
SO YOU WANT TO BE A PENETRATION TESTER?

The term “hacking” has different meanings to different people, and greatly depends on the context in which it is used. Through the evolution of computing and the popularization of cyber security, the term hacking is often described as the process of gaining access to computer resources without passing through the proper channels of authentication and authorization. These resources can be anything ranging from files stored on an internet-facing server, to network access, to private information. In the cyber security realm, hacking is gaining unauthorized access to an otherwise protected resource.

Types of Hackers

In a very general sense, there are two types of hackers, often referred to as “black hats” or “white hats”. The black hats (AKA the bad guys) are the ones who often make the news, using their skills to carry out criminal and fraudulent activities. These people often steal information and sell it on the dark web – a part of the internet where information and illicit goods are traded for money. Some black hats even sell non-public exploits to other black hats for a premium, while others leverage their technical skills to make political statements.


The white hats, on the other hand, use the same techniques and skills as their counterparts for good. Organizations often employ or contract the white hats – professionally known as penetration testers – to assess their security posture. The key difference is that penetration testers have explicit permission to carry out the same activities as criminals. Instead of running off with the organization’s data, penetration testers report the vulnerabilities identified, describe the potential damage an attacker may cause if successful in exploiting them, and provide recommendations to ensure the organization implements proper security controls to prevent or mitigate the vulnerabilities.

Is Penetration Testing the Right Career Choice for You?

Regardless of one’s intentions, it is important to ask why one would want to become a penetration tester in the first place. This is important because most people do not understand what it takes to become a penetration tester, and what the process of traversing networks and applications entails.


Penetration testers must continuously educate themselves in order to become successful and remain relevant in the field. Technology, programming, and security practices are constantly evolving, and exploiting systems usually requires a comprehensive understanding of the communication protocols and architectures deployed.


Aspiring penetration testers should be prepared for challenges every time. No two networks or applications are the same, so a one-size-fits-all approach (i.e., the easy way) will often not work. Also, because the purpose of the entire process is to get software or hardware to behave abnormally, penetration testing involves an incredible amount of troubleshooting and research in order for exploits to work. Spending several days or weeks attempting to exploit a specific functionality is not uncommon.


Penetration testing, especially in the corporate world, involves more than just technical wizardry. It is incredibly fun to go into a client site and take over their entire network, but at the end of the engagement, the client is going to expect a report, and sometimes some type of presentation as well. This means describing every vulnerability discovered in enough detail that a non-technical person can understand it. In other words, budding penetration testers should be prepared to speak in front of small groups and spend a good portion of their time writing reports.


How to get started?

At a minimum, penetration testers should aim to master the following domains: operating systems, network communications, and web technologies. From the beginning to the end of the process, penetration testers will be interacting with operating systems, whether it’s their own or the target’s. The Linux operating system is a great place to start, so take the time to learn how to use it, with a focus on the terminal (command prompt). Exploitation rarely involves a graphical interface, so it is important to become comfortable with the command line. Try an operating system built for security professionals, such as Kali or BlackArch. The two are built on different Linux flavors, yet both offer a myriad of security and networking tools.


Comfortable? Great, learn how the web works. Web technologies have permeated our everyday lives, and with the pervasiveness of mobile phones, more people are constantly connected to the internet. Understanding what powers web pages and mobile applications is critical to becoming a successful penetration tester. Knowing how to write code with languages like JavaScript and Python is a great place to start. In the end, one should know exactly what browsers are doing “under the hood” when people navigate the web and interact with their favorite applications.


Once acquainted, one should test their skills. There are many free resources available, such as vulnhub.com and hackthebox.com, that allow people to learn penetration testing. This is a great opportunity to learn cybersecurity and see what it takes to become a penetration tester. A few months of practice will help one decide if penetration testing is for him or her. If it is, great! Start working on a certification and consider an internship with a cyber security company, or perhaps moving into your own company’s security team.


To learn more, check us out on our website.

