16 Sep A day in a life of pentester
A day in a life of pentester
There is a common belief in the cybersecurity domain that no system is attack proof and all organisational cybers security systems have some of the other vulnerabilities. Sometimes the organisation cannot detect these vulnerabilities until an attack has occurred, which leads to extensive losses. The penetration testers put themselves in the position of the attackers to find threats and vulnerabilities of the system before the bad actors or the hackers do.
What is penetration testing?
Penetration testing encompasses a variety of manual and automated techniques to simulate an attack on an organisations security system. Penetration testing tries to circumvent the cybersecurity controls and gain unauthorised access to the organisation’s system to detect known and unknown vulnerabilities. Pen tests also involve simulating human-based social engineering attacks against the organisation’s employees to find out in what ways people working or connected with an organisation could put the organisation at risk.
What does a pen tester do exactly?
An ethical hacker generally conducts penetration testing or a pentester who tries to break into the corporate security system and identify known and unknown vulnerabilities before an actual attacker or a malicious actor does. The pen tester primarily carries out an active analysis of the target system to identify any potential threats or vulnerabilities resulting from improper system configuration, system infrastructure flaws, or operational incompetencies.
Ideally, penetration testers have a technical background in engineering, physics, mathematics, information technology, and computer science. However, you can be a pentester who is completely self-taught. But to work as a professional pentester, you at least need certain certification courses.
Besides technical abilities, pen tester’s also need cognitive and emotional ability to succeed. The most important ability is to think outside the box to find loopholes in specifications, internal threats or simply unexpected usage. A pen tester should think through all the different types of scenarios and threats to a system and how to test them.
Finally, patience, curiosity, time management and overcoming frustration or failure by being persistent is important for a pen tester since a large part of the work is theorising and speculating how to bypass access controls, which involves a lot of trial and error.
The typical day of a pen tester varies depending upon the scope but mainly involves planning and launching penetration tests, noting down reports of the test, documenting and making a presentation of the pen test results and finally acting as a counsellor and making recommendations or advising the organisation in making security improvements. Based on the type of assessment and other engagements, a pen tester’s day revolves in and around internal and external pen-testing. During am internal pen test, the tester sets up the tools and collects open-source intelligence (OSINT) used to launch attacks. External penetration testing is testing the organisation’s externally located assets. The external process involves collecting intel on open ports, detecting vulnerabilities and threats and finding leaks to launch the attack. Once they’re in, they can move on to the internal pen test. Internal tests involve more detail and complexity, whereas external pen tests are more introductory.
Common tools that pen testers use
Pen testers have a variety of commercial and open-source tools at their disposal. In some cases, based on the complexity and scope of the project, testers can also develop their own homegrown tools. The commercial and open-source tools include port scanners, network scanners, vulnerability scanners, web application scanners, mobile application scanners, decompilers, debuggers and fuzzers.
Homegrown tools are designed keeping a specific project in mind, which generally includes integrating different tools and forming new test cases. Pre dominantly python and PowerShell scripts are used for homegrown tools.
Primary duties and job responsibilities of a pentester
Planning penetration tests: The first and the most important step is planning penetration testing to find vulnerabilities and existing security problems and lapses. Pen testers use the existing tools or design their overload tools depending upon the project to launch an attack. This step also includes project management and time management steps.
Executing penetration tests: This is ethical hacking and simulating attacks from outside to detect internal vulnerabilities and threats. This helps in preventing breaches and building a strong security system.
Advising and making security recommendations: By preparing a detailed report on the vulnerabilities, the pen testers can recommend certain security measures to address the system’s weaknesses and threats. The main responsibility in this stage is to mitigate weakness and build a strong security system.
Documenting and preparing reports: The test reports are generally documented, and the findings are presented to the organisation to act as a reference point to further build a robust security system and prevent future attacks.
Mount incident responses: Although this is not a primary job of a pen tester, the first 48 hours is critical after an attack. Hence, having a pen tester file an incident report may limit the damages.
Track new cybersecurity developments: The threat landscape is forever changing, and the malicious attackers are finding new and different ways to breach the system. The penetration testers should keep themselves updated about the evolving threat landscape and emerging threats by following professional publications or completing certifications.
Problems and perks of being a pentester
The main problem that pen testers say they have is the limited amount of time and the limits of engagement about a problem. Due to time and engagement constraints, they cannot dig deeper into a problem. Also, the constant interference of the clients also affects the engagement timeline and the test process, as altering the scope of the project often means redoing the entire project again. On the other hand, being a pentester is often rewarding, as although the pen testers carry out an attacker’s job and prevent an actual attack from taking place. The general consensus among the pen testers is that the field is like any other complex and intricate field and requires continuous learning.