Pratum Blog

People often comment that penetration testing or ethical hacking must be one of the coolest jobs around. You get to hack into computers, sneak into secure facilities and create all sorts of mayhem, legally. Kind of like a geeky James Bond. I’ll admit, I love what I do. It’s a lot of fun. What most people don’t understand, though, is that the fun portion is really only about 25% of a given week. If you’re thinking about a career in information security, let me list some of the other “un-cool” tasks the team and I do for every one of our awesome hacking sessions or social engineering tests.

  1. Constantly reviewing journals, web sites, Twitter feeds and other sources for new vulnerabilities, exploits or attack vectors that have changed since…well, yesterday.

  2. Fully documenting our procedure and the test to be run to ensure the client’s systems are correctly scoped and we don’t overstep our bounds, thereby creating an unexpected outage and lost revenue for the customer.

  3. Researching every nuance of a customer’s business to ensure we are able to find entry points to their systems which they either don’t even know about or have long since forgotten.

  4. Constantly providing verbal or email updates to the client so they are fully aware of our progress and engaged during the process.

  5. Taking copious notes and screen shots, documenting specific payloads used, monitoring bandwidth and system response times, or tweaking tool configurations about 150 times to ensure a test completes successfully.

  6. Spending hours poring over the notes, scan results, system configurations, data flow diagrams and other documentation to make sure vulnerabilities discovered are real and exploitable.

  7. Drafting initial reports of the findings, reviewing these findings with the customer, explaining why a system or facility is vulnerable, negotiating the severity of the issue in the given context and drafting the final report.

  8. And my favorite…listening to a client complain when the test of the same system 6 months later reveals a host of new vulnerabilities even though “nothing significant” in the system changed, except for an upgrade of the database version, some “minor” code tweaks, two firewalls that were replaced with new vendors, and oh…part of this is now outsourced to a third party.

Yep…this job is WAY fun!

The moral of the story is this. You have to love what you do. All, or at least most, of it. If you’re not a detail person, or you don’t want to communicate with your team or clients, or you hate taking notes or writing 5 to 25 page reports, or any of the other things I listed, this might not be the career for you. You’ll spend far more of your time doing those tasks than the “cool” stuff. If, however, most of this sounds like a challenge and an adventure, then I’d encourage you to dig deeper into the profession.

Penetration testing is one of the fun aspects of a career in information security. Organizations pay us to hack into their systems. We break it, they fix it. A sweet gig if you can get it, one might say. The problem is nobody really seems to understand what a penetration test is or how it differs from a vulnerability scan. Here are some of the quotes I’ve heard in the past.

“We want a penetration test but don’t want you to send any exploits down the wire.” Huh?

“For this test, DDoS, brute force, man in the middle and SQL injections are out of scope.” What?

“Please don’t perform any attacks that could lead to a system outage or data corruption.” Really?

I hope you see my point. I’m going to share it with you anyway. Penetration testing engagements that have lots of rules around them aren’t pen tests. They’re scratch and sniff tests. Would you take a used car you want to purchase to a mechanic and say, “Test it out and let me know if I should buy it, but don’t drive it, turn it off or look under the hood”? Of course not. But that’s what happens a lot during ethical hacking engagements. The bad guys don’t work within predetermined boundaries. If you handcuff your penetration tester, you will only get a partial picture of your security posture.

Here are some recommendations if you’re considering a penetration test and are really worried about causing an outage or corrupting data.

  1. If you’ve never done an ethical hack, start with a vulnerability scan. They are typically less intrusive and safer to run. You won’t get a good feel for all the bad things that can happen, and you will have lots of false positives. But at least you’re less likely to have an outage. This is actually one of the first stages of a penetration test anyway.

  2. Consider running a penetration test against a test environment first. Ensure your test environment mimics production as closely as possible. It’s still not going to be a 100% accurate test, but at least you’ll get an idea of where you are and can ease into a production system test.

  3. Use a professional ethical hacking firm (insert shameless plug for Pratum here) that has lots of experience testing systems in a way that attacks vulnerabilities in a controlled fashion. While there is always a chance for bad things to happen to a system during a penetration test, it’s better when it happens under the controlled supervision of a skilled ethical hacker and your system admins or developers.

We don’t mind doing scratch and sniff types of penetration testing when our clients request it. We educate them well on the limitations of this type of testing. Sometimes they opt for it based on risk management decisions. Sometimes time or financial constraints are the drivers. Other times they opt for a full blown test. We just want you to be well informed so that you can make the right decision for your organization. The term ethical hacker doesn’t always translate into ethical businessman or woman. Know what you’re getting for your money and ask lots of questions about a firm’s experience and process before signing up for a test. Make sure you clearly communicate your expectations to your tester as well, so there are no surprises for either party during the test. There’s nothing worse than a tester assuming a client knows things can go south quickly, and a client that assumes their hired gun has advised them of all the risks.

Editorial Note: There is no educational value in this post. Only a funny story about a cyberwar breaking out at the Nelson house.

At the Nelson household we start kids on computing pretty early. My 4 year old can outmaneuver his mom on her own smartphone. In fact, he once pulled it away and clicked through to get Angry Birds by himself because she was lost in the menus. The kids and I were all amused. Mom was not.

By age 8 each of our children gets their own account on the computer and an email address. Now, this account is very restricted and email is whitelist only. I teach them about responsibility for activity on their accounts and that they need to protect their passwords. As they show more responsibility over the years, we begin to ease the restrictions but still monitor their activity. As we’ve had discussions about this, my three oldest became very interested in my job this year. They find it cool that people pay us to hack into their computers. My 6 year old thinks it’s awesome that we get to break stuff and don’t have to fix any of it.

We’ve talked a little about information security, protecting our privacy, chatting and instant messaging behavior, etc. In fact, my daughter texted me this week to ask if she could install a game on her Galaxy Player. The message was short and simple but made me very proud. “Dad…can I install (insert game here)? It doesn’t require my location information.” I was actually proud of myself that I was raising such a security savvy bunch.

Reality hit later that night. My daughter came over yelling that her brother had “hacked” her Galaxy Player by memorizing her pattern password. He said that was in retaliation for her brute forcing his computer password. (For the record: brute force in this case is 3 attempts against a pretty easy password.) So now I’m charged with negotiating a cease fire and treaty in this new cyberwar. We went from good, security savvy net citizens to little hackers in a matter of hours. Perhaps I should have started my security indoctrination courses during late night bottle feedings. Somehow I think mom would have frowned on that.
