It is the classic case of thinking like a criminal in order to catch one. A penetration tester should not be culled from the ranks of your average computer science major or CIO, as they lack the necessary “underground” experience and mentality to truly think the way professional exploiters do.
So what qualities should be looked for in a penetration tester, to find one that will think like a criminal without actually being one? Here are some hallmarks.
A good penetration tester must be able to take disparate or incomplete data sets and, from them, fill in the gaps to discern possible attack vectors and approaches. Linear thinking is not enough — the thought process of a pen tester should allow him or her to take one piece of data and figure out all the ways that data can be applied in conjunction with other, seemingly unrelated data. This requires a high I.Q. and a tremendous amount of persistence.
As security methods increase in sophistication, pen testers should be able to adapt and explore non-obvious ways to penetrate a system. This includes phishing and social engineering attacks against live staff to test real-world vulnerabilities. One could conceivably go so far as to walk around an office at night, as if one were a janitor, to discover whether login information is available on yellow Post-Its stuck on monitors.
Furthermore, thinking outside the box is required for a tester to come up with new attacks, rather than simply Google existing ones like a script kiddie.
Penetration testers should keep in mind that the end goal is not bragging rights or the simple thrill of popping a target box, but to improve the enterprise’s security protocols to protect both it and potentially millions of customers from financial or privacy loss. As there are usually time and budget concerns, the pen tester should therefore focus first on discovering the critical vulnerabilities with the highest potential impact, then move on to secondary and tertiary layers of vulnerability.
As such, they need to demonstrate the ability to see the big picture of why a system would be attacked and what the intruder would be trying to achieve once a foothold is gained. Compromising one machine on a network would not be enough; the attack should be carried out until all further vulnerabilities now possible from that one compromised box are discovered — especially ones that lead to Social Security numbers, bank account information, or trade secrets — which are the areas a hacker group would most likely be targeting.
It is not enough to infiltrate a system and report the findings. The true value of a penetration tester lies in his or her ability to provide recommendations to fix all vulnerabilities found. It is here where the hacker hat is taken off and replaced with the consultant hat to advise on the best possible solutions to lock down a network.
Pen testers should also offer follow-up tests or provide means for in-house IT staff to verify holes have been patched.
Lastly, a pen tester must be able to communicate in non-technical terms to executives and others reading the final report. Complex jargon and scripting recommendations should be reserved for the enterprise’s IT staff, coming after a plain-English summary with illustrative graphics and charts that your average business person can grasp. Try reading a sample report from the tester and see if you can make heads or tails of it. If not, move on.
Penetration testing is intensive work. Anyone can use software to scan for common vulnerabilities, but only a real pro can go beyond the automated tests and delve into the nooks and crannies, just like a live, criminal hacker gang would.
John Dayton is a freelance writer who contributes to LWG Consulting, a company that provides forensic consulting services, including computer security.