Career Paper – Pen Tester
The field of penetration testing within a red team is one that has always interested me. It is a challenging and constantly changing environment where testers are faced with a range of client challenges. A pen tester is essentially a gun-for-hire that specialize in validating an organizations security posture or finding vulnerabilities that could be exploited. It can be a difficult career due to the ever-changing nature of attacks; equally it can be very rewarding because every contract brings new challenges.
Pen testers should be familiar with a suite of programs in order to be successful. These programs include but are not limited to Wireshark, Hashcat, John the Ripper, Kali Linux, Metasploit, and Nmap. Every program they are proficient at increases their ability to find more vulnerabilities. They also have tools such as Rubber Ducky and Flipper Zero which gives them less conspicuous abilities when they do physical pen tests. Additionally, they should have certifications that not only prove they can operate as a tester but are current in their knowledge. PenTest+ from CompTIA and OSCP cert from OffSec are a few of the certifications that can verify the testers capabilities. However, pen testers require a lot of different skill sets to be successful; relying on technical skills alone is not enough. Some pen testers should also have skills that an unethical hacker would have such as social engineering skills which is the most common ability that hackers use to commit cybercrimes.
Social engineering is a complex and multifaceted field that requires an in-depth understanding of human behavior, psychology, and sociology. By leveraging the principles of these disciplines, both ethical and unethical hackers can manipulate people’s trust and exploit their vulnerability to gain access to sensitive areas that would otherwise be off-limits. In essence, social engineering allows attackers to exploit to weakest link in any security system, namely the human factor. Therefore, a successful pen tester must have the same social engineering skills that an unethical hacker would have, as it is a critical component of identifying vulnerabilities and providing effective recommendations for remediation.
When it comes to marginalized groups, I believe there is a need for incorporating a diverse range of people as pen testers. The advantage of having people from all walks of life increases the effectiveness of any pen testing team. And while this may be a personal observation, it seems that organizations mainly focus on a person’s technical skills, rather than considering the value that a diverse team could bring to the table. While strides have been made to improve opportunities for everyone regardless of race, gender, religion, etc. there is still much work to be done.
Pen testers play a critical role in improving the overall security posture of organizations they are hired to test. Their work helps to identify vulnerabilities and weaknesses in systems and applications and provides recommendations for remediation. Ultimately, this process helps organizations improve the confidentiality, integrity, and availability (CIA) of the data within their responsibility. By identifying and addressing vulnerabilities, pen testers help to reduce the risk of cyberattacks and data breaches which could have devastating consequences for organizations and individuals alike. In this sense, the work of pen testers is an important contribution to society, as it helps to improve the overall security of the digital landscape. By enhancing security measures and protecting sensitive data, pen testers contribute to the greater good and help to create a safer and more secure online environment.
References:
https://journals-sagepub-com.proxy.lib.odu.edu/doi/full/10.1177/0162243921992844
https://www.packetlabs.net/posts/4-effective-techniques-for-social-engineering-penetration-testing/
https://redteamer.tips/so-you-want-to-be-a-pentester-and-or-red-teamer/