Penetration testing

Penetration Testing: Job Knowledge & Professional Development

Daniel Brecht
September 30, 2016 by
Daniel Brecht

Interested in starting a career in penetration testing? This is actually a good time to get in the field, as security has taken center stage in the IT activities of all companies and organizations and there is a demand for trained and competent pen testing experts. To join the ranks of pen testers and white-hat hackers, professionals need to have strong technical skills and knowledge, solid hands-on experience and the will to continue learning every day throughout the rest of their career.

So what is penetration testing? It is a process by which capable security professionals gain access to an IT system using a variety of intrusion techniques similar to those used by malicious hackers and perform a cyber security assessment. The pen tester's role is to identify possible vulnerabilities to be secured in a network-connected infrastructure and advise on crucial corrections of any discovered flaws. These professionals might test not only the resilience of the actual systems but also the efficacy of internal security policies and even the workforce's ability not to fall prey of social engineering and scam attempts.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

The field of penetration testing requires lots of practical knowledge of hacking techniques with the ability to use them creatively in any technical scenario the professional is asked to test. A good pen tester normally presents a good mix of theoretical knowledge and hands-on skills. Moreover, they shall be able to harness powerful new pen-testing tools and put them into practice in an attempt to mimic realistic attack situations.

Does this sound like a job role you would like to fill?

The 5 W's (and How) of Penetration Testing

Why Do We Pen Test?

As quoted from Patrick Engebretson's book The Basics of Hacking and Penetration Testing, "Penetration testing [is] defined as a legal and authorized attempt to locate and successfully exploit computer systems for the purpose of making those systems more secure." It is the work of a pen tester to reality-proof the defense mechanism in place and do what it takes to have computing systems be safe and protected. A penetration test can find new and old vulnerabilities in a network and help mitigate any risks and address them to improve the resilience of systems by preventing, detecting or otherwise reducing the impact of threats against a company's resources. Though it is almost impossible to make every system 100% secure, organizations are using pen testers and ethical hackers to identify vulnerabilities long before malicious hackers discover them. When done right, "penetration testing is a key component of a security assessment," says Bruce Schneier, a renowned American computer security expert.

Who Will Do the Pen Test?

A pen test can be performed by security service providers who come from different backgrounds. In the majority of cases, they are professionals with IT security experience and, often, advanced information systems degrees; some pen testers, however, learned through hands-on experience while hacking as a hobby or are actual hackers looking for a "career change."

What Should Be Tested?

Software / Hardware. Using ethical hacking tools and software testing methods, a pen tester can verify if there are security vulnerabilities that can expose systems, websites and network infrastructures.

Network Processes. A pen test during an audit process presents various insights into how secure the systems are so to identify ways to minimize weaknesses or holes that could result in data breaches.

When to Get Tested?

A penetration tester shall regularly perform penetration testing of systems, web applications, networks, etc. whenever there is a requirement for checking the security posture of an organization. In particular, as mentioned by Help Net Security, "Pen testing should be undertaken after deployment of new infrastructure and applications as well as after major changes to infrastructure and applications (e.g. changes to firewall rules, updating of firmware, patches, and upgrades to software)." In such cases, timely testing is important.

Where to Test?

Penetration testing can be either done internally (i.e., in-person at the facility's location) or externally (e.g., remotely via a VPN connection). Also, testing can be valuable for any organization that relies on an information system to manage its daily operations regardless of location, size and industry type.

How to do it?

The process takes a systematic approach that uses various tools and techniques for security testing. A group of information security practitioners (PTES) has identified seven standard phases for penetration testing execution that cover the entire process:

  • Pre-engagement Interactions
  • Intelligence Gathering
  • Threat Modeling
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting

Although there is still no universal standard and although pen testing is an activity that also requires the ability to act creatively and that needs to be tailored necessarily to the characteristics of the system being examined, professionals are asked to take a consistent, systematic approach. The first stages of the pen tester effort include interactions with the client and his or her company as well as analysis during the intelligence gathering and collection phase. Subsequently, the pen tester begins working behind the scene looking for possible vulnerabilities and problems. This is not a mere vulnerability assessment or scanning, but the pen tester is also looking for ways to remediate issues effectively and provide feedback to the client on how to maintain a solid security posture. The pen tester acts as a real-world hacker would and attempts to exploit any identified vulnerability to report then to the client on findings and actions to take. The pen-tester will be able to provide clear and precise documentation in a formal report that will describe the activities performed, findings of all concerns found during the test and any recommendations to strengthen security defenses; the professional will offer a proper risk mitigation plan and advise on how to add value to an organization's security framework.

Specific penetration testing (automated or manual) tools can be used for hacking, scanning, and analysis. For example, using vulnerability scanning with Metasploit is a good option. "Metasploit Framework [is used] for developing, testing, and executing exploits," tells Rohit Shaw, a Certified Ethical Hacker; the tool serves as a vital software to a traditional penetration tester. However, the pen testers can also employ a variety of other techniques to gather information necessary to infiltrate the system, including social engineering. It is important for a pen tester to get specified in writing (in the contract) how far he or she can go so as not to break through the limits of what is considered to be ethical.

Penetration Tester: Knowledge and Competence Requirements

So, you like the idea of being a pen tester? The first requirement is the willingness to continue studying and researching in the field. All professionals know that the IT field is in continuous evolution and process of modernizing the user experience to keep up with technology, but pen testers more than other security professionals need to continue to progress and sharpen their skills throughout their career to remain one step ahead of malicious hackers. This also means to get abreast with the newest technologies and tools immediately.

From free guides on penetration testing to videos, tutorials, and books to webinars, workshops and conferences, there are many ways to perfect the craft of pen testing. A formal degree is often not necessary to be hired, but of course, a computer science degree with an InfoSec specialization makes proficiency in advanced penetration testing very achievable. Still, much can be learned from many different, sometimes unorthodox, sources.

There are many options for training in today's marketplace to leverage one's existing penetration testing and ethical hacking skills.

  • InfoSec Institute's Penetration Testing Training - 10 Day Boot Camp style course; this is ideal for learning about ethical hacking and how to apply penetration testing techniques. Alternatively, the skillsets (Penetration Testing and/or Ethical Hacking Basics) can be used to test one's knowledge and ensure he or she is qualified for such job roles.
  • eLearnSecurity Certified Professional Penetration Tester. The eCPPT certification is different from conventional certification that puts people through a series of multiple-choice questions; instead, it involves a penetration test that is modeled after a real-world scenario and requires hands-on work. Such a certification evaluates one's abilities in using attacking techniques against real targets. The cert provides thorough professional documentation that can help learners be a valuable asset in the field.
  • GIAC Practice Tests (for a cost of $129 each) can be accessed through the GIAC Certification Portal via the link in the SANS/GIAC portal account. It can serve as an aid that can help to master material covered on the certification exams. "Why GIAC? A Suitable Choice that Meets Professional Needs".

On-the-job training (OJT) is essential in the development of advanced skills beyond the theoretical knowledge foundation and expertise in the specialized area. In fact, nowadays many courses do include an OJT portion and certification track to recognize it as an essential part of the process to be a skilled professional who understands and knows what the job entails.

A standard certification in the field is also a great way to keep knowledge up-to-date and can prove employers the will to keep skills current. Specific certification programs from a leading international certification body in information security, including EC-Council, Infosec Institute and GIAC are a great place to start.

  • EC-Council offers CEH - Certified Ethical Hacker / LPT - Licensed Penetration Tester
  • Infosec Institute offers CPT - Certified Penetration Tester / CEPT - Certified Expert Penetration Tester
  • GIAC offers GIAC Penetration Tester (GPEN) / GIAC Web Application Penetration Tester (GWAPT) / GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)

InfoSec Institute can provide some direction as it has a number of available courses on different InfoSec job roles, in particular for Hacking & Pen Testing.

Much learning content is also available online. Resources include the following:

PenTest Magazine. This is a weekly downloadable IT security magazine that is devoted exclusively to penetration testing. It is a resource to get information on latest developments in the occupation. Apart from the literature, training is available.

The Ethical Hacker Network (EH-Net). This is a free online magazine for security professionals. On the website (ethicalhacker.net), one can find discussion forums, career resources and more.

DHS's NCATS program. The U.S. Department of Homeland Security (DHS) is giving firms Free Penetration Tests, tells KrebsOnSecurity that learned about DHS's National Cybersecurity Assessment and Technical Services (NCATS) program that offers "cybersecurity services such as red team and penetration testing and vulnerability scanning at no cost." The tests are designed to help an organization better understand how their external systems and infrastructures appear to potential attackers.

Books, courses, videos and even games are also effective learning tools. Listed next are a few.

  • Metasploit Unleashed - Free Offensive Security Metasploit course.
  • Penetration Testing Books - A collection of resources for learners.
  • PentesterLab.com provides hands-on exercises to learn web penetration testing; it makes available systems that can be used to test and learn how to find and exploit vulnerabilities.
  • The Hacker Academy, now part of Symantec, runs modules designed to get learners familiar with the ins and outs of the penetration testing structure.
  • The Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research is a good read, for example. "The book and companion Web site will provide professional penetration testers and security researchers with a fully integrated suite of tools for discovering, running, and testing exploit code."
  • As mentioned by aurelius, InfoSec Institute contributing writer, The Metasploit: The Penetration Tester's Guide is one of those books for InfoSec Enthusiasts and IT Security Professionals to have on their bookshelf.
  • Hack This Site: As mentioned on the site, "Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker wargames site, [they] are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything."
  • YouTube: Free Online Penetration Testing and Ethical Hacker Video Course.
  • SecurityTube: Scenario Based Hacking and Penetration Testing.
  • YouTube: Metasploit tool - An introduction video to Metasploit for Penetration Testing.

Ethical Hacking Exercises, Activities and Challenges

  • The Hacker CTF Competition or Challenge are effective exercises. CTF365, for example, offers a training platform to practice the methods real attackers use to penetrate networks and computer systems. Learners use assessment and analysis techniques that work in the real world when a server or computer network is under attack by hackers. CTFs are meant to build on this knowledge to implement defensive techniques that can be used to protect systems.
  • HackerOne's "Hack The World" and also HackMe! Pilot program are activities to test your abilities; each one introduces its own set of security challenges and attacker opportunities. Members join the HackerOne Community and work directly with security teams to "hack on some of the most challenging and rewarding bounty programs in the world." (See: Hack. Learn. Earn.)
  • Ed Skoudis's Monthly Challenges created and managed by Intelguardians are geared towards testing one's hacking skills.
  • ShmooCon Contests are available as part of the annual ShmooCon conference in Washington, DC; the organizers usually sponsor a Hack-or-Halo challenge that involves a number of puzzles and challenges.
  • Project KidHack is a youth program that is teaching kids all about information security. It seems it is never too early to learn how to be an ethical hacker or pen tester!

Conclusion

Pen testers can help organizations understand and quantify the risk to their business IT infrastructure and can help them strengthen their defenses by using methods similar to those of hackers that attempt to break into them in the first place.

No doubt, "Penetration testing has come of age," as they are on every CISO's to-do list, believes Vivek Chudgar, Director of FireEye Labs (APAC). Professionals in the field are in demand today, and their services are requested by managers of companies of different size and industry.

Becoming a pen tester requires having the right balance of technical knowledge and practical experience. This mix can be gained not only through formal education but also through hands-on training, participation in conferences, interaction in groups of professional in the field and a number of online resources that can be used to keep skills current and sharp.

References

Chudgar, V. (2014, May 7). Penetration Testing Has Come Of Age – How To Take Your Security Program To The Next Level. Retrieved from https://www.fireeye.com/blog/threat-research/2014/05/penetration-testing-age.html

EC-Council. (n.d.). Licensed Penetration Tester (Master) Credential. Retrieved from https://www.eccouncil.org/programs/licensed-penetration-tester-lpt-master/

eLearnSecurity. (n.d.). Certification -
eCPPT. Retrieved from https://www.elearnsecurity.com/certification/ecppt/

Engebretson, P. (2011). The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy. Elsevier Inc. ScienceDirect Journal.

http://doi:10.1016/B978-1-59749-655-1.00001-5

FromDev, S. (2013, February 28). 6 Best Hacking Books You Must Read to be a Hacker. Retrieved from http://www.fromdev.com/2013/02/Hacking-Books.html

FromDev, S. (2014, September 17). 100+ Free Hacking Tools To Become Powerful Hacker. Retrieved from http://www.fromdev.com/2014/09/free-hacking-tools-hacker.html

Geer, D. (2015, July 7). 8 penetration testing tools that will do the job. Retrieved from http://www.csoonline.com/article/2943524/data-protection/8-penetration-testing-tools-that-will-do-the-job.html

GIAC. (n.d.). Get Certified: Roadmap. Retrieved from http://www.giac.org/certifications/get-certified/roadmap

Help Net Security. (2013, September 9). How important is penetration testing? Retrieved from https://www.helpnetsecurity.com/2013/09/09/how-important-is-penetration-testing/

InfoSec Institute. (n.d.). Advanced Ethical Hacking: Expert Penetration Testing. Retrieved from http://www.informationsecurityinstitute.com/courses/advanced_ethical_hacking_training.html

Rasch, M. (2013, November 26). Legal Issues in Penetration Testing. Retrieved from http://www.securitycurrent.com/en/analysis/ac_analysis/legal-issues-in-penetration-testing

SANS Institute. (n.d.). Penetration Testing Courses. Retrieved from http://pen-testing.sans.org/training/courses

Schneier, B. (2007, May 15). Is Penetration Testing Worth it? Retrieved from https://www.schneier.com/blog/archives/2007/05/is_penetration.html

The Ethical Hacker Network. (n.d.). Community Forums - Network Pen Testing. Retrieved from https://www.ethicalhacker.net/forums/viewforum.php?f=22

Tutorials Point (I) Pvt. Ltd. (n.d.). Types of Penetration Testing. Retrieved from http://www.tutorialspoint.com/penetration_testing/types_of_penetration_testing.htm

Verma, E. (2015, February 17). Which is best between CEH & CPT Certification for a lucrative career graph? Retrieved from http://www.simplilearn.com/ceh-and-cpt-certification-for-lucrative-career-article

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Willis, C. (2014, September 16). The Five W's of Penetration Testing. Retrieved from https://www.fireeye.com/blog/threat-research/2014/09/ws-penetration-testing.html

Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.