Robert Shimonski - Penetration Testing For Dummies

Considering cybercrime

Doing your first pen test

Penetration (or pen, for short) testing is one of the hottest up and coming skills any IT professional needs to have. As more and more technology takes over our world, the need to ensure it’s safe and secure is at the forefront. Companies are actively looking for professionals with a background in IT security and the ability to do penetration testing.

As a pen tester, you need a solid understanding of how an attacker can access your systems and how they can conduct attacks. Not to fear, I walk you through these attacks and the mind of the hacker. You have to truly think like a hacker to be a good pen tester, which is why pen testers are called white hats, grey hats, or ethical hackers, which I explain in more depth in Chapter 2.

I also lay out everything you need to know about security vulnerabilities and introduce you to the tools, techniques, and skills that today’s most elite pen testers use on a daily basis to conduct penetration tests that keep their company’s assets safe.

I get to all that and more throughout the book, but in this chapter, I cover the basics, starting with what roles a pen tester can hold in a company. I move from there into the importance of getting certified and what skills are required. I end the chapter with a couple sections that can set you on the path to becoming a competent and sought-after pen tester.

The security arena has myriad names applied to anyone who does good or bad security stuff. If you’re new to pen testing, all that can be highly confusing. To clear up any and all confusion on the matter, I dedicate this section to describing the good guys who do pen testing and what roles you might have as a pen tester. (See Chapter 2for a breakdown of the baddies.)

The pen tester’s role is to penetrate and to ethically hack to find weaknesses within a company’s IT security program. Securing the weaknesses might be someone else’s responsibility. You may or may not be responsible for making recommendations based on the weaknesses you uncover, but I discuss that task in Chapter 12.

You must have permission to conduct penetration testing if you don’t work in the field or for a company hired to conduct it. Even if you’re hired to pen test an organization’s security, you likely still need permission for certain types of pen testing activities. See Chapter 9for more on that issue.

As big data grows as a concept and more and more systems grow in complexity and size, especially as companies move into cloud architecture and outsourced solutions, there is a need to leverage additional resources to stay on top of all the latest risks, issues, and threats. As more and more systems join massive compute models and virtualized systems are used in new architectural models, the global community of good guys (white hat hackers) can bring a wide array of benefits to the table.

Crowdsourcing is a form of security where pen testing is done via group-based team efforts of enthusiasts (who can also be experts) for the purpose of testing systems managed by enterprises much the same way a constant group may. For example, a crowdsource pen test group may be contacted to run the same types of attacks against you that a consultant may and report on their findings.

Crowdsourced pen testing is no different than any other crowdsourced solution. You’re using multiple resources to conduct your tasks to get a better outcome by leveraging a large pool of resources, knowledge, and abilities. But if you’re concerned about privacy and legal exposure, go with a consultant.

You can find crowdsourcers at sites such as www.hackerone.com . Join and offer your services or find pen testers to help you out with a project.

In-house security operations versus consulting services for hire (which I discuss in the next section) are generally how pen testers work in the field. Large companies and government agencies generally employ in-house operations engineers who conduct pen tests for the business they work for.

Smaller organizations can’t always afford to keep staff of this kind, and they often don’t have enough work to keep them busy. Sometimes conducting pen tests isn’t a dedicated position but is a task given to a systems administrator, a network engineer, or other IT professional in the organization.

An in-house employee who’s dedicated to securing the organization’s interests, assets, and reputation is often called a security analyst. This is someone employed full-time by a company, firm, or business (public, private, non-profit, government, military, or otherwise) who is responsible for providing security services. That’s a broad term for what can be a very detailed role requiring a variety of security functions, the skills needed, and the tools that are used.

Depending on the organization and the exact role, security analysts might have many other names, such as these (not a complete list):

Chief Information Security Officer (CISO)

Security architect

Security engineer

Security operations staff

Risk analyst

Forensics technician

Security practitioner

These are obviously more detailed roles within security, but they all work with security, and they all analyze security at some level of degree.

Generally, to become a good security analyst you need to absorb, learn, or train in many other areas so you have a holistic view of the enterprise you are charged with securing. I discuss what you need to know in the later section, “ Gaining the Basic Skills to Pen Test.”

You can hire a consultant to conduct a pen test for you or your firm. Consultants are for hire either as independent contractors or as part of firms you can hire. This may save you time and money in the future.

Consultants at times work for firms that specialize in security or provide security services under a contract. This means that they can scan remotely (externally) or come onsite and scan internally and do more intrusive testing. Either way, consultants allow a smaller organization to retain top talent for a reasonable price and still get the services needed to be current and secure. This route also paves the way for those entering into the field of pen testing an opportunity to gain employment through a company or a contract to conduct security services.

Professional organizations and vendors both offer industry standard, generalized and specialized certification programs, as well as those based on specific vendor tools. Some of them mix the two.

For example, one of the biggest and most focused pen testing certifications on the market today is CompTIA’s pentest+ certification. Although it covers general topics on pen testing, it also goes in depth on the tools you use the most. There are also other certifications, such as the CEH (certified ethical hacker certification) and the SANS GIAC Penetration Testing certification (covered in Chapter 16).

You can also start with general security certifications such as the CompTIA Security+ or the ISC2 CISSP.

It would also benefit you to learn how to write and submit reports and present your findings. I cover these topics in detail in Part 4.