Introduction:
1. Penetration testing explained: How ethical hackers simulate attacks
2. Can you hire penetration testers on an hourly basis or for project-based tasks?
Penetration testing explained: How ethical hackers simulate attacks
Definition: Penetration testing is a process in which a security professional simulates an attack on a network or computer system to evaluate its security—with the permission of that system’s owners.
Don’t let the word “simulates” fool you: A penetration tester (or pen tester, for short) will bring all the tools and techniques of real-world attackers to bear on the target system. But instead of using the information they uncover or the control they gain for their own personal enrichment, they report their findings to the target systems’ owners so that their security can be improved.
Because a pen tester follows the same playbook as a malicious hacker, penetration testing is sometimes referred to as ethical hacking or white hat hacking; in the early days of penetration testing, many of its practitioners got their start as malicious hackers before going legit, though that is somewhat less common today. You might also encounter the term red team or red teaming, derived from the name given to the team playing the “enemy” in war game scenarios played out by the military. Penetration testing can be carried out by teams or individual hackers, who might be in-house employees at the target company, or may work independently or for security firms that provide specialized penetration testing services.
In a broad sense, a penetration test works in exactly the same way that a real attempt to breach an organization’s systems would. The pen testers begin by examining and fingerprinting the hosts, ports, and network services associated with the target organization. They will then research potential vulnerabilities in this attack surface, and that research might suggest further, more detailed probes into the target system. Eventually, they’ll attempt to breach their target’s perimeter and get access to protected data or gain control of their systems.
The details, of course, can vary a lot; there are different types of penetration tests, and we’ll discuss the variations in the next section. But it’s important to note first that the exact type of test conducted and the scope of the simulated attack needs to be agreed upon in advance between the testers and the target organization. A penetration test that successfully breaches an organization’s important systems or data can cause a great deal of resentment or embarrassment among that organization’s IT or security leadership, and it’s not unheard of for target organizations to claim that pen testers overstepped their bounds or broke into systems with high-value data they weren’t authorized to test—and threaten legal action as a result. Establishing in advance the ground rules of what a particular penetration test is going to cover is an important part of determining how the test is going to work.
There are several key decisions that will determine the shape of your penetration test. App security firm Contrast Security breaks test types down into a number of categories:
- An external penetration test simulates what you might imagine as a typical hacker scenario, with an outsider probing into the target organization’s perimeter defenses to try to find weaknesses to exploit.
- An internal test, by contrast, shows what an attacker who’s already inside the network—a disgruntled employee, a contractor with nefarious intentions, or a superstar hacker who gets past the perimeter—would be capable of doing.
- A blind test simulates a “real” attack from the attacker’s end. The pen tester is not given any information about the organization’s network or systems, forcing them to rely on information that is either publicly available or that they can glean with their own skills.
- A double-blind test also simulates a real attack at the target organization’s end, but in this type of engagement the fact that a penetration test is being conducted is kept secret from IT and security staff to ensure that the company’s typical security posture is tested.
- A targeted test, sometimes called a lights-turned-on test, involves both the pen testers and the target’s IT playing out a simulated “war game” in a specific scenario focusing on a specific aspect of the network infrastructure. A targeted test generally requires less time or effort than the other options but doesn’t provide as complete a picture.
App security firm Synopsys lays out another way to think about varying test types, based on how much preliminary knowledge about the target organization the testers have before beginning their work. In a black box test, the ethical hacking team won’t know anything about their targets, with the relative ease or difficulty in learning more about the target org’s systems being one of the things tested. In a white box test, the pen testers will have access to all sorts of system artifacts, including source code, binaries, containers, and sometimes even the servers running the system; the goal is to determine how hardened the target systems are in the face of a truly knowledgeable insider looking to escalate their permissions to get at valuable data. Of course, a real-world attacker’s preliminary knowledge might lie somewhere between these two poles, and so you might also conduct a gray box test that reflects that scenario.
While each of these different kinds of penetration tests will have unique aspects, the Penetration Testing Execution Standard (PTES), developed by a group of industry experts, lays out seven broad steps that will be part of most pen testing scenarios:
- Pre-engagement interactions: As we’ve noted, any pen test should be preceded by the testers and target organization establishing the scope and goals of the test, preferably in writing.
- Intelligence gathering: The tester should begin by performing reconnaissance against a target to gather as much information as possible, a process that may include gathering so-called open source intelligence, or publicly available information, about the target organization.
- Threat modeling: In this phase, the pen tester should model the capabilities and motivations behind a potential real attacker, and try to determine what targets within the target organization might attract that attacker’s attention.
- Vulnerability analysis: This is probably the core of what most people think about when it comes to penetration testing: analyzing the target organization’s infrastructure for security flaws that will allow a hack.
- Exploitation: In this phase, the pen tester uses the vulnerabilities they’ve discovered to enter the target organization’s systems and exfiltrate data. The goal here is not just to breach their perimeter, but to bypass active countermeasures and remain undetected for as long as possible.
- Post exploitation: In this phase, the pen tester attempts to maintain control of the systems they’ve breached and ascertain their value. This can be a particularly delicate phase in regard to the relationship between the pen testers and their clients; it is important here that the pre-engagement interactions in the first phase produced a well-defined set of ground rules that will protect the client and ensure that no essential client services are negatively affected by the test.
- Reporting: Finally, the tester must be able to deliver a comprehensive and informative report to their client about the risks and vulnerabilities they discovered.
CSO spoke to a number of security pros about the traits and skills an ethical hacker should have, and many of them said that the communication skills necessary to clearly convey this information are close to the top of the list.
The penetration tester’s suite of tools is pretty much identical to what a malicious hacker would use. Probably the most important tool in their box will be Kali Linux, an operating system specifically optimized for use in penetration testing. Kali (which most pen testers are more likely to deploy in a virtual machine rather than natively on their own hardware) comes equipped with a whole suite of useful programs, including:
- nmap
- Metasploit
- Wireshark
- John the Ripper
- Hashcat
- Hydra
- Zed Attack Proxy
- sqlmap
For more details on how all these weapons work together in the pen tester’s arsenal, read about the top penetration testing tools the pros use.
Pen testing is an area of specialization in the tech industry that has so far resisted consolidation. To put it another way, there are a lot of companies out there that offer penetration testing services, some of them as part of a larger suite of offerings and some of them specializing in ethical hacking. Research and advisory company Explority put together a list of the top 30 pen testing companies in Hacker Noon, and outlines its criteria for inclusion and ranking. It’s a fairly comprehensive list, and the fact that there’s almost no overlap with Clutch’s list of top-rated penetration testing companies or Cybercrime Magazine’s penetration companies to watch in 2021 goes to show how diversified this field really is.
The fact that there are so many pen testing firms should be a clue that pen testers are in high demand and there are good jobs out there for qualified candidates. And the jobs aren’t just at standalone security firms: Many big tech companies like Microsoft have entire in-house penetration testing teams.
North Carolina State University’s IT Careers department has a good outline of the outlook in this career category. They tracked over 16,000 open jobs in 2020 alone. One caveat, though, is that NC State combines penetration testing and vulnerability analyst careers in that overview. The two career tracks have many skills in common, but vulnerability analysts focus on finding holes in the security of applications and systems while they’re still in development or before they’re deployed, while pen testers probe active systems as we’ve described here.
The ethical hacking industry was founded by hackers who had once been less than ethical and were looking for a mainstream, legal way to make money from their skills. As is true in many areas of tech, this first generation of pen testers was largely self-taught. While there’s still room for those who’ve developed their skills in this way, penetration testing is now a common subject in computer science or IT college curricula and online courses alike, and many hiring managers will expect some formal training when considering a candidate.
One of the best ways to show that you’ve been cultivating pen testing skills is to get one of several widely accepted certifications in the field. The licensed training offerings that accompany these certs are a great way to acquire or bone up on the relevant skills:
- EC-Council’s Certified Ethical Hacker (CEH) and Licensed Penetration Tester (Master) (LPT)
- IACRB’s Certified Penetration Tester (CPT), Certified Expert Penetration Tester (CEPT), Certified Mobile and Web Application Penetration Tester (CMWAPT), and Certified Red Team Operations Professional (CRTOP)
- CompTIA’s PenTest+
- GIAC’s Penetration Tester (GPEN) and Exploit Researcher and Advanced Penetration Tester (GXPN)
- Offensive Security’s Certified Professional, Wireless Professional, and Experienced Penetration Tester
Can you hire penetration testers on an hourly basis or for project-based tasks?
We live in an era of persistent cybersecurity threats, from discussions around banning TikTok in the US to a video-phishing incident that cost tens of millions of dollars. Organizations of all sizes are clamoring for skilled penetration testers to help secure their networks, web and mobile applications, and APIs against unauthorized access. The global penetration testing services market is projected to nearly triple from 2023 to 2032 amid the escalation of cyberattacks, as well as industry countermeasures such as the anti-fraud credit-card handling standard, PCI DSS 4.0. Whether prompted by legislation or not, companies worldwide are seeing the need to shore up against vulnerabilities by reexamining everything from tech stacks to staff training policies.
Finding skilled pentesters remains challenging. Ethical hacking certifications can validate a candidate’s foundational knowledge, but further validation of a candidate’s skill set comes from real-world experience with vulnerability assessments, incident response, and application penetration testing. Many roles demand expertise in specialized areas such as social engineering, wireless network security, or automated pen-testing tools — the search for cybersecurity talent is certainly nuanced.
This guide brings clarity to the complexities of recruiting penetration testers, including practical steps for writing effective job descriptions and insightful interview strategies. By understanding the subtleties of this critical role, you can identify the right talent to protect your organization effectively.
A penetration tester identifies and mitigates security vulnerabilities. Their primary responsibility is to simulate real-world attacks, uncovering potential weaknesses before they can be exploited by malicious hackers.
Effective pentesters have encyclopedic technical knowledge and show a markedly creative methodology in leveraging it. For instance, they approach web application testing knowing the standard OWASP guidelines, but their scrutiny of authentication mechanisms, session management, and API interactions will let them uncover flaws that may be invisible to automated vulnerability scanning tools.
However, automated scanners are a useful starting point. Hands-on experience both with proprietary vulnerability scanners like Burp Suite or Nessus and open-source tools like the Metasploit Framework, Wireshark, and Nmap is a given in the pen-testing space. Standout candidates will know reverse engineering techniques and how to use languages like Python or JavaScript to craft custom exploits on the fly.
Quality penetration testers don’t just find vulnerabilities — they prioritize vulnerabilities based on potential business impact, concisely articulating recommended remediation strategies to stakeholders. And since they don’t normally execute these strategies themselves, it’s critical they have a track record of excellent collaboration with security engineers and software development teams.
The right penetration tester depends on your organization’s specific goals — and skill gaps. Maybe you already have in-house web application security pen-testing, but need a social engineering expert to regularly test your staff for policy compliance. Maybe your business is expanding into a new area, exposing it to unfamiliar cybersecurity requirements. Or maybe your company already has a solid cybersecurity team and would like to verify their efficacy.
Defining a scope will help you target candidates with the right expertise. For example, if your primary goal is assessing APIs, look for testers experienced in application security testing and OWASP standards. For mobile applications, you’ll want a candidate familiar with your app’s platform (e.g., iOS, Android, or both) and specialized tools like MobSF. If phishing is a concern, experience with social engineering simulations is a must. Additionally, auditing Linux or Windows servers can be quite different from each other — a strong background in your organization’s specific environment(s) is the only way to evaluate server configurations and permissions effectively.
Certifications—if relatively current—can help verify a pentester’s baseline knowledge and practical skills. The full landscape of certifications is beyond the scope of this guide, but it’s good to be aware of two in particular: OSCP (Offensive Security Certified Professional) demonstrates practical skills in penetration testing and exploit development, while CEH (Certified Ethical Hacker) is restricted to theoretical aspects.
But real-world experience in a similar technical context or past successes with ethical phishing (as applicable) are at least as valuable. The question is, how much experience is appropriate for the role you’re filling?
Junior penetration testers are best suited to tasks like routine vulnerability scanning, conducting security assessments under supervision, or assisting senior testers. They often have 1-2 years of experience and may need practice with more complex techniques. Their experience may also be limited to a specific area, like corporate firewalls, mobile apps, or a specific operating system. That can be appropriate — a freelancer specialized in hacking mobile apps may uncover just as much viable attack surface as a more experienced generalist — but only if their past experience is an exact match for the role.
Mid-level penetration testers can handle standalone assessments, including exploiting vulnerabilities in web apps and mobile applications. They generally have 3-5 years of experience and can often readily adapt to various scenarios, from auditing an organization’s social engineering resistance to testing for SQL injection vulnerabilities in a web app.
Senior penetration testers are security experts who design and execute comprehensive testing strategies. With over five years of experience, they often lead red-team exercises to test a company’s incident response and conduct advanced social engineering simulations, and they are used to providing effective remediation guidelines with clear technical details.
The definitions of and delineations between “penetration tester” and “ethical hacker” continue to be a source of industry disagreement. Some experts simply use the terms interchangeably as we’ve done here. However, the choice between the two role names for your job description isn’t as important as being specific about the expected scope of work. In fact, the role you have in mind may include enough adjacent elements that a system security expert job description template might be a good starting point.
Be sure to clearly outline your organization’s needs. Specify whether you need expertise in web app penetration testing, wireless network security, or social engineering, and name any skill requirements related to frameworks, whether they’re general pen-testing ones (like PTES) or use case–specific (like PCI DSS). Highlight desired certifications and tools, and highlight not only the required years of experience but also how the role fits into the relationship with existing members of your team.
Include expected deliverables, even standard fare like providing detailed pen-testing reports, articulating remediation strategies, and collaborating with security professionals to implement solutions. But for candidates to best understand the role, be sure to include as much detail as possible about the expected types and scope of penetration testing itself.
Lastly, emphasize whether the position is full-time, freelance, or part of a broader security consulting engagement and to what extent remote work fits your policies. Clear job descriptions will save you time by attracting candidates who are better aligned with your objectives.
It’s worth quizzing candidates on common security mistakes (for example, how they might exploit or patch various web security vulnerabilities) but don’t neglect broader discussions in gauging their ability to apply information security principles. The following are designed to enable hiring managers — with the aid of in-house security experts — to identify top talent.
What is your process for integrating automation into penetration testing?
Automation enhances the efficiency and consistency of penetration tests. Which tools does the candidate use for repetitive tasks, such as vulnerability scanning or code analysis?
Look for a clear understanding of where automation ends and manual testing begins, particularly for nuanced vulnerabilities like business logic flaws. Ask for examples of how they’ve adapted automation tools to a specific project, as well as examples of when they’ve created ad-hoc pen-testing scripts in languages like Python.
Can you walk us through a recent penetration test you conducted?
With this broad opportunity to showcase their methodology and communication skills, strong candidates will reference frameworks like PTES or OWASP’s WSTG, emphasize both systematic and adaptive application security testing, and discuss their tooling preferences.
A good answer will cover security measures that the candidate encountered — such as firewalls and intrusion detection systems — and how they were able to bypass them. It will also cover which security controls they recommended, such as applying patches, hardening configurations, or implementing network segmentation.
Consider it a yellow flag if a candidate fails to prioritize vulnerabilities based on real-world impact or to propose clear, actionable remediation strategies.
How do you approach testing legacy systems, such as outdated PHP applications?
PHP is still widely used, particularly in legacy systems, even though PHP 8.0 hasn’t been officially supported since late 2023. If your tech stack involves (or may involve) an outdated PHP deployment, it’s highly relevant to check your candidate’s familiarity with PHP-specific risk factors, such as the misconfiguration of the long-deprecated or the use of the weak session ID generation mechanism that was once PHP’s default. Ask candidates to recommend methods for hardening legacy applications; responses can include securing PHP configuration options, adding modern authentication practices like 2FA, and integrating tools like PHPStan into build processes.
This question can be easily adapted to other languages and frameworks, especially in any projects in your organization with an under-active maintenance schedule.
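As an added example (not code from either of the articles above), here is a small Python script of the ad-hoc kind the hiring guide mentions: it audits a php.ini excerpt for the legacy and session settings a hardening review of an outdated PHP deployment would check. The directive list, the reasons, and the sample INI are constructed for this example; the session-ID strength check assumes the PHP 7.1+ session.sid_length and session.sid_bits_per_character directives and their defaults (32 and 4).

```python
"""Audit a php.ini for legacy/insecure settings a hardening review would flag.

Added example with a constructed directive list; not the page's own code.
"""

# Directives that should be off (or absent) on a hardened deployment.
MUST_BE_OFF = {
    "register_globals": "removed in PHP 5.4; lets request data overwrite variables",
    "magic_quotes_gpc": "removed in PHP 5.4; false sense of injection protection",
    "allow_url_include": "enables remote file inclusion via include()/require()",
    "display_errors": "leaks stack traces and file paths to clients",
    "expose_php": "advertises the PHP version in response headers",
}
# Session directives that should be on for session hardening.
MUST_BE_ON = {
    "session.use_strict_mode": "rejects uninitialised session IDs supplied by clients",
    "session.use_only_cookies": "prevents session IDs from travelling in URLs",
    "session.cookie_httponly": "keeps the session cookie away from script access",
    "session.cookie_secure": "sends the session cookie over HTTPS only",
}
TRUTHY = {"1", "on", "true", "yes"}

# Constructed legacy php.ini excerpt used as sample input.
SAMPLE_LEGACY_INI = """
[PHP]
register_globals = On          ; legacy switch left enabled
magic_quotes_gpc = On
display_errors = On
expose_php = Off
allow_url_include = Off
[Session]
session.use_strict_mode = 0
session.cookie_httponly = 1
session.sid_length = 26
session.sid_bits_per_character = 4
"""


def parse_php_ini(text):
    """Return {directive: value} from php.ini text; [sections] and ';' comments are
    ignored (quoted values containing ';' are not handled, which is fine for an audit)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(value):
    return value.lower() in TRUTHY


def audit_php_ini(text, min_sid_bits=128):
    """Return a sorted list of (directive, reason) findings for the given php.ini text."""
    cfg = parse_php_ini(text)
    findings = []
    for key, why in MUST_BE_OFF.items():
        if key in cfg and is_on(cfg[key]):
            findings.append((key, f"is enabled: {why}"))
    for key, why in MUST_BE_ON.items():
        if key not in cfg or not is_on(cfg[key]):
            findings.append((key, f"is not enabled: {why}"))
    # Session ID strength: characters in the ID times bits encoded per character.
    sid_bits = int(cfg.get("session.sid_length", "32")) * int(cfg.get("session.sid_bits_per_character", "4"))
    if sid_bits < min_sid_bits:
        findings.append(("session.sid_length", f"yields only {sid_bits} bits of session ID entropy"))
    return sorted(findings)


if __name__ == "__main__":
    for directive, reason in audit_php_ini(SAMPLE_LEGACY_INI):
        print(f"{directive}: {reason}")
```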