Penetration Testers on the Front Lines of Cyber Security
Penetration Testers Of all the interesting careers in the field of information security and cyber security, the critical role of the penetration tester, or pen test specialist, is one of the most fascinating. The term “ethical hacker” is often used to describe the work of pen testers, whose job involves infiltrating computer systems to detect and address vulnerabilities that non-ethical hackers could exploit to cause untold havoc. The job requires you to possess cutting-edge technical skills, communication skills and also confidence, because part the job is to outsmart some very savvy bad guys as the stakes grow higher every day. Cybersecurity Ventures.com estimates that the cost of cyber crime worldwide will skyrocket to $6 trillion a year by 2021, with hackers hitting high-profile organizations like Target, Facebook, Equifax and even government agencies like the NSA and the Department of Homeland Security.
Penetration Testers Needed [The Cyber Security Skills Gap]
With so much at stake, and with the high level of technical expertise required for such key information security positions as pen tester and vulnerability assessor, it is extremely challenging for employers to find qualified individuals to fill a growing number of jobs. The talent shortage has led to widespread reporting on a “dangerous” cyber security workforce skills gap.
This is also one of the key factors driving the high salaries paid to cyber security professionals. For example, the website CyberSeek.org, which works to “help close the cyber security skills gap (by providing) detailed, actionable data about supply and demand in the cyber security job market,” lists the average salary for Penetration and Vulnerability Testers at $102,000.
The average salary for information security analyst, a related position, is listed by the U.S. Bureau of Labor Statistics at $98,350.
But what does a penetration tester do? Of course, the primary objective of pen testing is to identify security weaknesses in both systems and policies. To excel in this role, you will need a wide range of skills:
- Coding skill required to infiltrate any system
- Comprehensive knowledge of computer security, including forensics, systems analysis and more
- Insight into how hackers exploit the human element to gain unauthorized access to secure systems
- Clear understanding of how computer security breaches can disrupt business, including the financial and managerial implications
- Exceptional problem-solving skills
- Communications skills to document and share your findings
Penetration testing is typically tailored to the individual organization and the industry it operates in; some industries, such as health care and banking, rely on pen testing to maintain compliance with industry security standards.
The work is often performed by outside contractors who are brought in to uncover potential blind spots missed by developers who build the systems, applications and software. These ethical hackers run the gamut from experienced developers with advanced degrees and pen testing certifications to self-taught hacker savants; some are even former black-hat hackers who use their talent and skill to help organizations safeguard their systems.
Penetration Tester Job Description
In addition to the skills described above, an unwritten part of your job description as a penetration tester also includes an ability to “think like the enemy” in order to combat the full range of techniques and strategies that hackers might employ, or even to anticipate new ones. Your work will likely also involve planning and executing tests, documenting your methodologies, creating detailed reports about your findings and perhaps also being involved in designing fixes and improving security protocols.
Cybrary, a cyber security and IT workforce development and networking company, also lists the following job requirements:
- Perform penetration tests on computer systems, networks and applications
- Create new testing methods to identify vulnerabilities
- Perform physical security assessments of systems, servers and other network devices to identify areas that require physical protection
- Pinpoint methods and entry points that attackers may use to exploit vulnerabilities or weaknesses
- Search for weaknesses in common software, web applications and proprietary systems
- Research, evaluate, document and discuss findings with IT teams and management
- Review and provide feedback for information security fixes
- Establish improvements for existing security services, including hardware, software, policies and procedures
- Identify areas where improvement is needed in security education and awareness for users
- Be sensitive to corporate considerations when performing testing (i.e. minimize downtime and loss of employee productivity)
- Stay updated on the latest malware and security threats
Penetration Tester Career Path
An article by industry website DarkReading.com (“So You Want To Be A Penetration Tester”) explains that the job involves elements of both excitement and tedium, but chances are your work will not involve scenes like “Tom Cruise in ‘Mission Impossible’ hacking into a CIA computer while dangling horizontally from cables in a heavily protected room.” The advice offered there includes starting out as a programmer or systems administrator, gaining essential knowledge about how systems work that finding flaws in them almost becomes “second nature.” Hands-on experience is strongly emphasized.
The article urges would-be pen testers to be aware that it is a service that has a beginning, middle and end — and quotes security consultant David Maynor as saying, “The beginning is the assessment, the middle is the fun part like breaking into a system, and the end is the documentation and communication of those findings to a client. If you don’t do all those things, I don’t think you are doing pen testing very well.” For penetration testing consultants, much of the work can involve telecommuting, with long hours spent at the keyboard, but the job can also include considerable travel to and from job sites.
In addition to government agencies that hire in-house pen testers, a recent listing on LinkedIn showed thousands of penetration tester job openings at such companies as:
- Bank of America
- Blue Cross Blue Shield
- Booz Allen Hamilton
- JP Morgan Chase
- Hewlett Packard
- Capital One
- BAE Systems
- H&R Block
There is often overlap in job descriptions and responsibilities in the world of cyber security; several job titles that are sometimes closely associated with pen tester include such positions as information security analyst, as well as security specialist, analyst, auditor, engineer, architect and administrator.
According to Infosec.com: Many companies treat the above titles as stem words, adding another term like “cyber,” “application” or “network” to denote the job scope and area of specialization.
Penetration Tester vs. Vulnerability Assessor
Another closely related job is that of vulnerability assessor or vulnerability tester. The key differences between a penetration test and a vulnerability assessment are summarized as follows by the highly respected cyber security writer and consultant Daniel Miesller.
Vulnerability assessments are designed to yield a prioritized list of vulnerabilities and are generally for clients who already understand they are not where they want to be in terms of security. The customer already knows they have issues and simply need help identifying and prioritizing them. The deliverable for the assessment is, most importantly, a prioritized list of discovered vulnerabilities (and often how to remediate).
Penetration tests are designed to achieve a specific, attacker-simulated goal and should be requested by customers who are already at their desired security posture. A typical goal could be to access the contents of the prized customer database on the internal network, or to modify a record in an HR system. The deliverable for a penetration test is a report of how security was breached in order to reach the agreed-upon goal (and often how to remediate).
Bug bounty programs are another cyber security strategy that also employs techniques common to penetration testing. Companies that administer bug bounties offer cash “bounties” to ethical hackers who identify vulnerabilities or “bugs” in their systems.
One of the differences is that in pen testing a limited number of specialists are typically looking for specific vulnerabilities, whereas bug bounty programs welcome any number of specialists to find uncertain vulnerabilities. Additionally, pen testers are typically paid hourly or annual wages, while bug bounty participants operate on a pay-for-results model that offers greater compensation for higher-severity bugs discovered.
Penetration Tester Certifications
While hands-on experience in pen testing, both general and specialized, is the gold standard when it comes to employers looking for talent, many organizations may also prefer or require applicants to hold industry certifications in ethical hacking, penetration testing or other aspects of IT security.
Some of the leading penetration tester certification programs include:
- Certified Ethical Hacker (CEH)
- Certified Penetration Tester (CPT)
- Certified Expert Penetration Tester (CEPT)
- GIAC Certified Penetration Tester (GPEN)
- Licensed Penetration Tester (LPT)
- Offensive Security Certified Professional (OSCP)
- Certified Mobile and Web Application Penetration Tester (CMWAPT)
- CompTIA PenTest+
Benefits of Academic Degrees for Penetration Testers
It is widely acknowledged that penetration tester is among the information security jobs for which you do not necessarily need a degree, however a master’s in cyber security can be valuable in several ways:
- Experience is highly valued in the world of penetration testing, and top cyber security degree programs have built-in opportunities to gain hands-on experience.
- If you are seeking to advance your career by moving into a senior-level or leadership role, a master’s degree in cyber security can help position you to supervise pen test teams.
- As the need for penetration testers and vulnerability assessors continues to expand, competition for these jobs is expected to become more rigorous and a degree can give you a competitive edge.
- You’ll have the opportunity to learn from pen test experts (for example: Paul Keener, an instructor with the University of San Diego’s online master’s degree in Cyber Security Operations & Leadership, has experience developing and leading cyber penetration teams within the Department of Defense).
- Because the nature of potential threats is always evolving, penetration testers must constantly update their skills, methods and overall knowledge about current (and future) threats and defense technologies.
- A solid grounding in the fundamentals of the business and management environments you’ll be operating in is also extremely helpful.
- In addition to technical skills, penetration testers and vulnerability assessors need strong written and oral communication skills to document detailed reports and convey the results of their findings.
Are you an information technology professional considering a move into the specialized field of penetration testing? An experienced pen tester looking to advance into a senior-level or leadership role? As you explore your options, consider starting a conversation about whether earning your master’s degree in cyber security online can help you achieve your goals.