Justin Christopherson
Doctor Armistead
CYSE – 201S
2 December 2023
Career Paper: Penetration Tester
The term penetration testing was coined in the 1960s by government agencies that had come to the realization that having so many people on one system posed an inherent risk. The National Institute of Standards and Technology defines penetration testing as “Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network.” On a day-to-day basis, penetration testers depend on social science research and principles. The primary social science principle that pen testers rely on is social engineering. Another principle they rely on is self-control. Lastly, though not exhaustively, they rely on their own determinism. The following will explain how penetration testers use social science research and principles to conduct daily operations.
Social engineering is defined by the National Institute of Standards and Technology as “The act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.” A penetration tester uses social engineering to do these things with one goal in mind: to circumvent the security of a company, which allows them access to said company’s systems. An example of this would be a penetration tester befriending the security guard of a major corporation and using that friendship to gain access to the building by asking to use the restroom. Once inside the building, the pen tester can then photograph access badges for IT personnel from a distance while walking back out, causing no suspicion. Armed with a photo, the pen tester can now make a replica of the badge and return on another day to again access the building. Once inside, the pen tester will be able to talk their way into restricted areas. This all relies on the principle that people are inherently trusting, and if they see what appears to be one of their badges, it puts them at ease.
At this point the penetration tester has gained access to restricted areas just by presenting a facsimile of a badge. Once in the restricted areas, penetration testers begin the real work of accessing the data of the corporation. The unforeseen problem with social engineering their way in is that it gives them the ability to become malicious. This is where the theory of self-control comes into play. “Self-control theory focuses on the inhibition of strong impulses.” Whilst they could receive fame and fortune for locking a corporation out of its systems, there are also the consequences of being thrown in jail. To prevent pen testers from going rogue, a corporation will have them fill out a contract that lays out what they can and cannot do. If they deviate from the contract, they risk jail time, and possibly loss of technology privileges.
One thing that has gotten quite a few penetration testers in trouble is their determinism. Determinism is defined as “occurrences in nature, or social or psychological phenomena are causally determined by preceding events or natural laws.” The pen tester is now in the system of the corporation and has exhibited self-control by not locking everyone out of the system. If there were a hiccup and initially the pen tester could not get into the system, their past may come back to haunt them. No one wants to be the pen tester that cannot effectively get into a system, so they become determined to get into the system. This is where penetration testers get into trouble, because once they deviate from defined parameters, they are again risking jail time.
Overall, social sciences and principles play a huge role in the daily operations of a penetration tester. To conduct the first phase of penetration testing, reconnaissance, a penetration tester must be able to identify the weak points of the social system; in this paper, that weak point was the security guard. Once this is complete and the pen tester gains access, the tester must exhibit self-control to keep themselves out of jail. If there is a hiccup, and there inherently will be, a pen tester could possibly get themselves in trouble because they become so determined to get in that they deviate from the assigned parameters.
Works Cited
Bin Arfaj, Bandar Abdulrhman, Shailendra Mishra, and Mohammed Alshehri. “Efficacy of Unconventional Penetration Testing Practices.” Intelligent Automation & Soft Computing 31.1 (2022).
De Paoli, Stefano, and Jason Johnstone. “A qualitative study of penetration testers and what they can tell us about information security in organisations.” Information Technology & People (2023).
Editor, CSRC Content. “Penetration Testing – Glossary: CSRC.” CSRC Content Editor, csrc.nist.gov/glossary/term/penetration_testing. Accessed 2 Dec. 2023.
Kelly Miller, BA. “What Is Self-Control Theory in Psychology?” PositivePsychology.Com, 26 Apr. 2023, positivepsychology.com/self-control-theory/.
Opedal, Olav. Comparing personality traits between penetration tester, information security, and it professionals from two cohorts. Diss. Capella University, 2019.
T. H. Szymanski, “The “Cyber Security via Determinism” Paradigm for a Quantum Safe Zero Trust Deterministic Internet of Things (IoT),” in IEEE Access, vol. 10, pp. 45893-45930, 2022, doi: 10.1109/ACCESS.2022.3169137.