By: ginasilvertree
July 17, 2018
Pocket-Guide for the Penetration Tester Career Path

In this pocket-guide, we’ll cover the key elements of building a strong Penetration Tester career path.
How does penetration testing fit into today’s business security landscape? As hackers’ methods continue to evolve through the use of new, sophisticated attack mechanisms, it’s becoming increasingly difficult for companies to defend their systems and data. Therefore, it’s crucial for businesses and organizations of all shapes and sizes to actively protect their assets; in many cases, they hire trained cybersecurity or InfoSec professionals well-versed in pentesting. They seek Penetration Testers who can look for vulnerabilities in less traditional ways and undertake cybersecurity posture assessments that scan and secure network segments based on the risks (threats and impacts) represented.

Highly-trained Penetration Testers can “think like the enemy,” employing creative ways to look for problems before they occur, which often means going beyond the use of automated tools. Pentesters can perform technological offensives, simulate spear phishing campaigns that identify weak links in a company’s security posture, and pinpoint training needs. Through their work, they understand that exploiting the human element is essential to simulate realistic attacks and uncover all of an infrastructure’s critical weaknesses.

What is a typical Penetration Tester job description? As a penetration tester, you’ll be responsible for ensuring that computer information systems are protected from hackers. This means that your role will include running tests on applications, networks, and software. You will attempt to hack into systems and software, allowing you to access data that should be off-limits to unauthorized individuals. You will be responsible for identifying any potential weaknesses in existing systems and collaborating with other departments and professionals to determine the most effective and efficient ways to shore up software and systems. The solutions you create may require adding new or additional security measures and rewriting program code.

Additional duties for Penetration Testers include reviewing any security system incidents, documenting threats, and completing reports with findings. You may also be asked to design improved security protocols and policies.

As a Penetration Tester, you’ll likely be required to:

- Perform penetration tests on computer systems, networks, and applications
- Create new testing methods to identify vulnerabilities
- Perform physical security assessments of systems, servers, and other network devices to identify areas that require physical protection
- Pinpoint methods and entry points that attackers may use to exploit vulnerabilities or weaknesses
- Search for weaknesses in common software, web applications, and proprietary systems
- Research, evaluate, document, and discuss findings with IT teams and management
- Review and provide feedback for information security fixes
- Establish improvements for existing security services, including hardware, software, policies, and procedures
- Identify areas where improvement is needed in security education and awareness for users
- Be sensitive to corporate considerations when performing testing (i.e., minimize downtime and loss of employee productivity)
- Stay updated on the latest malware and security threats
- Plan a specific penetration test
- Create or select the appropriate testing tools
- Perform the penetration test on networks, applications, or systems
- Document methodologies
- Identify vulnerabilities using the data gathered
- Review and evaluate findings
- Establish possible solutions to the weaknesses
- Provide feedback and recommendations to management or clients
- They must have excellent computer skills to be able to attempt hacking systems.
- They require solid analytical skills to evaluate and analyze the processes involved in resolving existing and potential security threats.
- It’s also important for Penetration Testers to have proficient communication skills, as they will be writing reports and working closely with other IT professionals and departments.
- Penetration Testers must also have exceptional problem-solving skills to determine the best course of action when resolving issues and protecting networks from potential threats or breaches.
- Expert knowledge of at least one mobile platform (iOS, Windows Mobile, Android, Blackberry)
- Expert application reverse engineering skill set, which can be applied to mobile platforms
- In-depth understanding of mobile code (Objective-C, Java, etc.)
- Expert manual code review skills
- Strong knowledge of information security frameworks and standards such as ISO17799/27001 and their application into diverse environments
- Strong understanding of the security mechanisms associated with Windows or Unix operating systems, switched networks, web-based applications, and databases
- Demonstrated ability to solve complex technical problems
- Competent to discuss the underlying technology with product developers
- Able to describe major phases, activities, checkpoints and deliverables of the application development lifecycle
- Understand the security controls/processes required to implement a robust secure application and can clearly articulate the risk associated with the failure of those controls/processes
- Detailed knowledge of the purpose of - and approaches to - security testing
- Strong web application testing experience
- Keen understanding of network security architecture
- Experience in reverse engineering or disassembly
- Technical risk assessment experience
- Application Security Code Review (e.g. looking at a client's home-grown web-facing application and reviewing the security of the code)
- Able to identify specific information security technical build guides and best practice deficiencies within the global organization; develop and drive cross-functional correction strategies
- Able to identify security requirements for business applications and data
- Experience in evaluating the design effectiveness of IT security controls
- Do you filter ports on the firewall?
- How does traceroute or tracert work?
- Can you name the three parts of a TCP handshake?
- What are the strengths and differences between Windows and Linux?
- How can you encrypt email messages?
- What kind of penetration can be done with the Diffie Hellman exchange?
- How do you add security to a website?
- What are some ways to avoid brute force hacks?
- Do you perform any scripting?
- What tools are available for packet sniffing?
- What is the difference between asymmetric and symmetric encryption?
- What is the importance of a penetration test?
- What is SQL injection?
- Describe how SSL and TLS work
- How will you protect the data during and after testing?
- What are the phases of network penetration?
- Discuss a recent project or role
- Pretend I’m a layperson and explain how e-mail works to me
- What is a ‘Threat Model’? How do you go about designing one?
- What is the difference between a vulnerability scan, a risk analysis, and a penetration test?
- What is the most important/valuable thing you have learned from working here?
- What is unique about working at this company that you have not experienced elsewhere?
- What is the most fulfilling/exciting/technically complex project that you’ve worked on here so far?
- What are the strengths and weaknesses of the current team? What is being done to improve upon the weaknesses?
- How do you see this position evolving in the next three years?
- Who is your ideal candidate and how can I make myself more like them?