SecureSet Career Series: The Pen Tester
Ethical Hacker
Did you know that banks will pay you to rob them? We’re not suggesting that you go grab your favorite ski mask and try your luck at your local branch, because you’ll only be paid in the form of a jail cell and a new friend named Bubba. The point is that banks hire individuals to break their systems for the sole purpose of finding the weaknesses so that they can secure them. If that sounds ridiculous, then check out this scene from the classic hacker film Sneakers.
Robert Redford and his crew bypass the alarm of a large bank, trick the security guard, and walk away with an easy $100,000. As Redford withdraws the cash the next day, he appears to be heading for the exit, but ends up making a quick turn upstairs to meet with the bank’s corporate team. He shows the team how much cash he stole while telling them why it was so easy. He then immediately demands a check for his services (not recommended).
While Sneakers is fiction, vulnerability assessment (red) teams are a reality. In the aftermath of 9/11, the CIA developed an experimental red team, known as “The Red Cell.” In cybersecurity, a red team is hired by an organization to break or bypass their security network. These organizations need ethical hackers, who can think and act like a criminal, but who can be trusted to document the vulnerabilities they find and refrain from stealing the valuable assets that they’re capable of procuring for their own personal gain. This is where Security Penetration Testers come in.
What does a Pen Tester do?
Pen testers make their living trying to break things. They are hired to probe computer networks and discover vulnerabilities that a truly malicious hacker could exploit. An organization will hire a pen tester to emulate an advanced threat actor. They allow them to simulate a cyber attack and attempt to breach their network. The insights from a pen tester’s report allow organizations to fill the security holes. Pen testers are an essential tool for mitigating future cyber attacks and preventing an organization from facing serious loss of assets.
Pen testers typically operate in phases when attempting a network breach. Phase one, reconnaissance, consists of sifting through a variety of outside sources (internet searches, social engineering etc.) to note clues that may reveal insights into how the organization’s security network operates. Phase two, scanning, consists of testing a network’s perimeter defense in search for glaring weaknesses. Gaining and maintaining access are phase three and four. These phases involve circumventing security measures and remaining within the network long enough to complete the tasks they’ve been given. This phase tests the security team’s ability to locate, contain the threat and the pen tester’s ability to remain elusive. The process ends with the covering tracks phase, as the pen tester attempts to leave undetected, so that if they were a real hacker, they could return for future attacks.
Skills you’ll need for breaking stuff.
While the level of technical aptitude that a security engineer possesses isn’t necessary to be an efficient pen tester, the more you understand what you’re hacking, the better you can bypass its security measures. Pen testers are experts in several technologies and platforms. They know the operating systems they’ll target, as well as network protocols, scripting languages and forensics (for the covering tracks phase). Pen testers must also be able to harness the mindset of a malicious hacker, so that they can outthink the security defense measures that are currently present in the targeted network. To be an efficient Pen tester, you must be passionate about constantly expanding your technical knowledge in addition to having an intrinsic desire to break something that has yet to be broken.
Perhaps the most imperative soft skill for this role is the possession of a rock-solid moral compass. Pen testers who are successful in their endeavors are faced with the ultimate test of morality. Once they successfully breach a network, their self-control is the only thing keeping them from turning into a malicious hacker and exfiltrating assets for their own personal gain. Imagine breaking into a vault at Fort Knox, and leaving without a single brick of gold. Organizations usually set parameters for pen testing exercises. Operating outside these parameters or exfiltrating data without an organization’s consent can lead to termination of employment and can even incur legal repercussions.
Other soft skills that are advantageous for this role include creative thinking and communication skills.
Heroes reap many rewards.
It’s cool that you get to break into networks with no repercussions, but it’s even cooler that you get paid for it. According to Payscale, the average starting salary for security pen tester is around 71,000 a year. A pen tester’s salary will vary due to previous experience, technical abilities and the location of the job. As you continue to expand your resume as a pen tester, your salary can easily reach the six figure range. Cyber defense is extremely important, but in an ideal situation, an organization would rather prevent a breach, than contain one. Because of the pen tester’s ability to uncover vulnerabilities before a threat actor does, they are in high demand by organizations across all industries.
A complete picture of a security team.
The advancement of cyber threats has led many organizations to develop their own Security Operations Center (SOC). A SOC consists of a cohesive cyber-team made of security engineers, penetration testers, security analysts and data scientists. Each member of the team brings a unique skill set that assists in the efforts of preventing, detecting, analyzing and responding to security threats.
The engineers are the technical experts that build and secure the networks and the detection tools of the company. The data scientists analyze the mass data that a company produces, in an effort to discover network insights. Analysts use these discoveries to actively search for anomalies in their network that might indicate malicious activity. When anomalies are spotted, analysts work with the engineers to set traps and contain threats. These traps can also be set preemptively in what’s known as “active defense.” Pen testers are white-hat hackers who simulate cyber attacks on their own network to discover its vulnerabilities. They report their findings to the team, so that together, they can fill the network’s security gaps.
Every team member in the SOC is an essential piece to the ongoing battle against cyber threats. The question is “which team member do you want to be?”
Where does the Pen Tester fit into the team?
A pen tester’s report is the ultimate preemptive tool in cyber defense. If a pen tester discovers a vulnerability, they can immediately notify the security engineers to patch it up before it’s exploited by a real threat actor. With a security gap fixed, analysts can more easily spot a threat that attempts the same hack, thus making the defense process much easier. In a sense, pen testers give the SOC a clairvoyant advantage when preparing to face threat actors. Battles that may have been fought are already won because a vulnerability is no longer a viable target.
Here’s How You Get Started
SecureSet Academy provides the most complete, immersive and compressed cybersecurity programs out there. Our CORE Program teaches the technical and analytical skills needed to become an effective pen tester. Our programs are a balance of classroom theory and hands-on lab time. This ensures that our students graduate with the level of skill and confidence needed to leave our academy job-ready. A majority of our students are hired within a few months of graduation (many before getting their diploma). The natural progression from general IT to cybersecurity can take five to ten years. CORE gets you there in as little as 20 weeks through deep dive, focused learning with some of the industries top leaders.
While many students who enter our CORE Program tend to have an IT background, you may feel like there are some gaps in your fundamental skill set. We offer a six-week preparatory workshop, SecureSet PREP, that will give you an introduction into Systems, Networking and Python. Passing PREP with a score of 80% or higher will pre-qualify you for our CORE Program, with the ability to deduct your costs from your Program tuition. PREP is a perfect way for you to establish a sturdy foundation for your cybersecurity career.
Are you ready to break systems?
The security pen tester role puts you head-to-head with the black hats (malicious hackers).This role is incredibly unique because the temptations and moral challenges you’ll face can be just as difficult as those that are technical in nature. At the end of the day, someone’s going to break into these security networks, but if you do it with the right intentions, you may be directly responsible for saving an organization millions of dollars or even protecting thousands of people from losing their personal information. If you can resist evil temptations and if you have an innate desire to break things (and get paid for it), then a pen tester career is calling your name.
Learn more about how our CORE Engineering program can help you launch your career in cybersecurity. You can also learn about all of our programs at secureset.com. View our next upcoming cohorts at SecureSet.com/core.
We’ll be talking about the Threat Intel Analyst position in our next Career Series blog. Check out other entries in our ongoing career series: Security Hunt Analyst, Security Engineer.
