Imagine the exhilaration of slyly hacking into secure systems without the fear of repercussion or imprisonment. Penetration testers (also known as pen-testers) do just that, and are actually paid to hack into secure systems – by the system administrators themselves. Essentially, pen-testers are contracted to hack a system to find holes in security and recommend appropriate measures for patching those holes.
While the action may not be quite as exciting as the 1992 film Sneakers (Robert Redford and Ben Kingsley) or the hokey, stylized 1995 flick Hackers (Angelina Jolie and Jonny Lee Miller), pen-testers work in a constantly evolving field. Staying on top of all the latest hacks, scams, malware, and other hacker techniques is absolutely necessary for those who work in this field.
Pen-testers may even dabble a little in social engineering “field work,” where they will be tasked with trying to get company employees to divulge sensitive information about their networks.
Students desiring to foray into the penetration testing field should first obtain a degree in cybersecurity before proceeding on to the next step. After, or even during their schooling, students can begin to drive their career toward pen testing. Certification courses and licensing exams are available to help prospective pen-testers to qualify for information security positions.
What Is Penetration Testing?
Hackers are skilled in writing and deploying code-based exploits (programs designed to take advantage of a security flaw to gain access to a secure system). Most exploits are constantly customized and shared on hacker forums online and on the deep web. Pen-testers use these same exploits to strengthen a company’s network security.
“During a penetration test, we take on the role of a hacker,” says Anthony Khamsei, founder of Gold Security, in “Protecting Yourself And Your Tech Is Not Optional” in Forbes. “We attack a client using the same techniques adopted by hackers in a genuine security breach. By doing so, we are able to root out any weaknesses that a hacker with malicious intent might be able to exploit.”
Khamsei also notes the difference between vulnerability assessments and pentesting. Vulnerability assessments merely highlight potential flaws while pentesting actively seeks to exploit flaws in a sanctioned attack.
As cybersecurity has improved over the years, however, most hacker exploits won’t work without credentials, login info, password, or other types of sensitive information. Here is where social engineering comes into play. Social engineering involves attempts to exploit the human side of cybersecurity by guessing or getting someone to inadvertently divulge information that could help a hacker break into a system. And if pen-testers are going to fully test a system’s vulnerabilities, they will have to do their own social engineering.
“The nature of the web means there are plenty of opportunities for recon: adding people on Facebook, phoning utility companies for personal information, creating elaborate and believable background stories,” asserts enterprise cloud and security authority Tamlin Magee in his ComputerWorldUK.com blog post, “What Is Penetration Testing? Meet The Security Pros Breaking Into Your Business For Cash.”
The information people share on social networking sites can reveal the names of children, pets, relatives, birthdates, favorite foods, movies, music, and other important personal information. More often than not, a person’s password will consist of elements of such information.
Social engineering also includes scenarios where the hacker (or pen-tester) will pose as IT support and “help” people fix their computers only to get their login credentials so the tester can later access the entire system.
Pen-tester Career Info
The Bureau of Labor Statistics (BLS) categorizes pen-testing under “Information Security Analysts” on its website. The duties required of pen-testers include:
- Monitoring organizations’ networks for security breaches
- Investigating violations
- Preparing reports documenting breaches and the extent of damage caused by each breach
- Conducting penetration tests
- Researching the latest trends in IT security
- Helping organizations plan and carry out a security policy
- Developing new and improved security standards and best practices
- Making recommendations to organizations’ senior IT personnel
The demand for pen-testers is rising steadily, especially with the recent increase in cyber criminal and hacktivist publicity over the past few years. Information security firms and practitioners are finding that they must maintain constant vigilance over the newest hacking skill sets released almost daily on the web. Companies involved with information security and pen-testing are looking for candidates with strong analytical and problem-solving skills, who have the drive to constantly stay on top of new developments in their field.
“Information security professionals are maturing just as the increasing sophistication of cyber-attack capabilities are demanding more experienced infosec professionals,” according to a 2016 Foote Partners, LLC Research Group press release.
Once hired by an information security firm or department, pen-testers can expect to make an average salary of $90,440, according to DataUSA.io’s Information Security Analysts page. The computer systems design industry employs more than twice as many pen-testers as any other industry. Wired telecommunications carriers pay their pen-testers a considerably higher wage than other sectors (almost $140,000 annually). And the estimated job growth over the next ten years is almost 18 percent, whereas the national average is only 6.5 percent.
Pen-testing is a demanding field that requires an incredible amount of attention to detail and dedication to keeping one’s skills current at all times. For those who have these rare qualities, penetration testing may be a career field worth serious consideration.
Maryville University’s online cybersecurity master’s degree offers advanced training in penetration testing, cybersecurity, mobile security, digital forensics, and malware analysis. All skills are learned and practiced in Maryville University’s virtual training lab.
Upon graduation, students may qualify for high-paying positions such as networking consultant, information security manager, pen-tester, security analyst, or network architect in some of the world’s largest tech companies. Check out Maryville University’s online Master’s in Cybersecurity page for more information.