A Penetration Tester (‘Pen’ Tester) or Ethical Hacker is the person you want attempting to break into your network, computer system, web or mobile application in order to find the holes before the criminals do. All organisations are riddled with vulnerabilities and the Pen Tester’s job is to find them so they can be fixed and thus lessen the risk of a cyber-attack.
Pen Testers will work on both external hacks, which are attacks coming from outside the organisation, and internal hacks, in which case the network has already been breached. The methodology for treating them is essentially the same but the tools used differ slightly. For external hacks, a Pen Tester will utilise tools like Metasploit, Nessus, and Nmap while for internal hacks they’ll be looking at tools such as Kiwi, responder, and Incognito. With these tools under their proverbial belt the process will see them gather information and scan the system/app/server/network to reveal the points of weakness that the Pen Tester will then cover in their report to the client.
The Pen Tester or so-called ‘white hat’ hacker is a computer security expert whose aim is to break something down to its bare bones in order to see if it can still run properly. They’ll be looking for an app, for example, to do unexpected things and glitch, which serves to expose its weaknesses which they can then investigate further to see the extent to which a ‘black hat’ hacker, or malicious hacker can cascade a larger attack.
You will find that some Pen Tester jobs exist within a company’s internal security team, though many outsource the function to consulting or professional services firms.
It may be surprising to learn that for this type of cyber security job, the hours are relatively mundane with most Penetration Testers working a 9-5 day. As for what the day itself holds for someone working in penetration testing, the mornings will typically start out relatively busy with the testing kicking off from the outset. Much of the day will be spent testing, punctuated by client meetings aimed to ensure everyone is on the same page.
With a project manager at the helm, Penetration Testers will work on projects for anywhere between 3-5 days to 2-3 weeks depending on the size of the client and the specific engagement.
Depending on the day, working in cyber security as a Pen Tester could see you addressing wireless assessments, external and/or internal network assessments, social engineering, and web application assessments among other things. In fact, web app pen testing is proving to be a pretty lucrative branch of cyber security on its own merit with plenty of opportunity for those looking for Ethical Hacker jobs. For those targeting web application Pen Testing jobs, a key tool to have in your arsenal is Burp Suite or Burp Suite Pro.
In addition to the technical duties, there is also the report writing and debriefs which accompany every engagement as the pen tester conveys his or her findings to the client to help improve their security.
Each week will see a Pen Tester apply him or herself to a different system, different software, and tools as they work on mobile applications, web applications, cloud applications and so on. It’s the kind of job that has its proponents consistently learning on the go.
Aspiring penetration testing experts should have a basic understanding of tech, from navigating networking protocols and being familiar with the likes of TCP/IP (Transmission Control Protocol / Internet Protocol) and ARP (Address Resolution Protocol) as well as being able to read code or program a small app. Penetration Tester jobs require individuals to be inherently curious as their job centres around how things work and how to break things down. In this respect when you spend your days trying to break things, the nature of the game means you will come up against the defences an organisation does have in place to prevent intruders. So, it’s important to be prepared to persevere and to expect to spend more than a few hours in front of a computer screen.
That being said, with all the hard graft involved when working on a project, breaking through a firewall or similar is even more rewarding when it eventually happens. Certainly, it’s working as a Penetration Tester is the type of job that keeps you on your toes.
You may also be interested in the below articles: