Penetration testing is a mandatory component of any thorough information security program, as security pros know. Company networks are vast and complex, and security teams have the (often thankless) job of protecting everything that falls under the general category of “IT” or “IS.” While security teams must keep track of all the hundreds or even thousands of places on or touching the network that could be exploited, a threat actor needs only find one vulnerability in the system to inflict harm. Enter: the penetration tester.
Penetration testers have the sometimes fun, always challenging job of seeking out the weak spots in a company’s systems, giving organizations an opportunity to remediate problems before an attacker gloms on. Pentesting isn’t a new category of security practitioner, but given the quantity and severity of problems, the field is experiencing a bit of a surge in interest. At InfoSec World 2016, Mike Saurbaugh, Director of Technical Alliances at PhishMe, presented some interesting data he gathered through interviews with students in higher education technology programs. Saurbaugh found that 52% of students want to be a security analyst, engineer, or pentester upon graduation. The primary reasons given for wanting to explore this field of work: the ability to continually learn new things and grow personally, and make a difference (defend against hackers) in choice of career.
Pentesting is not always as “sexy” as it sounds on paper, and even other practicing security professionals occasionally foster misunderstandings of the field. To provide an insider’s point of view, Infosec Insider spoke with longtime pentesters Kevin Johnson and Rob “Mubix” Fuller to set the story straight.
How did you get into pentesting? What tools were available (or not) when you started?
Johnson: I actually kind of stumbled into it. I was a nerd my whole life and got involved with the BBS scene early in my teens. (It was a long time ago.) As my career started (right out of high school), I was an admin and a developer at a variety of companies. About 15 years ago, the company at which I worked was hacked and I was asked to help out. This was my first real introduction to security. Shortly thereafter, about 10 years ago, I was asked to test my workplace. Things just went from there...
Fuller: I started in pentesting not that long ago, about 2009-ish, so the tools were very much the same as they are now (just with fewer features).
As for how I got my start, I simply applied for a junior level position. What I think netted me the job was my drive to learn, home lab, and previous experience in IT (Cert, Systems/Network Admin).
Explain some of the misconceptions about what a pentester is and what s/he does.
Johnson: Part of me finds it funny [how people misinterpret my occupation], and part of me is bothered by how worried people become when they find out what I do. Believe it or not, I have actually had waitresses stop serving my family because they thought I was going to steal their identity while eating.
Another time, shortly after being contracted to perform a pentest for a religious organization, I was asked to sign a morality clause. Part of the clause was that I and my team had to agree not to lie during the duration of our work. I had to explain to my contact that he was actually hiring me to lie—social engineering, even if it’s for the purposes of pentesting, is lying, in effect. And social engineering is absolutely part of a pentest! It was incredibly awkward because, as a rule, pentesters don’t go around lying, cheating, or stealing just because they may be able to. A lot of people think pentesters use our skills to our advantage outside of the workplace when, actually, it would hurt my career if I weren’t honest.
Fuller: I think the biggest misconception from fellow IT people is that pentesters can magically break into anything. On the friends and family front, they want you to break into stuff for their gain. I've fielded requests for changing school grades to installing key loggers on girlfriends’ laptops.
The biggest, most common misconception from those trying to be pentesters is that it's all glam and glory—finding the one flaw that will save the company from the Russians/Chinese/organized hackers. In reality, pentesting is just like [the sport of] boxing; boxers get their big breaks and front-page feature stories once in a while, but what people don't normally see are the countless hours in the gym, getting beat up by trainers or better boxers in order to learn their trade. Pentesting is in no way a 40 hour per week job. It's more like 80, and finding problems isn’t always a knockout.
More college programs exist now than 5-10 years ago. School learning is important, but what else should a person do if they are serious about becoming a pentester?
Fuller: Build networks, break them down, and build them up again. The more ways one tries to build out a network, the more ways she or he will learn to break it. This type of learning can't be taught in a school setting. Taking a course will show you how “X person” broke into a network; building one will teach all the ways one can be broken.
Johnson: Learn how to do IT. It actually worries me that so many people are trying to jump right into security without understanding IT basics—how a network is architected, which systems are dependent on others, etc. If a person doesn't know how to manage a server or build an application, how can that person possibly know the right solutions to the problems?
What are three top skills you use when you’re conducting a pentest?
Fuller: Perseverance, patience, and repetition.
Perseverance is incredibly important because failing is the name of the game. You will fail often, and that is actually really great because it means the customer is doing a good job security-wise. Pentesters have to be able to feel good about that. It's not easy to mentally overcome the idea that failure is positive.
Patience is also necessary. If a pentester rushes through the test, mistakes will be made. (N.B., the adversaries are taking their time getting into your networks; shouldn’t you take the same care when trying to prevent them?). To quote a very old military saying: "Slow is smooth and smooth is fast"
Finally, the ability to endure repetition is important, because sometimes it's only once you have tried something that 101st time that it finally works.
Johnson: A good pentester is a master of solving puzzles. He or she understands networking and applications at a deep level. A pentester must also be incredibly persistent. (I’m not sure that last one is a skill, but Rob took liberties with his answers too.)
What skills do you think you’ll need to learn or improve upon for the future?
Johnson: Despite the clichés, I think focusing on business is important. Security has to understand what the business needs and how it functions in order to target the right areas of a company’s network and most sensitive assets. A good pentester knows what types of adversaries look for which kind of data, and as security grows into a more mature field, it will help the business be more proactive about protecting those assets. That’s what pentests are all about anyway: finding problems before the bad guys do.
Fuller: That is a really long list. I want to learn C++ better so I can code my own back doors better. I want to learn more about NoSQL and web application frameworks because everything is already a web app of some kind. I want to learn how to break apart iOS and Android apps. I want to get more practice with physical engagements and learn radio frequency better. Just to name a few on the top of my list. The best pentesters I know are always learning and growing.