This article discusses one particular role in the cybersecurity career landscape, the Penetration Tester, and examines the job responsibilities, skills, and personality traits that allow an individual to thrive in that role. We also examine how one might learn those skills and position oneself optimally as a candidate for employment as a Penetration Tester.
What Is a Hacker?
The term “hacker” has several meanings, beyond the obvious, which is “one who hacks.” Originally a derogatory term for someone lacking sufficient skills to do a task with finesse, “hacker” has come to mean an individual with sufficient knowledge to misuse computer software or infrastructure to achieve results that are inconsistent with their design and purpose. Simply put, a hacker uses computer resources in ways that achieve their own ends, not those of the owners. Very often this means the theft of valuable sensitive information for monetary gain. In fact, this is the type of hacker that we hear most about, because news of large breaches are shocking, scary, and newsworthy. This type of hacker is a criminal and is breaking the law as they go about their work.
What Is a Professional Hacker?
A “Penetration Tester,” on the other hand, is employed or engaged by an organization to test its defenses and report any vulnerabilities discovered and how they could be exploited. This individual has a highly valued skill set that allows them to examine an organization’s software and infrastructure and make specific recommendations on how better to secure them. Penetration Testers are in great demand and command impressive compensation.
A Penetration Tester is a professional hacker.
What Skills Are Needed?
Clearly, penetration testing requires extensive knowledge as well as a broad and advanced skill set. This includes a strong grasp and effective mastery of the following:
◈ Computer networking concepts, protocols, appliances
◈ Software, web-applications, including architecture, and the software development lifecycle (SDLC)
◈ Penetration Testing methodology, tools
◈ Vulnerabilities, malware, and weaknesses
◈ Cybersecurity best practices
◈ Communication Skills, written and verbal
◈ It is not for the faint of heart, but nor is it out of reach. With planning and a deliberate approach, each of these topics can be mastered in time.
IT technical roles can be broadly categorized into two categories: software development (a.k.a. applications) and infrastructure (a.k.a. networking), so it is often the case that Penetration Testers master one side or another early in their career before bolstering up the other side. The greater the degree to which an individual has mastered the areas above, the more versatile (and therefor more employable) is that individual as a Penetration Tester.
Skill Development
As we noted above, other roles in IT can provide a springboard into cybersecurity and penetration testing positions. An individual with strong expertise in networking or infrastructure will often just require concentrated training on core Penetration Testing skills and tools to round out their qualifications. Indeed, there may be much in the way of review in the journey.
Of course there are training courses that can help you acquire the necessary skills, some more focused and concentrated than others. College and university offerings are likely to be the most in-depth, albeit at greatest cost and time. Private training classes are another option, but be sure to have a comprehensive plan to ensure that all relevant subject matter is addressed within whatever patchwork of offerings are cobbled together. Yet another approach, which is faster and less expensive than the others, is to study specifically for the Penetration Testing role. This can be an effective approach for individuals with significant overlapping IT experience.
Certification
One important way to distinguish yourself from the competition and land that next job may be to earn one or more relevant industry-recognized certifications. This demonstrates a commitment to the profession and role to which you aspire, as well as an independent endorsement that a certain core knowledge base has been achieved.
In fact, in the face of high demand for qualified Penetration Testers and a low supply of qualified applicants, hiring managers will be practical and will naturally bias towards hands-on ability vs. formal education. This means the right certification(s) can get you past the gatekeeper for an interview.
Our favorite for Penetration Testing is the EC Council Certified Ethical Hacker (CEH) certification. Hiring managers know that a CEH certified candidate for a Penetration Testing role has made a commitment to the field and is familiar with all the relevant skill areas. A certification such as CEH can be a discriminating factor in landing you a job.
Familiarity With PenTesting Tools
Penetration Testing relies extensively on software tools, and while there is no official tool-set, there are certain tools and commands that you simply must be familiar with in order to have any credibility in the field. Note that we are not describing a superficial knowledge; to be productive you must have hands-on expertise with a certain critical core set of tools.
Another advantage of Penetration Testing-oriented training is that those tools will be covered, and you will have the opportunity to work with them. More importantly, you will come to understand the problems they solve and when they are the “right tool for the job.”
I have asked job candidates questions such as, “what would be a good tool choice in the following situation…?” as well as, “what are the trade-offs between using tool X and Y in this scenario?” This approach separates the book learners from the hands-on practitioners.
Certified Ethical Hacker (CEH) Certification
One of the reasons we rate the EC Council CEH Certification so highly is that we are very familiar with it. Affinity IT Security is an EC Council Accredited Training Center (ATC), and we offer CEH Certification preparation training. The CEH Certification coverage is both broad and practical, and it includes the opportunity to get hands-on experience with a large set of Penetration Testing tools. The examination is carefully engineered to assess both the taker’s knowledge and abilities by including real-world scenarios and questions about specific tools.
Preparing for and passing the exam is one means by which you can acquire and strengthen the necessary skills to be a professional Penetration Tester, enhance your credentials, and distinguish yourself from the competition.
More information on Affinity IT Security CEH Training can be found here.
Is Hacking For You?
In addition to the technical skills and credentials discussed above, the ideal candidate for the role of Penetration Tester must possess the following personality traits:
◈ Strong analytical skills
◈ Natural tenacity and persistence
◈ Curiosity about how things work
◈ A pathological willingness to upend designer expectations
◈ Strong communication skills
◈ A strong moral compass
0 comments:
Post a Comment