In this interview, Raul talks about unusual and interesting situations he encountered while working as a penetration tester, outlines practical tips for those interested in a penetration testing career, lists his favorite tools, profiles his upcoming training workshop at SANS Secure Europe 2012, and more!
A great deal of newcomers to the information security field are fascinated by penetration testing. What advice would you give to those interested in making this their career path?
Penetration testing is one of today's cutting-edge information security topics, to some extent influenced by Hollywood, where the main movie character's goal is to break into some IT infrastructure or critical systems to save the world, and also somehow influenced by human nature, considering most people prefer breaking things (if they are given the opportunity to do so) versus fixing them.
After so many years as a professional penetration tester, I am glad I can feel still the excitement of breaking into a new network, system, application, or device, and still have the enthusiasm of discovering new vulnerabilities, and keep my interest on understanding and building new tools. However, newcomers must know this is the grateful part, and penetration testing also involves lots of, sometimes boring, repetitive tasks. You will face multiple disheartening situations where you spend many hours or even days trying to find a vulnerability to get in, and you do not succeed. Almost as you have lost hope of finding anything interesting, you end up finding that key element or flaw that compensates all the tough work.
In order to be a good professional penetration tester (and leaving social engineering apart) it is crucial to possess an in-depth technical background. You must love the technology and always be willing to learn about new things, that is the reason why I like to self-dubbed myself "the apprentice". The more you know and have played and tested how technologies work, the better. It is only through a thorough understanding of how things work, and an insatiable desire of learning all the details, that you will be able to find ways to manipulate them to make them work or behave in an unexpected way they were never designed for. This is the real out-of-the-box thinking and philosophy behind the original and positive hacking term.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.