Security experts are, by the nature of their jobs, cautious creatures, which is why you’re unlikely to hear from one of these folk that security can ever be 100 per cent guaranteed. However, this does not stop true cyber security professionals from aiming high when it comes to delivering the best possible security infrastructure to their clients.
In this context, one of the most helpful services the IT security industry can provide is penetration testing. Pen testing differs from other security measures in that it proactively seeks to emulate the enemy. A penetration test simulates a real-world breach of IT security in order to demonstrate, or discover, vulnerabilities in a company’s IT infrastructure. A strong pen test brings home the bacon like no other IT security measure.
Finding out that you have a hole in your bucket is never a comfortable experience, especially for a CTO proud of his or her achievements. However, in this regard, a lot depends on the professional qualities of the pen tester, in terms of making it a smooth ride for the employer. There are plenty of penetration testing jobs going around, but high-quality pen testers are not so easy to find; it’s worth holding out, however, for the best during your IT security recruitment process.
One way of ensuring you get a great hire is to look out for someone who takes a smart approach to pen testing. Let’s look at the qualities of an effective pen tester in some more detail.
First and foremost, a high-calibre pen tester needs to be an excellent diplomat, able to deal with the misconceptions about pen testing that prevail in the business world. One such concern is that pen testing is unsafe and can have unintended consequences. The reality is that, with proper planning and careful scripting, pen testing can be deeply effective, but in the manner of a vaccine. No actual harm is done to a system, though potential harm is lucidly demonstrated. The argument must, however, be put diplomatically.
The pen tester must plan carefully, and work according to professional standards. For instance, a pen tester who adheres to ISO 27001, which requires that “management systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts” will be on the right track. A strong pen tester will follow a clear path, consisting, in summary, of four phases:
“Reconnaissance, enumeration, exploitation and documentation.”
More importantly, these phases will be effectively and concisely communicated.
Moreover, smart pen testers will stay flexible and adopt a fundamentally human stance. They carefully listen to what a company needs, and respond accordingly. They will not “go in with a war plan”, but work with the company to unearth harsh truths.
Finally, this human approach, with an amenable manner, should help plenty when it comes to performing the all-important social engineering part of a pen test. After all, an effective pen tester never forgets that human beings have to remember passwords, and can only too easily surrender them in response to a dollop of slick patter. Indeed, being aware of the all-too-understandable human frailties in an organisation is perhaps the most crucial aspect of an effective pen testing operation.
[su_box title=”About Ryan Farmer” style=”noise” box_color=”#336588″]
Ryan Farmer has worked at Acumin for the past five and a half years as a Senior Consultant and now a Senior Resourcer. With a strong understanding of the InfoSecurity industry and the latest market developments, Ryan sources leading information security candidates for some of the world’s largest End User security teams, start up security vendors and global consultancies.Ryan is heavily involved in the Risk and Network Threat forum, has a keen interest in Mobile Security and is an active blogger and InfoSec writer.[/su_box]
Information security, data protection, and compliance professional.
Blogger, writer, speaker.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.