I’ve been in computer security for over 30 years, and no job has been more challenging and fun than professional penetration testing (a.k.a. pen testing or ethical hacking). You essentially get paid to legally break into computers or devices, and either outcome serves the client. If you get past the current defenses, you’ve given the client a chance to close the hole before a real attacker discovers it. If you don’t find anything, your client is even happier, because they now get to declare their product “secure enough that even paid hackers couldn’t break into it.” Win-win!
This is not to say that ethical hacking is always easy. It isn’t (but you don’t need a genius IQ, either). It also comes with its share of seemingly insurmountable challenges in particular scenarios. If you like getting paid to stay on the cutting edge of technology and break into things, however, then penetration testing is your dream job.
Hacker to penetration tester
Any hacker must take some common steps to become an ethical hacker, the bare minimum of which is to make sure you have documented permission from the right people before breaking into anything. Staying within the law is paramount to being a professional pen tester. All ethical hackers should follow a code of ethics that guides everything they do. The EC-Council, creators of the Certified Ethical Hacker (CEH) exam, publish one of the best public codes of ethics available.
Ethical hacking steps
1. Scope and goal setting
It is essential for any professional pen tester to document the agreed-upon scope and goals before testing begins. These are the kinds of questions regarding scope you need to ask:
- What computer assets are in scope for the test?
- Does it include all computers, just a certain application or service, certain OS platforms, or mobile devices and cloud services?
- Does the scope cover only certain types of asset, such as web servers or SQL servers, or every computer at the host OS level? Are network devices included?
- Can the pen testing include automated vulnerability scanning?
- Is social engineering allowed, and if so, what methods?
- What dates will pen testing be allowed on?
- Are there any days or hours when penetration testing should not be tried (to avoid any unintentional outages or service interruptions)?
- Should testers do their best to avoid causing service interruptions, or is doing anything a real attacker could do, including causing outages, a crucial part of the test?
- Will the penetration test be black box (the pen tester has little or no internal knowledge of the systems or applications involved) or white box (the tester has internal knowledge of the targeted systems, possibly up to and including the relevant source code)?
- Will computer security defenders be told about the pen test, or will part of the test be to see whether the defenders notice?
- Should the professional attackers (e.g., red team) try to break in without being detected by the defenders (e.g., blue team), or should they use the normal methods real intruders would use, to see whether those set off the existing detection and prevention defenses?
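Many of the scope answers above (in-scope networks, excluded hosts, test dates, blackout hours) can be written down in machine-readable form and enforced in the tester's own tooling, so that a typo in a target list never hits an out-of-scope production system. The following is an added example of such a rules-of-engagement guard; it is not code from the original article or from any pen-testing product. The `Scope` class, `check_target` function, client addresses (drawn from RFC 5737 and RFC 1918 documentation/private ranges) and hostnames are all constructed for illustration. The guard matches IP targets against CIDR ranges, matches hostnames only by exact listing (it deliberately does no DNS resolution), and lets exclusions and time limits always win over inclusions.

```python
"""Rules-of-engagement guard: refuse to test anything outside the documented scope.

Added example, not from the original article. The sample scope is constructed;
a real engagement would load it from the signed scope/authorization document.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import date, datetime, time, timezone


@dataclass
class Scope:
    """Machine-readable version of the agreed scope (hypothetical structure)."""
    in_scope_networks: list[str]
    in_scope_hosts: list[str]
    excluded_hosts: list[str] = field(default_factory=list)
    excluded_networks: list[str] = field(default_factory=list)
    start: date = date(2024, 6, 3)      # first permitted test date (UTC)
    end: date = date(2024, 6, 14)       # last permitted test date (UTC, inclusive)
    # (start, end) UTC times during which testing must not run, e.g. business hours.
    blackout_hours: list[tuple[time, time]] = field(default_factory=list)


def _in_any(ip: ipaddress.IPv4Address | ipaddress.IPv6Address, nets: list[str]) -> bool:
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def _in_blackout(when: datetime, windows: list[tuple[time, time]]) -> bool:
    t = when.astimezone(timezone.utc).time()
    for start, end in windows:
        if start <= end:                     # same-day window, e.g. 08:00-18:00
            if start <= t < end:
                return True
        elif t >= start or t < end:          # window wraps midnight, e.g. 22:00-06:00
            return True
    return False


def check_target(target: str, when: datetime, scope: Scope) -> tuple[bool, str]:
    """Return (allowed, reason). `when` must be timezone-aware."""
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime so the window check is unambiguous")

    # 1. Time limits first: outside the agreed dates or inside blackout hours -> refuse.
    utc = when.astimezone(timezone.utc)
    if not (scope.start <= utc.date() <= scope.end):
        return False, f"{utc.date()} is outside the agreed test dates {scope.start}..{scope.end}"
    if _in_blackout(when, scope.blackout_hours):
        return False, f"{utc:%H:%M} UTC falls inside a blackout window"

    # 2. Target identity. IPs are matched against networks; hostnames only exactly.
    #    No DNS lookup is done: a hostname that is not listed is out of scope even if
    #    it would resolve into an in-scope network (the client agreed to names, not guesses).
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        if target.lower() in (h.lower() for h in scope.in_scope_hosts):
            return True, f"hostname {target!r} is listed in scope"
        return False, f"hostname {target!r} is not in the agreed host list"

    # Exclusions win over inclusions, so a carved-out production box inside an
    # in-scope /24 is still refused.
    if str(ip) in scope.excluded_hosts or _in_any(ip, scope.excluded_networks):
        return False, f"{ip} is explicitly excluded from scope"
    if _in_any(ip, scope.in_scope_networks):
        return True, f"{ip} is inside an in-scope network"
    return False, f"{ip} is not in any in-scope network"


# Constructed sample scope for a hypothetical client.
SAMPLE_SCOPE = Scope(
    in_scope_networks=["192.0.2.0/24", "10.10.0.0/16"],
    in_scope_hosts=["app.example.test", "api.example.test"],
    excluded_hosts=["192.0.2.50"],           # e.g. the production database
    excluded_networks=["10.10.5.0/24"],      # e.g. an OT/ICS segment
    blackout_hours=[(time(8, 0), time(18, 0))],
)

if __name__ == "__main__":
    # Example run: a night-time window inside the agreed dates.
    night = datetime(2024, 6, 5, 2, 30, tzinfo=timezone.utc)
    for target in ["192.0.2.10", "192.0.2.50", "10.10.5.7", "app.example.test", "db.example.test"]:
        allowed, reason = check_target(target, night, SAMPLE_SCOPE)
        print(f"{'ALLOW' if allowed else 'REFUSE':6} {target:18} {reason}")
```

Wire `check_target` in front of whatever actually sends packets (the scanner wrapper, the phishing sender, the exploit launcher), and log every refusal: the refusals are useful evidence in the final report that the team stayed inside the agreed boundaries.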