To be a pentester……

Posted: September 25, 2014 in Uncategorized

At the young age of 32 I decided to move my career path from the hospitality sector but couldn't decide on which direction to take it. In the end I decided on going back into full-time education to study something I had a real interest in. I knew I loved computers and how they operate, so I opted to study for a degree in computing & web development. Mid-way through my foundation year I quickly learned about computer vulnerabilities and exploits. I took a real interest in this field and decided that maybe I wanted my education to lead me in the direction of becoming a penetration tester. I looked into the career prospects and salary of the job and made the decision that this is what I wanted from my university education.

A penetration tester is basically an ethical hacker: a pentester attacks a system to find vulnerabilities in the software, and once a vulnerability is found it is then exploited. The fundamental difference between a penetration tester and a hacker is the 'colour of the hat'. There are three different colours of hat in this particular world:

  • Black Hat
  • Grey Hat
  • White Hat

A black hat would find the vulnerability, exploit it and then either use the exploit for his/her own ends or expose the vulnerability worldwide. A black hat uses his/her skills in an illegal manner, be it for monetary gain or personal gain. In most cases they use their skills to damage companies and their systems.


A white hat works legally and is what's known as an ethical hacker (pentester). A white hat would test a system to find any vulnerabilities in its security; rather than exploit a vulnerability, a white hat would inform the owner of the system of the flaw in its software. A white hat would usually be employed by the company to help avoid holes in its systems.

Grey hats are the group in between; they operate on both sides of the law. Sometimes they will inform companies of the flaws found, and at other times they will exploit and damage the servers, then gain access to valuable information.

Penetration testing jobs can be found all over the globe. The salary varies massively: a job in the Middle East can pay up to £50,000 for a 5 month contract, but the average salary in the UK is around £56,000 per annum.

This career is of great interest to me, and numerous skills are needed to advance in this field. Most employers request that a candidate has the following:

  • Able to conduct PenTests and Vulnerability Assessments using Automated and Manual TTPs
  • Have an understanding of common Web and Systems Application vulnerabilities
  • Must be able to use at least two of the following proficiently and instruct others on them: Nessus, Burp, Metasploit Framework/Pro, and the Social Engineering Toolkit
  • Must have solid working experience and knowledge of Windows and Unix/Linux operating systems
  • Familiarity with Network and System architecture analysis. Fundamentals of network routing & switching and assessing network device configurations
  • Scripting (Windows/*nix), Java, Bash, Python, Perl or Ruby, Systems Programming

Becoming a pen tester is no easy feat, as many of the tactics used are illegal and self-teaching can be quite tricky. A potential pen tester needs to be of strong character to know where the line between legal and illegal activities lies; the person has to know themselves very well to know they can stay on the right side of the law.


Many of the ethical hackers of the world will hang around known forums or chat rooms to pick up on new exploits. They will assume a legend and operate under a false identity to fit in. This task in itself can pose a huge risk, as the people the pen tester is socializing with can be very dangerous people. When doing research for the job, the role of a pen tester can be likened to that of an undercover police officer.

 

Comments
  1. scottbw says:

    Excellent analysis of the role. I hadn’t really appreciated before the “Grey Hat” aspect; I suspect there might be a fair number of “poachers turned gamekeeper” in the Pentest world?
