Q&A: Penetration testing
by Mirko Zorz - Wednesday, 26 August 2009.
Thomas Wilhelm is an associate professor at Colorado Technical University, is also employed at a Fortune 20 company performing penetration testing and risk assessments, and has spent over 15 years in the Information System career field. In this interview he discusses the interesting world of penetration testing as well as his latest book - Professional Penetration Testing: Creating and Operating a Formal Hacking Lab.

Many entering the field of computer security are fascinated with the prospect of working as penetration testers. In your opinion, what are the prerequisites one has to possess in order to become good at this job?

From a personal perspective, an inquisitive mind and thirst for knowledge are critical to perform penetration testing. An inquisitive mind will want to discover how things work and how they can be broken, while a thirst for knowledge will make the long hours of research possible.

From a Human Resource perspective, it used to be that penetration testers had to have years of experience to compete for a spot on a pentest team. Recently, I have seen requests from companies that are looking for college students with zero practical experience to fill security positions. This shift indicates two possibilities: One, that security professionals are in short supply; and two, pentest engineers can be trained. Not too many years ago, the methodologies behind penetration testing were considered obscure and simply not understood by corporate management. Today, companies are understanding the need for "red team" attacks, and are able to grasp the processes behind such assessments.

In terms of the future, it is probable that the prerequisites for a position as a professional penetration tester will include college and certifications. And speaking of college, I cannot emphasize enough the value of writing and communication. Students interested in becoming penetration testers will spend a lot of their time documenting their findings and explaining the results in a manner that must be persuasive and understandable by those not familiar with information technology. English classes are your friend - trust me.

What are the main ethical concerns surrounding penetration testing?

Sometimes "ethics" is viewed as an obstacle to the actual attacks during a professional penetration test; the idea is that the black hats don't follow any ethical patterns when attacking a system, so ethics can only prevent a "good guy" from really understanding the risks to a system or network. This isn't a strong argument, since there aren't too many restrictions in a pentest, other than those that might jeopardize the continual operation of production systems; even then, the types of attacks that can disrupt a network or system typically fall under the umbrella of Denial of Service (DoS) attacks. The susceptibility of a system to a DoS attack is often a risk that the system owner acknowledges beforehand. Therefore, ethics doesn't really become an overwhelming issue in the actual attacks against a system (other than expanding the scope of the attacks without permission).

