Thursday, February 12, 2015

Going Pro

If you've read the previous tutorials, by now you should have a solid foundation in hacking. Clearly, hacking is very interesting. We're practically the ninjas of the 21st century. We can do the things others can't, and we're willing to do the things that others aren't, but it would be of no use if we didn't apply it. Our actions, not our abilities, show who we truly are.

So here we are at yet another tutorial :-)
We'll be taking a look at what exactly is required of a professional ethical hacker (or penetration tester) by analyzing a couple of job descriptions. Not everyone needs or wants to go pro. Hacking, when used the way it's meant to be used, is great as a hobby. But it can't hurt to know, right? So, below you'll find everything you need to know if you ever decide to make a living out of being the modern ninja that you already are.

Here's a fairly typical job description for a penetration tester. It contains a general description, requirements, additional information and qualifications, written in a formal manner.

-------------------------
Job Description #1

Work as part of a penetration testing team, taking direction from team lead(s) and executing directives in a thorough and timely fashion.
• Perform network and application penetration testing using combination of automated and manual exploitation and creative thinking; analyze results to determine false positives and provide actionable mitigations.
• Report vulnerabilities identified during engagements with possible solutions.

Requirements:
o A solid understanding of network penetration techniques, tools, and methodologies.
o Broad expertise with multiple operating systems such as Linux and Windows, and network services.(HTTP, Databases, WiFi etc.) and their inherent security issues.
o Provide input on security controls to prevent an attack from infiltrating company information or jeopardizing programs.
o Conducting Hands-On Web application penetration test.
o Ability to utilize common penetration testing tools: Metasploit, Nessus, Nmap, AppScan, and BurpSuite.
o Previous network penetration testing methods.
o Previous experience writing testing assessment reports.

Additional:
- Knowledge of TCP/ IP protocols and networking architectures.
- Knowledge of Web applications, databases, and Web server design and implementation.
- Knowledge of security development standards and projects, e.g. OWASP.
- Knowledge of open security testing standards and projects, e.g. NVD-CVE.
- Possession of excellent oral and written communication skills.

Required:
- Bachelor's Degree in any computer related field.
- English: Fluent

Preferred
- At least 2 years experience in Network Penetration Testing, Vulnerability Analysis, Application Penetration Testing.
-------------------------

Quite self-explanatory; you should be familiar with most, if not all, of the technical terms by now. Penetration testers usually work in small teams of around 4-5. There's a project lead who coordinates with the client seeking a security assessment of their network or product, and team members who specialize in different areas of penetration testing: automated, manual, application, web, network, to name a few. A team is given a product or a network, often with little or no prior information (a black-box test; the second job description below also mentions grey-box and white-box work, where the client hands over credentials, documentation or source code), and their job is to virtually break in and see how it goes. Ideally, every vulnerability and every exploitable weakness found is checked and reported. An important part of the job is writing reports on the penetration tests that have been performed. These reports should contain a human-readable summary of the pentest for the client's management, and a full technical description for the client's staff: what was found, where, how serious it is, how to reproduce it, and how to fix it.

Most of the time, clients also seek advice and direction on how to fix the vulnerabilities, if any are found. These may range from simply updating a piece of software or equipment to reworking the entire network layout and protocols. Most importantly, the pentesting team is trusted to stay within the agreed scope and rules of engagement: which hosts and applications may be tested, which techniques are allowed (the first job description explicitly expects manual exploitation, but a client may still forbid, say, denial-of-service tests or exploitation of production systems), and when testing may take place. They are usually given a stopping point as well: if they reach something that could be confidential, they must not go any further, but report it instead.
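The scope and stopping-point rules above are easiest to respect when they are checked mechanically before any scanner is pointed at a target. The following is an added example (not code from the original post, and not tied to any real client): it parses a hypothetical rules-of-engagement list of in-scope networks and explicit exclusions, using documentation address ranges constructed for the example, refuses anything it cannot classify, and produces the matching `--exclude` argument for Nmap, which is one of the tools the job description lists.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample rules of engagement for a hypothetical client
# (RFC 5737 / RFC 3849 documentation ranges, not real targets).
ROE_IN_SCOPE = ["203.0.113.0/24", "198.51.100.10", "2001:db8:10::/48"]
ROE_EXCLUDED = ["203.0.113.5", "203.0.113.200/30"]  # e.g. production DB, partner link


@dataclass
class Scope:
    """Authorized networks minus explicit exclusions."""
    allowed: list = field(default_factory=list)
    excluded: list = field(default_factory=list)

    @classmethod
    def from_roe(cls, allowed, excluded):
        # strict=False lets a host address like "198.51.100.10" become a /32.
        return cls(
            [ipaddress.ip_network(a, strict=False) for a in allowed],
            [ipaddress.ip_network(e, strict=False) for e in excluded],
        )

    def contains(self, target: str) -> bool:
        """True only if target is inside an allowed network and no excluded one.
        Raises ValueError for anything that is not an IP address."""
        addr = ipaddress.ip_address(target)
        if any(addr in net for net in self.excluded):   # exclusions win
            return False
        return any(addr in net for net in self.allowed)


def filter_targets(scope: Scope, candidates):
    """Split a candidate list into (in_scope, rejected), preserving order."""
    in_scope, rejected = [], []
    for t in candidates:
        try:
            (in_scope if scope.contains(t) else rejected).append(t)
        except ValueError:
            # Hostnames, typos, stray text: never scan what you cannot classify.
            rejected.append(t)
    return in_scope, rejected


def nmap_exclude_arg(scope: Scope) -> str:
    """Render the exclusions as an Nmap --exclude argument (Nmap accepts CIDR)."""
    parts = [
        str(net.network_address) if net.num_addresses == 1 else str(net)
        for net in scope.excluded
    ]
    return "--exclude " + ",".join(parts)


if __name__ == "__main__":
    scope = Scope.from_roe(ROE_IN_SCOPE, ROE_EXCLUDED)
    # Constructed candidate list, e.g. hosts discovered during recon.
    found = ["203.0.113.7", "203.0.113.5", "203.0.113.201",
             "198.51.100.11", "2001:db8:10::1", "intranet.example", "192.0.2.1"]
    ok, rejected = filter_targets(scope, found)
    print("in scope:", ok)
    print("rejected:", rejected)
    print("nmap", nmap_exclude_arg(scope), "-iL targets.txt")
```

Two design choices matter here: exclusions are checked before allowances, so a carved-out host inside an authorized /24 is never scanned by accident, and an unparsable target is rejected rather than silently passed through, because the safe default on an engagement is to do nothing until the scope question is settled with the client.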

Below is another job description for a penetration tester position. At first sight it is almost the same as the one above, but it contains subtle differences and describes the job from another angle.

-------------------------
Job Description #2

Job Summary:
Security consultant with a proven background in pen testing and vulnerability assessment domain to provide effective security analysis and risk mitigation.

Client Responsibilities:
► Perform network attack and penetration testing
► Perform internal and external vulnerability assessments
► Perform web application penetration testing (Black box, Grey box and White box)
► Use of various methodologies used in Attack & Penetration testing
► Develop and test exploits and scripts (PERL/Python/Bash Scripting)
► Perform log analysis, WASP, Secure SDLC, web application and security configuration reviews, code reviews
► Perform testing using OWASP and Secure SDLC standards
► Perform IT infrastructure/ Application Security configuration reviews
►► Interface with both external and internal clients
►► Manage task allocation, ensuring quality of the deliverables in line with industry standards and best practices.

People Responsibilities:
► Should be a good team player.
► Excellent Verbal and written communication skill.
► Should interface well with internal and external clients
► Strong analytical/problem solving skills.
► Should come up with innovative and smart ways of doing work, without compromising on quality
► Should prioritize and manage multiple tasks.
► Understand and follow workplace policies and procedures

Qualifications:
Knowledge and Skills Requirements:
► 2+ years of experience in penetration testing and vulnerability assessments.
► Good knowledge of OWASP and Secure SDLC standards
► Experience in using scanning tools and exploits.
► Experience in performing security code reviews.
► In-depth Knowledge of Linux administration, TCP/IP, Network Security.
► Experience in performing security configuration reviews of IT Infrastructure and security devices, OS, Databases etc.
► Good understanding of networking protocols and application communications
► Good communication skills both written and verbal.
► Good Presentation and customer interaction skills
► Good analytical capability
► Should be able to deliver and work with changes in the market.
► Ability to build and maintain relationships with a diverse group of clients and internal teams
► Preferred certifications : CISSP, OSCP, OSCE, GPEN, CEH, RHCE, CCNA, CCNP, MCS

-------------------------

As you can see, this one goes deeper. The last line lists some preferred certifications. These are courses or exams that a hacker takes to prove that s/he does indeed possess the required skills. CEH (Certified Ethical Hacker) is one of the most popular ones. Almost no bachelor's course contains anything above an elementary treatment of network or software security. These certifications are an attempt to standardize the process of becoming an ethical hacker, but as of now the majority of hackers are self-taught. I suppose that's the way it should be. Knowledge without passion is useless, and if there is passion, knowledge will always follow.

You'll notice the job description lists the requirement of good people skills more than once. That's because most of the clients we work with have little to no knowledge of penetration testing. It is the pentesters' responsibility to explain the findings in plain language for the client, and to provide concrete steps for the client's staff to follow in order to make their products secure.

So, if you ever decide to give professional pentesting a try, the requirements in the job descriptions above will be an excellent starting point. Most jobs these days require certification of some form, so it's a good idea to search for the ones that best fit your goals. Other than that, even as a hacking hobbyist, the process of expanding your knowledge is endless. Once again, I suppose that's the way it should be. After all, the day we stop learning is the day we stop living.