In this pocket-guide, we’ll cover the key elements of building a strong Penetration Tester career path.
How does penetration testing fit into today’s business security landscape? As hackers’ methods continue to evolve through the use of new, sophisticated attack mechanisms, it’s becoming increasingly difficult for companies to defend their systems and data. Therefore, it’s crucial for businesses and organizations of all shapes and sizes to actively protect their assets; in many cases, they hire trained cybersecurity or InfoSec professionals well-versed in pentesting. They seek Penetration Testers who can look for vulnerabilities in less traditional ways and undertake cybersecurity posture assessments that scan and secure network segments based on the risks (threats and impacts) represented.

Highly trained Penetration Testers can “think like the enemy,” employing creative ways to look for problems before they occur, which often means going beyond the use of automated tools. Pentesters can perform technological offensives, simulate spear phishing campaigns that identify weak links in a company’s security posture, and pinpoint training needs. Through their work, they understand that exploiting the human element is essential to simulate realistic attacks and uncover all of an infrastructure’s critical weaknesses.

What is a typical Penetration Tester job description? As a penetration tester, you’ll be responsible for ensuring that computer information systems are protected from hackers. This means that your role will include running tests on applications, networks, and software. You will attempt to hack into systems and software, allowing you to access data that should be off-limits to unauthorized individuals. You will be responsible for identifying any potential weaknesses in existing systems and collaborating with other departments and professionals to determine the most effective and efficient ways to shore up software and systems.
The solutions you create may require adding new or additional security measures and rewriting program code.

Additional duties for Penetration Testers include reviewing any security system incidents, documenting threats, and completing reports with findings. You may also be asked to design improved security protocols and policies.

As a Penetration Tester, you’ll likely be required to:
Ultimately, you’ll utilize your knowledge to find vulnerabilities in networks, internal systems, and applications. When vulnerabilities are identified, you will be responsible for advising managers or executives on how to make systems more secure.

What job responsibilities does a typical day for a Penetration Tester include? A typical day for one penetration tester may look a lot different from another’s, depending on the organizations for which they work. For some, travel between different sites may be required, evening or weekend work may be needed to minimize disruption to the company workflow, and/or some work may be performed remotely or by telecommuting. But, as noted above, the heart of the Penetration Tester position is identifying security system vulnerabilities by attempting to exploit them and then devising solutions to resolve the weaknesses to keep their organization’s information safe.

A normal (we use that term loosely) day for a Penetration Tester may include the following tasks:
- Perform penetration tests on computer systems, networks, and applications
- Create new testing methods to identify vulnerabilities
- Perform physical security assessments of systems, servers, and other network devices to identify areas that require physical protection
- Pinpoint methods and entry points that attackers may use to exploit vulnerabilities or weaknesses
- Search for weaknesses in common software, web applications, and proprietary systems
- Research, evaluate, document, and discuss findings with IT teams and management
- Review and provide feedback for information security fixes
- Establish improvements for existing security services, including hardware, software, policies, and procedures
- Identify areas where improvement is needed in security education and awareness for users
- Be sensitive to corporate considerations when performing testing (i.e., minimize downtime and loss of employee productivity)
- Stay updated on the latest malware and security threats
What are the core requirements and skills to become a Penetration Tester? While it may be possible to land a job as a Penetration Tester based solely on the right set of skills, most employers prefer to hire penetration testers who have previous, relevant work experience.

Some employers want employees who have at least a bachelor’s degree; the U.S. Bureau of Labor Statistics indicates that employers prefer to fill entry-level positions in the field of information security analysis with applicants who have a bachelor’s degree in computer science, information security, or another comparable field of study. Additionally, employers may want penetration testers to have programming skills in specific programming languages and operating systems. Finally, employers may require that Penetration Testers hold certifications in ethical hacking and other IT security areas.

In addition to education, Penetration Testers are required to have certain skills:
- Plan a specific penetration test
- Create or select the appropriate testing tools
- Perform the penetration test on networks, applications, or systems
- Document methodologies
- Identify vulnerabilities using the data gathered
- Review and evaluate findings
- Establish possible solutions to the weaknesses
- Provide feedback and recommendations to management or clients
What are some items that a Penetration Tester’s resume might include? If you’ve performed some of the work detailed below, your resume might include the following responsibilities/items:
- They must have excellent computer skills to be able to attempt hacking systems.
- They require solid analytical skills to evaluate and analyze the processes involved in resolving existing and potential security threats.
- It’s also important for Penetration Testers to have proficient communication skills, as they will be writing reports and working closely with other IT professionals and departments.
- Penetration Testers must also have exceptional problem-solving skills to determine the best course of action when resolving issues and protecting networks from potential threats or breaches.
A quick word on customizing your resume: Your resume should be customized for each job you’re interviewing for. The desired skill sets the employer is looking for should be listed on the top of your resume. Most people tend to put their most recent or best skills first. That’s OK, but it’s better to put the requested skills on top where the hiring manager can see them.

Are you ready to start interviewing? If so, here are twenty questions to review. You may be asked these (or similar) questions on your Penetration Tester interviews:
- Expert knowledge of at least one mobile platform (iOS, Windows Mobile, Android, Blackberry)
- Expert application reverse engineering skill set, which can be applied to mobile platforms
- In-depth understanding of mobile code (Objective C, Java, etc)
- Expert manual code review skills
- Strong knowledge of information security frameworks and standards such as ISO17799/27001 and their application into diverse environments
- Strong understanding of the security mechanisms associated with Windows or Unix operating systems, switched networks, web-based applications, and databases
- Demonstrated ability to solve complex technical problems
- Competent to discuss the underlying technology with product developers
- Able to describe major phases, activities, checkpoints and deliverables of the application development lifecycle
- Understand the security controls/processes required to implement a robust secure application and can clearly articulate the risk associated with the failure of those controls/processes
- Detailed knowledge of the purpose of - and approaches to - security testing
- Strong web application testing experience
- Keen understanding of network security architecture
- Experience in reverse engineering or disassembly
- Technical risk assessment experience
- Application Security Code Review (e.g. looking at a client's home-grown web-facing application and reviewing the security of the code)
- Able to identify specific information security technical build guides and best practice deficiencies within the global organization; develop and drive cross-functional correction strategies
- Able to identify security requirements for business applications and data
- Experience in evaluating the design effectiveness of IT security controls
Should you ask questions during your interviews? Yes! Interviewing is a two-way street. Remember that, just as much as the company is interviewing you, you are interviewing the company to ensure there’s a good fit. Don’t be shy about asking questions. They’ll allow you to show interest and discern if the company culture and environment are right for you. Here are a few questions to consider asking your interviewer(s) during your interviews:
- Do you filter ports on the firewall?
- How does traceroute or tracert work?
- Can you name the three parts of a TCP handshake?
- What are the strengths and differences between Windows and Linux?
- How can you encrypt email messages?
- What kind of penetration can be done with the Diffie-Hellman exchange?
- How do you add security to a website?
- What are some ways to avoid brute force hacks?
- Do you perform any scripting?
- What tools are available for packet sniffing?
- What is the difference between asymmetric and symmetric encryption?
- What is the importance of a penetration test?
- What is SQL injection?
- Describe how SSL and TLS work
- How will you protect the data during and after testing?
- What are the phases of network penetration?
- Discuss a recent project or role
- Pretend I’m a layperson and explain how e-mail works to me
- What is a ‘Threat Model’? How do you go about designing one?
- What is the difference between a vulnerability scan, a risk analysis, and a penetration test?
What should you do after the interview? If you’re interested in the job, make sure you tell the interviewer you really want it. Many jobs have been offered to candidates who seemed highly interested in the job, even if they had a little less experience or qualifications than others. Follow-up emails and letters can’t hurt, but don’t stalk the interviewer. If they want you, they will call.

What does a Penetration Tester earn? According to a 2016 PayScale salary survey, the median salary for a penetration tester is approximately $78K USD annually, with a range from $44K on the lower end to $124K on the higher end. The survey notes that career duration is the biggest factor affecting pay for penetration testers, followed by geography; and the majority of workers are highly satisfied with their job.

Pay also depends on the amount of training and certification a professional has. According to Eric Geier, a freelance tech writer, in a PCWorld post, the Certified Penetration Tester (CPT) salary ranges from $50,000 USD to $100,000 USD per year or more, although it really depends on “the company that hires you, and on your IT experience and education.” Additionally, Sharon Florentine, a Senior Writer at CIO.com who covers IT careers, noted that Elaine Varelas, managing partner at Keystone Associates, stated “salary is based on value and contribution to the company, combined with the ‘going rate’ for your particular skills and experience in your geographic region. [Salary might also include] the specific perks and benefits you receive at your job….” There are also salary differences between the public and private sectors: in the public sector, monthly earnings may be lower, but professionals might enjoy more job stability, better retirement benefits and standard pay raises not so heavily linked to productivity and results.

What’s the state of the job market for Penetration Testers?
The penetration testing market is increasing, and many professionals are moving into this market segment. In many markets around the world, they’re switching for higher salaries, better opportunities, and more complex challenges. UK IT company ITJobsWatch published statistics in 2016 on pentesting employment, reviewing IT jobs advertised across the UK with “Penetration Tester” in the job title. When comparing data with the same period in 2015, the company found the job ranking went up by 145 positions.

What’s next? In summary, if you’d like to make penetration testing a career, you should develop security-relevant skills not just through studies in information security, but also through hands-on practice. To future-proof your career in today’s job market, it’s also important to become certified. Your certifications can help show current and future employers that, as a professional, you have up-to-date knowledge in the field and are truly skilled for the jobs for which you’re applying. Education/training and certifications also allow professionals to stand out against the competition for jobs.

Penetration testing professionals should prepare themselves for a challenging yet rewarding career that may not always be as glamorous as the movies, but that offers long-term satisfaction from protecting a company’s systems and software from harm.

Sources and Resources:
- What is the most important/valuable thing you have learned from working here?
- What is unique about working at this company that you have not experienced elsewhere?
- What is the most fulfilling/exciting/technically complex project that you’ve worked on here so far?
- What are the strengths and weaknesses of the current team? What is being done to improve upon the weaknesses?
- How do you see this position evolving in the next three years?
- Who is your ideal candidate and how can I make myself more like them?