Penetration Testing: Hacking for a Cause
By Agatha Gilmore — October 2009
Imagine you’re on your way to work. Your train is running late. While waiting on the platform, you whip out your smart phone to make a quick call to the office. Then, you pass some time by updating your Facebook status, logging on to your bank’s Web site to pay bills and checking the weather forecast for the weekend. You suddenly remember it’s your sister’s birthday tomorrow, so you go online to buy flowers to be delivered to her home. Just as you’re clicking “complete purchase,” you hear the rumbling of the train as it pulls into the station. And that’s all before your morning cup of joe.
Our world today is run by networks. We communicate with various technological devices, and these devices communicate with each other. As a result, unprecedented amounts of data — much of it sensitive — are floating about in a virtual world. Without appropriate gatekeepers, these networks could open up users to a world of trouble.
Enter the penetration tester: This IT professional serves as a kind of digital spy, deliberately hacking into companies’ networks to identify weaknesses and fix them, preferably before an actual breach occurs.
“You’ve got to switch your white hat into a black hat,” explained Billy Austin, chief security officer for Saint Corp., a provider of network vulnerability assessment and penetration testing services. “Due to the daunting number of vulnerabilities that come out on a daily basis, we understand that just identifying the vulnerabilities is not good enough. What we have to do is become more offensive-type minded people. It’s crucial to have the characteristics or mindset of understanding what the attacker’s moves are going to be, and what those processes and procedures and all the different routes that someone can take [are].”
That creative, flexible mindset comes in handy for a number of reasons. Not only is it helpful given the nature of the job — finding loopholes — but penetration testers must constantly learn and adapt to new technologies. In fact, Austin got his start creating applications and devices that intercepted SMS messages between pagers and telephones, and then his company began applying these techniques to computer systems.
“When I look at penetration testing today, it’s not just against a computer; it’s against any device that communicates,” Austin said. “And pretty much anybody that’s going to become a penetration tester needs to understand the communications and protocol stacks and the popular operating systems and networking components that allow us to traverse across the Internet.”
Familiarity with the Perl programming language — and preferably C as well — is critical, since “most exploits are developed in the Perl language,” Austin said. “At least knowing how to get along in that language would help people be able to modify exploits or modify attacks and be able to automate the process a little bit more.”
The major operating systems that penetration testers should know are Windows, Unix and Linux, and they should be comfortable navigating heterogeneous networks. Companies likely will be looking for matching Microsoft, Novell and Cisco certifications to prove the pen tester has a basic understanding of the core operating systems and network protocols, Austin said.
Other advantageous certifications for pen testers include the Certified Ethical Hacker (CEH), followed by the GIAC Certified Penetration Tester (GPEN).
“[The CEH exposes] somebody that may have been a network engineer who wants to get into the industry to different tool sets, different techniques and methodologies,” Austin explained. “If you want to start taking it up to the next level, there’s [the] GPEN. In my opinion, that’s probably one of the better courses out there.
“[Additionally], most vendors offer two-day courses where you can get hands-on with specific tools that allow you to go and perform the attacks on a target lab,” he continued. “Any time you’re performing attacks on a target lab, that exposes you to hands-on experience not just with the tools, but you end up learning other things about different [operating systems] and network devices. That’s one thing that’s real popular that we’re seeing: a lot more new people expanding into the penetration testing area end up taking the vendor certification.”
Austin cautioned that none of these certifications is meant to serve as a replacement for hands-on experience, which is crucial for success in this job role.
“If you think about it from a high level, you’re launching attacks. So it would be the same analogy as if the Navy or Army decided to hire fresh people and throw them into the fire,” he said. “Even though someone goes through boot camp, [it] doesn’t give them the experience unless they’ve had a chance to sit next to their captain or staff leader or sergeant.”
For this reason, junior pen testers can expect to shadow seasoned veterans at least a few times before embarking on a project on their own. It’s also a good way to get hands-on experience to move up the ranks, Austin said.
“Being able to sit along with one of the veterans on real-time jobs and being able to learn and comprehend the process [is key],” he said. “People need to get some experience, not by just throwing them into the fire and saying, ‘Here’s your first penetration job,’ because the customer’s not going to be satisfied; they need to be accompanied by a seasoned pro.”
Academic background is less important when it comes to hiring penetration testers, although a solid footing in computer science or a related field would come in handy. It’s industry knowledge that really counts, Austin said.
“Industry knowledge is imperative,” he said. “Sometimes the penetration teams are very small, and sometimes they’re just one person. So this one person not only has to understand all the technical knowledge, but they also have to understand probably each and every regulatory requirement.”
In the financial and commercial sectors, for example, pen testers will need to know all about the Common Gateway Interface (CGI), which is the standard for external gateway programs to interface with information servers, Austin explained.
“If you’re focused on the electronic grid, it’s going to be NERC [North American Electric Reliability Corp.]. It could be the banks, which might be related to GLBA [Gramm-Leach-Bliley Act]. For public companies, it could be SAS 70. That list literally goes on and on,” Austin said. “What I personally believe is we’re going to see a new industry regulatory compliance coming out every two years, if not every year. [And as a pen tester], you’ve got to dedicate time to understanding what those new requirements and modifications are going to be.”
Austin said he thinks some industries will soon mandate that penetration testing occur on a regular basis and be performed either by an internal employee or by a third-party provider, which would entail significant growth for the profession. The PCI Security Standards Council is a major driver behind this initiative, he added.
“Whenever something that large actually provides a mandate for the whole industry, that’s basically where you’re going to see a big shift in education, you’re going to see new training centers pop up, and you’re going to see curriculums pop up,” he said. “I see a big expansion in this area in the next couple years.”
Successful pen testers will also supplement their solid technical knowledge with good communication skills.
“There’s still a lot of confusion out there in the market space, so one has to be able to educate on what the difference is [between] this kind of penetration test versus a vulnerability assessment, [or] what the advantages of client versus remote exploit are,” Austin said. “It’s communication skills, documentation skills.”
A typical day for a penetration tester is varied yet full. The initial stages of a project involve working with a client to identify goals.
“So the first phase may be identifying how large their network is, what components they want to identify, and then create a longevity plan in terms of identifying all the risks and exposures,” Austin said. “Then what we’ll do is actually create the penetration testing phase — some people will call that the simulated hacking process — and that’s where we’ll try to compromise the systems, devices and applications from a hacker’s perspective.”
The next stage involves explaining to the client how the penetration testers managed to break into the networks and offering a remedy.
Austin said another aspect of his job involves networking with other penetration testers across the globe to stay abreast of attack trends, methodologies and requirements.
“One of the biggest things that you have to stay up on is education, and not necessarily just certifications,” he explained. “The certifications are really just the foundation. A good penetration tester has to dedicate time almost on a weekly basis just to stay up to date on all the latest threats or techniques that are changing almost daily.”
Once a pen tester has worked his way up the ranks, he can expect to do a fair amount of traveling. Austin said he logs about 100,000 air miles each year.
“Part of my job is actually going out and giving public presentations,” he said. “[Each year], I probably give 60 public presentations on what the latest attacks or trends or new techniques are, so I’m kind of always in a different city.”