Copyright © 2015 eLearnSecurity S.R.L. All rights reserved. This material may not
be reproduced, displayed, modified or distributed without eLearnSecurity's express
consent. For more information, please visit: www.eLearnSecurity.com.
Companies, governments, financial institutions, hospitals, military and other businesses are using advanced
technologies to store and process a great deal of confidential data on computers and mobile devices. These data
are transmitted across networks to other computers. Corporations pay a premium to safeguard records and
ensure that systems are protected.
An even more important sector, aside from companies and businesses, is national security. The government is
faced with threats from global cyber syndicates, hackers for hire, terrorists and state-sponsored hackers. It is a
different war as these crimes involve seeking state secrets, technologies, ideas and classified information.
Malicious attacks can be executed simply from a laptop, so practically anyone who has the knowledge and skills
to commit these crimes can do so from the comfort of their home. Therefore, it is a MUST to protect sensitive
information and avoid putting the business or organization at risk.
Having the right IT infrastructure is critical to strengthening cybersecurity, and there are three main classifications of
solutions to prevent various forms of cyberattacks: hardware solutions, software solutions and smart-thinking solutions.
Hardware Solutions: USB dongles, disabling ports, drive locks, mobile-enabled access, etc. provide the
physical assurance that networks and systems can only be accessed by authorized persons using these
devices.
Software Solutions: Viruses, worms, denial of service (DoS) attacks, phishing, etc. are some forms of
cyber-attacks, and countermeasures for them are anti-virus software, firewalls, intrusion detection &
prevention systems, data encryption, etc. Keeping software up-to-date is also necessary to constantly
combat new and advanced attacks.
One of the steps that companies take to ensure that their system is up-to-date is hiring a penetration tester.
This is where YOU come in.
A penetration test, also known in its short form as a "pentest", is the process that aims to evaluate the security of
one or more assets (such as the IT infrastructure, a web application, a mobile application, software and so on)
by running a series of planned attacks with the goal of finding and exploiting vulnerabilities.
The areas where a tester could get into a system during a penetration test can be very wide, ranging from testing
the Operating Systems or the appliance configurations to Social Engineering attacks that aim to 'exploit' human
vulnerabilities. But the penetration test is not only about attacks! A professional pentest includes proper analysis
and reporting with the goal of improving overall security.
A penetration tester is a professional who conducts the penetration test and creates one or more reports about
findings and vulnerabilities, classifies the severity of the risks (high risk, medium risk, low risk) and explains the
reasons behind these risks. An analysis report is created and delivered to the company, educating
executives and the IT department on what needs to be done in order to solve the researched security flaws.
As an important note, pentesters do not fix, but mainly report the vulnerabilities. They do not change anything
in the system; they report the weak spots.
A good pentester provides recommendations and advises on the most suitable and cost-effective countermeasures
to the vulnerabilities discovered. They can share their ideas on hardware, software and methodologies the
company should use, and help ensure the investments made for the company are worth it.
Reporting is an integral part of this job position. After identifying and classifying
the risks of the vulnerabilities, the penetration tester should be able to
communicate them at a CEO level, making sure that the report is understandable
to the C-Level Management of a company.
Not all of the management of a company speak IT. Hence, the pentester should
be able to explain the risks of these security flaws carefully and effectively,
avoiding jargon and presenting the report to the CEO-level audience that makes the final
business decisions.
There might be some confusion with the terms used to describe a penetration
tester. Sometimes, a penetration tester is referred to as an Ethical Hacker or a White Hat Hacker.
Among these terms, clearly, a penetration tester is far from being labeled as a
Black Hat Hacker. To help you understand better, here are the differences.
Black Hat Hacker: A Black Hat Hacker only needs to find a single flaw in
whichever area in a system, attacks it, and uses the information for
personal gain or in bad faith (e.g. stealing information, selling classified
data).
White Hat Hacker / Ethical Hacker: A White Hat Hacker (also termed
an Ethical Hacker) also finds a single flaw in a system, but uses the
information to help improve the system (e.g. reporting the flaw to the
company).
Hackers (whether Black Hats or White Hats) only need to find one
vulnerability and they attack everywhere. How they use the discovered vulnerability is
what differentiates one (White Hat = Good) from the other (Black Hat = Bad).
Penetration Testers, on the other hand, are the most skilled compared to Black
Hat Hackers or White Hat Hackers as they need to find ALL vulnerabilities. The
scope of penetration testers is focused on a particular area in a
system/network/application, yet they have to scan all possible doorways.
A penetration tester needs to think like a hacker and use many of the same techniques that a hacker does. But
unlike hackers, a penetration tester works under strict rules of engagement: you go into specific areas only, and
have limits on your actions. The purpose is to discover weaknesses, not break into the system for its own sake.
You are the professional here, and definitely the good guy.
We conducted research among penetration testers and asked them about the exciting and not-so-exciting
aspects of the job. We find it helpful for you to hear it from these practicing professionals, to give you better
insight into some of the pros and cons of pentesting. Here's what they have to say.
Note: Some of the penetration testers we contacted preferred to be Anonymous.
Summarizing the comments from various pentesters, the least favorite part is writing reports. On the other hand,
the most favored is the intellectual and challenging aspect of finding vulnerabilities and learning as you progress
in this career.
If you manage all the data and information you gather during an engagement correctly, and if you know how to
structure your report correctly, writing it can be easier.
According to a report by Ponemon Institute for CNNMoney, 47% of adults in the US had their personal
information exposed by hackers during the first half of 2014.
With the current situation in information security, businesses and organizations are hiring penetration testers to
test their networks, applications and computer systems. The demand for a secure environment could not be any
greater.
One of the great things about this job is that you do NOT need to have a college diploma/degree to become a
Pentester. However, you should have a deep interest in information security if you want to make it a career.
Penetration testing is a set of skills and in order to acquire this skillset, you can
Regardless of the source, the end result should make you confident to conduct a penetration test in the real world.
What do you do then when you do not have the experience? Gain it.
In the world of Information Technology, experience is an advantage,
especially when landing a job. Search for training courses that offer not
only theories, but also practical training that will prepare you for a
real-world penetration test.
There are a lot of things you can pick up online, but it is time-consuming
as resources are scattered everywhere. There are IT Security training
courses dedicated to penetration testing and they range from $50 to $10,000. It is good to find a course that properly explains the theories
and provides enough hands-on material with matching labs for you to
practice various exercise scenarios.
Exam certifications are available and it is up to you to find one that will
develop your skills to make you confident in conducting an actual
penetration test. A multiple-choice exam will test your acquired
knowledge, but it is more effective when you are tested based on
practical knowledge. Remember, you do not answer multiple-choice
questions when a company hires you.
A career in IT Security is one of the most in-demand jobs today. Having the skills to conduct security audits and
look into a company's network and system also carries a lot of responsibility.
Learning penetration testing can be done via coursework, and will enhance your value to the organization. But
you need to select the right course; you want one that gives you practical experience and a comprehensive
understanding of where threats come from. You also want a course that delivers a solid foundation to analyze all
the ways a hacker might breach your security using various techniques.