Why and How to Become a Penetration Tester
A penetration tester is, in fact, an ethical hacker who works for an organization. The job centres on performing attacks against the organization's networks, systems, and web-based applications, attempting to use an exploit here or there. Your main function is to be that cool kid who can get into the system legally; that is in fact what your boss pays you for. Along the way, you may make use of existing penetration testing tools and you may also design some of these tools yourself. Your work is a realistic simulation of the job of a cyber attacker who wants to break into the system by any possible means. As a result, you help the entire organization become more secure against such potential attacks, and you make sure that everything an attacker may think of is in fact secured.
In fact, you may look at this job as an attractive one, since you are seen as the hacker of your organization, yet you should expect to work with bits of zeros and ones for the duration of this job. You have to be patient, dude! The main difference between a penetration tester and a real hacker is that a real hacker is unbounded in time, while a penetration tester only has a few days to get the systems compromised. After these days, a penetration tester should document his approaches to compromising the systems and his findings. Generally speaking, folks in the field consider the penetration testing job one of the most frustrating jobs in the InfoSec world. The following list gives you an idea of most of the job responsibilities that you should expect for this job.
- You are responsible for conducting penetration tests on the organization’s networks, systems, and web-based applications as well.
- You should perform some physical evaluations on all the network devices, systems, and servers that are used within the organization.
- You should always do your best to generate new tools to use for the sake of penetration testing.
- You should always look for any existing vulnerabilities that may be hidden in the web applications, fat/thin client applications, and standard applications of the organization.
- You have to think like an attacker to determine any methods that could be used to launch an exploit and mess with the organization’s systems. You should always think of logic flaws that exist in the security architecture or networks.
- You are responsible for a lot of social engineering tasks to uncover what is hidden. This may help discover security holes such as poor user security practices or weak password policies.
- You have to always consider the business goals when designing security strategies. For instance, you should take into consideration the loss of earnings that may be associated with downtime or cost of engagement.
- You should conduct your own research on the findings that you documented, and further, discuss them with the concerned IT teams and with the management.
- You have to clearly define and review what is required for applied information security solutions.
- It is also your responsibility to improve the security services which include a continuous enhancement of existing methodology material and supporting assets.
- You then have to provide your feedback, and you should verify that a security issue has actually been fixed by the organization.
It is clear that a penetration tester should be very concerned with finding vulnerabilities and exploiting them in order to gain access to and control of the system. However, Daniel Miessler stresses a very important point in this regard in The Difference Between a Vulnerability Assessment and a Penetration Test. He mentions that a penetration tester does not have to go all the way when he finds a vulnerability in order to prove his point:
“A penetration testing team may be able to simply take pictures standing next to the open safe, or to show they have full access to a database, etc., without actually taking the complete set of actions that a criminal could.”
There is a slightly different group of folks whom people sometimes confuse with penetration testers. These folks are called Red Team testers. They are in fact groups of IT professionals who perform attacks on a broad scope. To elaborate, Red Team testers can launch attacks on important assets such as utilities, military computer systems, financial assets, etc.
There is in fact a major difference between a vulnerability assessor and a penetration tester. A comparison between them both looks like the following:
- A penetration tester aims at breaking into a system or exploiting a vulnerability in an application that is presumed to be secure. A client in this case assumes that what they have is already secured and wants the penetration tester to help make it even more secure against any potential attacks, judged from an attacker’s point of view. A typical goal for a penetration tester is to get access to the customer’s database on the internal network, or to get some HR records of the organization modified.
- A vulnerability assessor is focused on developing a comprehensive list of security vulnerabilities with priorities for the recommended actions. The clients here are mostly aware of the fact that they are not the best at security and want to make some improvements accordingly. They need the vulnerability assessor to help them detect the vulnerabilities and prioritize them according to the hazards associated with them.
In general, a penetration tester is goal oriented while a vulnerability assessor is list oriented.
There is no single route to take in order to become a penetration tester. Some folks rely on the hacking courses and skills that they picked up at university, while others build on a Computer Science major to further specialize and concentrate on the field of cyber security.
In the current market, most employers are not keen on hiring you when you are a fresh graduate. For this job in particular, they prefer candidates with experience in IT positions. The following list gives some examples of the jobs that you may begin with before considering applying for a penetration tester position.
- Security Administrator
- Network Administrator
- System Administrator
- Network Engineer
After gaining sufficient experience in one of these jobs, climbing up the ladder, and becoming a penetration tester, spend your time there and take in enough knowledge and experience to move on to more exciting roles in your career. At that point you can consider one of the jobs that pay higher and that sit higher in the job hierarchy within the organization. Some examples of such jobs are given in the following list.
- Senior Penetration Tester
- Security Consultant
- Security Architect
In fact, there are some other common terms used in the market for the same job functions as the penetration tester job. The following list states two of these terms.
- Ethical Hacker
- Assurance Validator
The average salary for a Penetration Tester is suitable for its level in the position hierarchy. According to PayScale, a penetration tester is paid $71,929 per year on average. The minimum payment to expect for this job according to the figures is around $44,220 per year, while the highest payment you should expect is around $117,398 per year. Needless to say, all pay figures include your base annual salary, bonuses, profit sharing, tips, commissions, overtime pay, and other forms of cash earnings, as applicable. Higher figures do not include benefits.
Surprisingly, there is no specific degree that you must hold to be a competitive candidate for a penetration testing job. More surprisingly, a bachelor’s degree in Computer Science or Cybersecurity makes no difference compared to a master’s degree in the same field, and no difference compared to a non-technical degree either. The real challenge is to be well experienced and to show the employer how skillful you are when it comes to hacking and crafting attacks. Real experience can be gained by attending hacking conferences as much as possible and by supplementing these skills with professional certifications in the field. In the last section of this page, you will find a list of suggested certifications that are well suited to penetration testing work. In addition, you should have your own pen testing lab in which you perform your tests and attacks. You should always learn from other pen testers and keep reading on these topics as much as possible. It is also recommended to have a look at SANS courses and learn from them.
In general, employers will be interested in reviewing applicants who have at least 2 years of experience in the field of cybersecurity, combined with experience in penetration testing and vulnerability assessment tasks. On the other hand, if you are considering a higher position like Senior Penetration Tester, then the required years of experience vary according to the scale of the organization you are considering. Some employers require only 3 years of experience for this job, while others will need to see 7 to 10 years of experience in the field.
Penetration testers are expected to attack different systems and platforms. You should have very solid knowledge of operating systems, communications, and networking protocols. This is because you will be required to do several tasks such as security audits, developing code, automating security processes, and reverse engineering a lot of binaries. The following list gives an overview of the main technical skills that you should have for this job as a Penetration Tester.
- A perfect candidate has to be experienced in both Windows and Unix-like systems (such as Linux).
- A candidate should have a good command of programming languages such as C, C++, C#, Java, ASM, PHP, and Perl.
- A candidate should also be familiar with network scanning tools such as Nessus, Nmap, Burp Suite, etc.
- A solid knowledge of both hardware and software systems is highly required.
- Experience with web-based applications and their security is also recommended.
- A candidate should also be familiar with security frameworks and regulations such as ISO 27001/27002, NIST, HIPAA, SOX, etc.
- A candidate has to be experienced with the Metasploit framework.
- Experience with forensics tools is also a must-have skill.
- A perfect candidate should also be knowledgeable about the main principles of cryptography and best practices in the field.
You should have a strong set of soft skills, such as problem solving, creative thinking, and critical thinking. An analytical mind that pays attention to all the details is also a highly desired trait from the perspective of employers. You should show your potential employer your “out of the box” approaches when thinking about problems. You should also try to prove to your potential employer how high your ethical standards are.
Furthermore, you should have good oral and written communication skills. These two skills are essential for any corporate position because you will deal with both technical staff and non-technical personnel. You should be patient and willing to explain your approaches clearly to colleagues of different levels and backgrounds. Finally, you should be able to write clear technical reports that demonstrate all of the methods you used to perform your attacks. You should convey your ideas as well in writing as you do orally.
There are a bunch of great certifications that could give you a big push in your career and could help greatly in your job as a Penetration Tester. The following list attempts to state most of the recommended certifications for this job. However, there are a couple of notes to mention before going through the list. First, in the industry nowadays, CEH is considered a fairly loose certification, so you should take it but don’t depend on it alone. Second, it is recommended to ask your colleagues more about the pros and cons of getting certifications like CPT/CEPT, GPEN and, especially, OSCP.
- CEH: Certified Ethical Hacker
- CPT: Certified Penetration Tester
- CEPT: Certified Expert Penetration Tester
- GPEN: GIAC Certified Penetration Tester
- OSCP: Offensive Security Certified Professional
- CISSP: Certified Information Systems Security Professional
- GCIH: GIAC Certified Incident Handler
- GCFE: GIAC Certified Forensic Examiner
- GCFA: GIAC Certified Forensic Analyst
- CCFE: Certified Computer Forensics Examiner
- CREA: Certified Reverse Engineering Analyst