In the field of information security, there is an important and extremely fascinating profession of a Pentester, that is, a specialist in penetrating computer systems.
To work as a pentester, you must have good technical skills, know social engineering, and be a confident person. After all, the task often consists in outsmarting some very experienced guys who provide IT protection for the company, and also provide for the tricks of other people who want to circumvent this protection. The main thing here is not to overdo it. Otherwise, a very unpleasant situation may occur.
Cloud4Y prepared a small educational program on the work of the pentester, the necessary skills and certificates.
The demand for pentesters is growing every day (they are sometimes called “ethical” or “white” hackers, as they often try to penetrate protected systems to eliminate vulnerabilities that other hackers can use for personal gain). CybersecurityVentures.com estimates that by 2021, the damage from cybercrime around the world will reach $ 6 trillion, and hackers will strike at organizations such as Target, Facebook, Equifax, and even government agencies such as the NSA and the Department of Homeland Security.
Penetration tester required
So much is at stake, and the level of training required for such key positions in the field of information security is so high that it is extremely difficult for employers to find qualified specialists to fill a growing number of jobs. There are frighteningly few cybersecurity professionals.
This is one of the key factors contributing to the high salaries of professional cybersecurity. For example, the website CyberSeek.org, which provides data on supply and demand in the job market for cybersecurity, shows the average salary of pentesters. She is $ 102,000 .
What should a pentester do, what is its value? The main purpose of testing is to identify security vulnerabilities in both systems and policies. To succeed in these tasks, many skills are required:
- Coding skills needed to break into any system;
- Comprehensive knowledge of computer security, including forensics, system analysis and much more;
- Understanding how hackers use the human factor to gain unauthorized access to secure systems;
- A clear understanding of how computer security breaches can harm a business, including financial and managerial implications;
- Exceptional problem solving skills;
- Communication skills to use the human factor in tests;
- Skills to clearly and consistently express your thoughts in order to document and share your findings.
Penetration testing is usually carried out taking into account the characteristics of a particular organization and the industry in which it operates. Some industries, such as healthcare and banking, use pentesters to meet industry safety standards.
To identify potential blind spots lost by the developers of the system, application or any software, third-party organizations are usually involved. Their employees, the very “ethical” hackers, have experience in development, have a good education and a number of certificates required by cybersecurity. Some pentesters are actually former hackers. But they use talent and skills to help organizations protect their systems.
What does a pentester do
In addition to possessing the skills that we talked about above, a pentester must be able to “think like an enemy” in order to deal with the full range of methods and strategies that hackers can use and anticipate new threats.
If you become a penetration tester, your work will most likely include planning and executing tests, documenting your methodologies, creating detailed reports on your results, and possibly participating in developing fixes and improving security protocols.
In general, the following work responsibilities can be mentioned:
- Penetration tests for computer systems, networks and applications
- Creating new testing methods to identify vulnerabilities
- Performing a physical security assessment of systems, servers, and other network devices to identify areas that require physical protection
- Identify methods and entry points that attackers can use to exploit vulnerabilities or weaknesses
- Finding weaknesses in common software, web applications, and proprietary systems
- Research, evaluate, document and discuss results with IT teams and management
- View and provide feedback on corrections in the information security system
- Updating and improving existing security services, including hardware, software, policies and procedures
- Identify areas where improvements in user safety and awareness training are needed
- Be attentive to corporate interests during testing (minimizing downtime and loss of employee productivity)
- Keep up to date with the latest malware and security threats
Pentester career
Be prepared for the fact that your work will bring not only joy. Excitement, nervous tension, fatigue - these are normal phenomena when testing. But operations like hacking a CIA computer from the movie Mission Impossible are unlikely to threaten you. And if they threaten, then what? So even more interesting.
Our advice to anyone who wants to build a pentester career is very simple. Start working as a programmer or system administrator to get the necessary knowledge about how systems work, and then finding flaws in them will become commonplace, almost instinct. Practical experience in this field is simply irreplaceable.
It is also important to understand that penetration testing is a process that has a beginning, middle, and end. The beginning is the evaluation of the system, the middle is the fun part, actually hacking the system, and the end is the documentation and transmission of the results to the client. If you are unable to complete any stage, then you can hardly say that you will be a good pentester.
Most of the time, the Pentester’s job is to remotely study the system when long hours are spent at the keyboard. But work may include trips to workplaces and customer facilities.
There are many job penetration testers on LinkedIn at a wide variety of companies:
long list
- Bank of america
- Blue cross blue shield
- Booz allen hamilton
- JP Morgan Chase
- Hewlett packard
- Amazon
- Verizon
- Ibm
- Dell
- Capital one
- BAE Systems
- Sony
- Allstate
- eBay
- Deloitte
- Fidelity
- ADP
- E * Trade
- H&R Block
- Target
- Salesforce
- Microsoft
- Apple
- Uber
- Airbnb
- Raytheon
So there is demand, so are the prospects. In addition, high demand leads to a rapid increase in the salary of the chief security officer. In the field of cybersecurity, there are other specialties that have much in common with penetration testing. He is an information security analyst, security specialist, analyst, auditor, engineer, architect, and administrator. Many companies add the term “cyber” to the above names to denote the corresponding specialization.
Penetration tester or vulnerability assessor
Separately, we want to highlight another essentially close work: the work of a vulnerability evaluator. What is the difference? In short, here:
Vulnerability assessment is intended to compile a list of vulnerabilities by priority and, as a rule, is intended for customers who already understand that they are not where they want to be, from a security point of view. The client already knows that he has problems, and he just needs help in determining their priorities. The result of the assessment is a priority list of detected vulnerabilities (and often ways to eliminate them).
Penetration testing is designed to achieve a specific goal, simulating the activities of an attacker, and is requested by customers who are already at the desired level of security. A typical goal may be to access the contents of a valuable customer database on the internal network or to modify a record in the personnel management system. The result of a penetration test is a report on how security was compromised to achieve an agreed goal (and often ways to eliminate vulnerabilities).
It is also worth recalling the Bug Bounty programs, which also use penetration testing methods. In such programs, companies offer cash rewards to “white” hackers who identify vulnerabilities or errors in the company's own systems.
One of the differences is that when testing for penetration, usually a limited number of specialists look for specific vulnerabilities, while Bug Bounty programs invite any number of specialists to participate to search for uncertain vulnerabilities. In addition, pentesters are usually paid hourly or annual wages, while Bug Bounty members work on a pay-as-you-go model that offers cash compensation commensurate with the severity of the error found.
How to become a certified Pentester
Although practical experience in penetration testing is the most important factor, many employers often look: do candidates have industry certificates in the field of “white” hacking, pentesting, IT security, etc. And sometimes they choose those who have these certificates.
You can also get such documents. We even prepared a list of where to go:
- Certified Ethical Hacker CEH
- Certified Penetration Tester CPT
- Certified Expert Penetration Tester CEPT
- GIAC Certified Penetration Tester GPEN
- Licensed Penetration Tester LPT
- Certified Security Specialist ( Offensive Security Certified Professional OSCP )
- Certified Mobile and Web Application Penetration Tester CMWAPT
- CompTIA PenTest +
What else is useful to read on the Cloud4Y blog
→ The path of artificial intelligence from a fantastic idea to the scientific industry
→ 4 ways to save on backups in the cloud
→ Configure top in GNU / Linux
→ Summer is almost over. Almost no data leaked
→ IoT, fog and clouds: talk about technology?
Subscribe to our Telegram channel so as not to miss another article! We write no more than twice a week and only on business.