Characteristics of a Good Penetration Tester
May 17 2017

Penetration testers possess a curious mind and a hunger to know how systems work. While many technical people have a solid technical understanding of information systems, they often lack one indispensable characteristic of a good penetration tester: a hacker mindset.
To succeed, you must think like an attacker. Let’s talk about penetration testers and the hacker mindset in greater detail, and what characteristics separate the average pentester from the truly talented ones.
What is a penetration tester and what do they do?
Also known as an Ethical Hacker, a Penetration Tester is one who is paid to legally hack and probe for security vulnerabilities in computer systems, infrastructure, web applications and even mobile apps.
A pen tester’s objective is to exploit vulnerabilities in order to break into a computer system, and then document how that was achieved in a report so that the client can take steps to remediate the exploitable vulnerabilities discovered.
Many organisations engage the services of a professional penetration tester for the following reasons:
- To find and fix vulnerabilities before an attacker does.
- To help uncover vulnerabilities they didn’t know existed.
- To find out what it means to the business in terms of impact should an attack be successful.
- To find out how effectively the organisation is able to detect and respond to an attack.
- As an annual exercise to see how they stand up in the ever-changing threat landscape.
- To illustrate the risk posture of a target system in a live environment.
- To meet compliance with regulatory standards such as PCI.
Cybersecurity is of such importance these days that some of the larger companies have their own in-house team of pentesters. If you’re an in-house pentester, part of your job would be to test products for vulnerabilities and then make recommendations on how to mitigate the vulnerabilities you uncovered based upon the level of technical risk exposure.
Generally, penetration testing involves the following five phases:
- Reconnaissance – Information gathering on the target.
- Scanning – Identifying open ports and fingerprinting services running.
- Gaining Access – Launching exploits in order to gain access or exfiltrate data.
- Maintaining Access – Using stealth to pivot onto other systems without detection.
- Covering Tracks – Making sure there is no residual data or logs left on the target.
Again, what is a penetration tester’s goal?
It is simply to help an organisation strengthen their defenses against cyber attacks by confirming identified vulnerabilities which could be used by an attacker to compromise a system, and report on recommendations for further improvement in order to reduce risk to an acceptable level.
Seven Characteristics of a Good Penetration Tester
Good grasp of operating systems and networks
A lot of penetration testers come from a previous technical background in networking, application development or database administration. Understanding networking and application development is a prerequisite to becoming a good penetration tester. A penetration tester will be expected to be able to tinker with configuration settings and code as they work, whilst researching on the fly.
Always up-to-date in technology knowledge
As the saying goes, the only thing constant in this world is change. The same principle applies to penetration testing. It’s one thing to learn new technologies, and quite another to keep your knowledge updated. Every new task or project is a learning opportunity; a chance to learn a new system or update your skills. If you find constant learning and relearning a stressful cycle, then perhaps you’re in the wrong profession. On the other hand, if you enjoy every minute of learning new things, then this is the right path for you. You will have a natural instinct to become a keen researcher with a curiosity that makes you wonder and think about how everything works.
Analytical and meticulous
No two infrastructures are identical. Tools and methodologies that work wonderfully on one system may not yield satisfactory results on another. Every environment is different and must be approached in a methodical manner. A good penetration tester is able to think outside the box and won’t hesitate to approach an assignment in ways that have never been tried before, just as a real attacker would in the real world.
Attention to detail is crucial; being able to identify tiny differences between configurations can mean the difference between a successful exploit and a failed one.
Enjoys a good challenge
The most formidable hackers are unpredictable. A good penetration tester adopts the same mindset. Whilst it’s a good idea to work with a set of tools and methodologies, a skilful penetration tester won’t get stuck with one that turns out to be ineffective and will quickly change tactics as the need arises.
Successful pentesters analyse everything they encounter, leaving no stone unturned, including why some parameters are missing and how they would fit into the puzzle when found.
Since penetration testers love a good challenge, they often seek out capture-the-flag competitions and hacking challenges such as those at https://www.vulnhub.com/ and https://ctf365.com/.
Great Communicator
Part of a pentester’s job is to be able to communicate at all levels of the client organisation. Listening skills are also very important, since a pentester needs to understand exactly what the business requirement is in order to formulate the correct attack vector, with clear definitions of what’s in scope and what’s out of scope.
At the end of the reporting phase of a penetration test, a pentester must present the findings to the target organisation’s key staff. They must be clear and concise and provide easy-to-understand recommendations. It’s not just technical people who will be interested: you will need to be able to communicate with risk and governance people, and other business owners.
The organisation will need to make risk-based decisions based upon the results of your penetration testing report, either justifying the implementation of mitigating controls or accepting the risk where the cost of the control outweighs it.
Social engineering skills
This is where information gathering comes back into play. In a lot of cases, simply phoning the organisation and asking is all it takes, but before you do, you must already know who to ask and what to ask about.
Pretexting involves creating an artificial scenario in order to get the target organisation to engage you in such a way that it increases your chances of a successful attack. Phishing is another common social engineering method.
A passion for cybersecurity
The most successful people in the cybersecurity world are also the most passionate ones. Having a passion for penetration testing, cyber security, and information security will inspire a pentester to want to learn more and dig deep into the core of any problem and provide customised solutions to an organisation.
Most penetration testers got into the profession either because it had always been their hobby, or because it turned out to be something they were naturally good at and they ended up in the profession that way. Either way, it takes passion to become good at it.
It’s the love for what you do that keeps you going. After all, what can be more motivating than having a hobby as a career?
Conclusion
All in all, good penetration testers are curious, smart, techy, creative, incisive, passionate, great communicators, have excellent attention to detail, and have good social engineering skills. If you’re looking to hire a penetration tester, then find someone who possesses these characteristics.
For more than 15 years, – a team of leading IT security enthusiasts – have been at the forefront of providing outstanding penetration testing services in Sydney and around the world.
The team has worked for some of the world’s biggest brands internationally, in a range of high-risk industries, including banking, finance, insurance, health, utilities, oil & gas, government and defence.