Penetration Testing - Jobs, Certifications, Tools, and More

Yassine Aboukir, June 15, 2016

As technology has advanced over the past few years, more complex cyber attacks have emerged with it, and securing data has become a precondition for adopting new technology at all. Penetration testing is not only an integral part of any organization's security review process but also a compliance obligation under standards such as PCI DSS.

In this article, we will look at what penetration testing means, who does it, who needs it and how to get started doing it.


What is penetration testing?

A penetration test, also referred to as a pen test, is the process of attempting to gain access to a particular system, whether a computer, a network or a web application, by simulating real-world attacks in order to evaluate the security of the IT infrastructure and uncover exploitable vulnerabilities.

The meaning of penetration testing is commonly misunderstood: companies tend to confuse it with a "security assessment" or a "vulnerability scan". In fact, a pen test goes beyond simply spotting vulnerabilities; it actively exploits and chains them in order to confirm which findings are real and which are false positives, and ultimately to demonstrate the real-world impact they could have.

Once a vulnerability has been successfully exploited on a particular system, the pentester may use the compromised system as a foothold to launch further attacks against other internal resources, in particular by incrementally gaining higher privilege levels through privilege escalation and lateral movement.

Penetration tests are typically conducted manually, with automated tools used to support the tester in systematically compromising the target. It is also worth noting that a penetration test may be:

White box: the penetration tester is given extensive prior knowledge of the targeted system, such as access to the source code or architecture documentation.

Black box: the penetration tester has no prior knowledge of or information about the target beyond what is in scope.

Grey box: the penetration tester is provided with limited information, somewhere between black box and white box.

Can Pen Testing be a career?

IT professionals can pursue a career in penetration testing, a field whose demand is growing quickly as technology becomes a bigger part of every industry. White hat hacking skills are in very high demand and salaries for qualified penetration testers are attractive (according to PayScale, the 2016 salary range is between $43,840 and $123,837).

A penetration tester is a type of security consultant with a solid background in computer science and information security. Pentesters are expected to conduct formal tests on web-based applications, networks, and other types of computer systems on a regular basis.

There are many training and certification options that can lead to a career in security and penetration testing, including Certified Penetration Tester (CPT), Certified Ethical Hacker (CEH) and Offensive Security Certified Professional (OSCP). In this regard, Infosec Institute provides a variety of security courses and training for individuals and groups.

Who needs penetration testing?

Every organization that relies on IT, whether it has an in-house IT team or not, should invest in penetration testing. Any business that handles sensitive information, whether credit card transactions, health records, intellectual property or anything else covered by privacy regulations, can benefit from regular penetration testing.

Also, the Payment Card Industry Data Security Standard (PCI DSS) Section 11.3 requires organizations to conduct regular application and penetration tests to meet compliance.

The HIPAA Security Rule's Administrative Safeguards (45 CFR 164.308(a)(8), "Evaluation") require periodic technical and non-technical evaluation of security controls. The rule does not name penetration testing explicitly, but vulnerability analysis and penetration testing are the usual way to satisfy the technical part of that evaluation.

Penetration testing is also useful after a security incident, when an organization needs to determine the vectors that were used to gain access to a compromised system or network. In that case the penetration test is used to reproduce the attack path and to validate that the new security measures put in place will prevent a similar attack in the future.

Is penetration testing legal?

Like any other consulting service, penetration testing is legal only when it is explicitly authorized. Testing may affect system performance and can raise confidentiality and integrity issues, so it is essential to obtain express written permission from the system owner before any testing starts, even for an internal penetration test performed by in-house staff.

A Statement of Intent (often called the rules of engagement) should also be drawn up and signed by both parties, the company and the pentester, before any work begins. It outlines the scope of the job, the systems and time windows involved, and what you may and may not do while testing.

To stay out of legal trouble, check who actually owns the systems you are being asked to test, as well as the infrastructure between your testing systems and their targets (hosting providers, shared networks, third-party services), since that may also be affected by testing and may need its own authorization.

Ignorance of the law is no defence, so it is important to be aware of the federal laws that govern penetration testers. Below is a quick overview of the main United States laws that any pentester should know about:

Title 18 of the U.S. Code, Section 1029 prohibits fraud involving access devices: account numbers, passwords, credit cards and the like.

Sections 2510 to 2522 (the Wiretap Act) prohibit unauthorized interception of communications. There are exceptions allowing service providers to monitor their own networks, and procedures for law enforcement to obtain access.

Section 1362 prohibits injury to or destruction of communications lines, stations and systems.

Section 1030 (the Computer Fraud and Abuse Act) prohibits unauthorized access to "protected computers", which covers government and financial-institution systems and any computer used in interstate commerce or communication.

Section 2701 (the Stored Communications Act) prohibits accessing stored communications without the owner's or provider's authorization.

The Cyber Security Enhancement Act of 2002 covers attacks that knowingly or recklessly cause, or attempt to cause, death or serious bodily injury, and carries severe penalties up to life imprisonment.

How can I learn penetration testing?

Becoming a penetration tester is an excellent career choice given that it is well paid and in demand. Learning how to pentest is achievable today, considering all the training, courses and certifications that are available.

There are several key attributes of a good penetration tester to consider:

Passion: to be a good pentester you have to be passionate about IT security and about technology in general. Pentesting has to be more than a daily job; above all, it requires you to keep learning constantly.

Good basics: the best pentesters know a lot about a few things and something about everything else. Pentesters have to build solid knowledge in the field they specialize in and, in parallel, understand the fundamentals of the other computing disciplines. An IT-related degree provides a good grounding in computer science and will stand you in good stead.

Technical expertise: pen testing is an extremely technical discipline. You need to understand not only how things work at a low level, but also how they are actually used and configured in practice. The ability to code or script is always an advantage, even if you are limited to simple Bash scripting.

Soft and written skills: at the end of every job, the pentester has to write a comprehensive report for the client. These skills are therefore very important; they are part of what separates penetration testers from hackers and script kiddies. Penetration testing companies also require consultants who can read, write and speak English well.

Penetration testers have to build a solid understanding of TCP/IP and networking, along with reasonable Linux skills. Familiarity with Bash scripting and basic Perl or Python is also considered a plus, since much day-to-day work consists of gluing tools together and post-processing their output.

One of the crucial factors in the success of a pen-test is the underlying methodology. A formal methodology should provide a disciplined framework for conducting a complete and accurate penetration test. Thus, pen testers should be aware of the following methodologies:

Open Source Security Testing Methodology Manual (OSSTMM)

The Open Web Application Security Project (OWASP)

NIST 800-115


Penetration testers should know how to use a few essential tools such as Wireshark, Nmap, Metasploit, Burp Suite, Kali Linux and OWASP Zed Attack Proxy. These tools are very helpful and make some pen testing tasks quite easy, but the tester still has to interpret their output and decide what to follow up manually.

Bug bounty programs are also a great way to prove your skills, with platforms such as HackerOne and Bugcrowd, which pay sizeable winnings to the best bug hunters. If this is beyond your current skill level, it is worth playing with some of the teaching frameworks such as Metasploit Unleashed or DVWA (Damn Vulnerable Web Application) to hone your skills.

The bottom line is that whether you are a computer science undergraduate, a working professional or a hobbyist, pen testing is an accessible career that offers a great deal of variety and opportunity (web applications, mobile applications, network pen testing, and so on). Additionally, with the growing number of publicized breaches (LinkedIn, VK, Sony, etc.), organizations have become more aware of the importance of data security and are hiring more pentesters to conduct security assessments and penetration tests of their IT infrastructure.


Some background in computer science will give you an extra push and ease your transition into pen testing. As noted above, there are plenty of resources on the internet to explore when starting your learning process.

Yassine Aboukir

Yassine ABOUKIR (@yassineaboukir) is a security analyst at HackerOne by day and an ethical hacker by night, actively participating in bug bounty programs. He has been acknowledged and rewarded by numerous companies, including Google, Facebook, Microsoft and Twitter, for his responsible security disclosures.