system is, as I said, the service pack number, the latest patch that’s been installed on that system. And that is very helpful.
For example, if you find Windows XP systems on your network, you would know those are no longer supported by Microsoft and you’d be surprised how many of those are still out there in the world. And so if it then comes back in your reports, you have a bunch of Windows XP systems on it, then you are in business because you are aware that they have security vulnerabilities.
Once you’ve figured out what your vulnerabilities are, you have to choose which attack and exploit you’re going to use. So you have to say, “All right, now that I have this particular Windows XP system on it, what attack am I going to run on it? Am I going to run an application-based attack? Am I going to run a social-engineering attack? Do I want to make it network based over the segment? Do I want to get on the network and attack directly from the segment?”
These are all decisions you have to determine based on what you have discovered. And so basically, now that you have your weaknesses, you choose the attack. Once you know what attack you want to use, you have to choose the right tool, and with penetration testing, there’s a million tools.
One thing we didn’t want to make the PenTest+ exam was become a tool parade. We wanted people to mostly focus on the concepts because once you understand the concepts and a few of the tools, you can apply that knowledge to many, many, many different vendor-specific tools. And so we teach some of the basics like Nmap.
Remember how I was telling you earlier that you need to scan the network and I talked about OpenVAS? There’s a basic tool that’s one of the basics that came out with the TCP/IP language. It’s an app called Nmap, and it’s a network map. And so if you run Nmap, it will actually provide you… it’s a free scanning tool, and so you can find out what’s on your network and it will even provide information based on the command you use that will determine the information that you get back.
But that’s a free version. Not as easy to use of course as… It’s fast, it’s quick. OpenVAS can take a long time to get that initial scan. All right. But the tools are key. I had also mentioned some like Metasploit. Metasploit is probably the most popular penetration testing tool. The reason is it’s easy to use.
And so if you go out there and do a search, like for example, if you wanted to try to do that denial of service attack, once you download Metasploit, you have to call up modules, it has different modules in it. So I just called up the auxiliary module, which is a test module for the denial of service attack.
I used a test module because I didn’t want to actually destroy the system, but I just wanted to basically do a demonstration. I basically took half of all the CPU power off of that system I was testing, not all of it.
Okay. Then there’s a lot of other tools. In fact, if you go into the objectives themselves, there are sub objectives under there which cover all of the different tools and there are dozens and dozens of tools that… But those are the ones that hackers use. As you go through the main objectives, you’re going to find the main tools that would be used which in this case are more related to a vulnerability assessment and management.
You want to make sure you understand Nmap inside out, OpenVAS is extremely important as well as you need to know Metasploit, and then there are many other tools that you’ll find in Kali Linux if you go through the menu, because if you go through the menu, you’re going to see that there’s just preloaded hundreds of hacking tools for you and vulnerability assessment and management tools, and security analyst tools.
Oh, another thing I have to mention is that you need to be able to analyze a basic script, Bash, Python, Ruby or PowerShell. You don’t have to write it, but you need to analyze it and identify that, oh, that’s Python or that’s Ruby. Why do you need to know this? Because those are very common tools used when you get further up the ladder with penetration testing.
For example, if you’re a basic penetration tester, you’re probably just using Metasploit, but the really good penetration testers, they’re able to program in Python on the fly while they’re performing an attack. That is the gold standard. That’s where you should try to be. PenTest+ is going to get you up to that three to four year level, but typically, the guys that are really good at PenTesting, the red teamers that are actually doing offense typically, have over 10 years of experience, typically they know what’s in PenTest+, but they also know programming languages. Very important and I just wanted to make note of that.
And then reporting and communication. One of the main lessons we learned going out to the field, talking about penetration testing and cyber security in general was it’s become a team sport. No longer can there be the security guru on the top of the hill who knows all and bequeaths their knowledge upon the general population.
That is no longer the case, it’s all about teamwork now because it’s all about cyber security professionals communicating together throughout the world. And probably the most important thing with penetration testing and security analyst skills is teamwork and communication and threat intelligence.
Threat intelligence is key because that’s how cyber security pros communicate all over the world using security bulletins. If I find an attack, I’m going to announce it, and if you’re a cyber security pro in Norway, Denmark, you’re going to see that I was attacked and I’m going to say where I was attacked from.
I’m going to say, “Here’s a command and control center that’s attacking end users on my network, so you guys need to block it so this doesn’t happen to you too.” That’s essentially how cyber security is working to a large portion right now as far as major attacks go. For example, I believe that Petya, NotPetya, they didn’t destroy the U.S. as bad as they could have because once the attack started in Russia, we were communicated with, the security analysts, the cyber security pros in the U.S. found out about it and we were able to install the patches before those attacks came to the U.S.
And so it’s critical and you can see the importance of communication. So this is key. Reports are so key. Being able to say, “Here are the vulnerabilities I found. Here’s the report and if you need to, here’s how you might fix it.” Or that might be a job for the security analyst actually.
So what you have to understand is you have to be able to communicate, report what you found so that action can be taken. So that’s it. There’s the five domains. It’s quite a nice package as you can see because it follows the hacker lifestyle.
So training for PenTest+, how can you train for PenTest+? Let’s find out. All right, let’s see here. Do you want to jump in Hunter and talk about your InfoSec products?
Hunter: For sure. We’re going to get your-
Patrick: All right.
Hunter: … questions everyone in just a moment, but I just want to take a quick moment to talk about how you can train for the PenTest+ cert. We recently launched a new on-demand cyber security training platform called InfoSec Skills. It’s a monthly subscription for just $34 and it includes access to more than 45 skill and certification learning paths, including the CompTIA certs like Security+, PenTest+, CySA and CASP+.
It also includes access to practice exams for each certification and a variety of cyber ranges where you can practice your skills on Cloud hosted virtual machines. Again, it’s just $34 a month and you can even try it out for free for seven days.
If you prefer to train via live bootcamps, we also have this five-day ethical hacking bootcamp, which is one of our most popular training courses that we’ve offered for about 15 years now. But I’d like to move on to some questions. It looks like March CEO had a question. How do these PenTest+ certs differ from other certifications in level of difficulty?
Patrick: Oh yes. I did analysis as a product manager, I have to analyze PenTest+ and do mappings against some of the biggest competitors in the area, so I ended up doing a mapping between PenTest+ and CEH, the EC-Council CEH cert because they were the biggest player in the field. And here’s what I found. I was able to identify four differences between PenTest+ and CEH.
The first difference I found was that PenTest+ is multiple choice and performance-based, but the CEH exam at least as approved by 85/70 with the DOD is multiple choice only. That’s been a big advantage of our cert. The idea is that if somebody passes our cert, they have the hands on skills, so they wouldn’t have to pass a multiple choice exam like CEH and then have to go out and get employer verification that shows you have the hands on experience.
The idea, and that’s why we invest millions into our exams development, and that’s why we are able to do this is create these performance-based exams. So in theory if you pass PenTest+, you’ve proven that you have PenTesting skills, that you’ve actually done them on a computer as well as the knowledge with the multiple choice questions. That was one difference.
The other was just price because when I was looking at the retail price of CEH, it was around 1099, but then the retail of PenTest+ is $349. And I think the reason that is the case is because CompTIA is a not-for-profit organization and so we don’t have the overhead necessarily or I guess we don’t have all the expenses.
The third thing I found was teamwork. When I looked at CEH and all the other penetration testing certifications and vulnerability assessment management, they were all purely technical. And so as you saw, we have teamwork in ours. It’s one of the domains in fact, one fifth of it because that was just… I can’t tell you how much all of the decision makers and leaders we talked to kept telling us that that teamwork was so critical to them.
The other difference was PenTest+, do you remember how I told you we were working with Johns Hopkins Applied Physics Lab, we were working with Las Vegas Sands Corporation? What they emphasized to us was the fact that we need to focus our PenTesting on IoT devices, Internet of Things devices and embedded systems as well as traditional operating systems and server systems.
Nowadays with IoT, as I mentioned earlier, we’re getting these embedded systems out there. There are custom IoT devices that some developer has created with a full Linux kernel in many cases. And so, one of the things we have to adjust to as penetration testers is this new mobile environment, is these new insecure operating systems.
Now the industry should be fixing themselves very quickly. I do believe that there’s going to be certified secure kernels for IoT devices from all vendors soon and that’s going to make a huge difference. Also agreements that when someone releases IoT products, that they at the same time support those IoT products and ensure that those IoT devices can be updated once they’re released out in the world. That is key.
And so those are the main four differences that I found when doing my research.
Hunter: Definitely. It looks like we’re just out of time. We just had a few more questions. I can forward those to you Patrick, so you can reach out to them personally. So as we wrap up, I just wanted to remind you not to miss out on our free trial of InfoSec Skills, to get started learning about PenTest+, Security+ and a bunch of other cyber security skills. And you can also go onto our website, infosecinstitute.com/skills to get started on your free trial.
And lastly, I just want to thank Patrick so much for joining us today and everybody for watching the webinar. If you’d like more information right away, you can head to infosecinstitute.com or call to speak with a rep about the course and our current promotions. And as always, if you have any other questions, feel free to send them to firstname.lastname@example.org and we’ll be sure to get back to you soon.
Hunter: Have a great rest of your day everybody.
Chris: I hope you enjoyed today’s episode. Just as a reminder, many of our podcasts also contain video components which can be found at our YouTube page. Just go to youtube.com and type in Cyber Work with InfoSec to check out our collection of tutorials, interviews, and other webinars.
As ever, search Cyber Work with InfoSec in your podcast app of choice to get lots more episodes, see the current promotional offers available for podcast listeners and to learn more about our InfoSec Pro live bootcamps, InfoSec Skills on-demand training library, and InfoSec IQ security awareness and training platform. Go to infosecinstitute.com/podcast.
Thanks once again to Patrick Lane and moderator Hunter Reed, and thank you all for listening. We’ll speak to you next week.