Security experts are, by the nature of their jobs, cautious creatures, which is why you’re unlikely to hear from one of these folk that security can ever be 100 per cent guaranteed. However, this does not stop true cyber security professionals from aiming high when it comes to delivering the best possible security infrastructure to their clients.
In this context, one of the most helpful services the IT security industry can provide is penetration testing. Pen testing differs from other security measures in that it proactively seeks to emulate the enemy. A penetration test simulates a real-world breach of IT security in order to demonstrate, or discover, vulnerabilities in a company’s IT infrastructure. A strong pen test brings home the bacon like no other IT security measure.
Finding out that you have a hole in your bucket is never a comfortable experience, especially for a CTO proud of his or her achievements. However, in this regard, a lot depends on the professional qualities of the pen tester, in terms of making it a smooth ride for the employer. There are plenty of penetration testing jobs going around, but high-quality pen testers are not so easy to find; it’s worth holding out, however, for the best during your IT security recruitment process.
One way of ensuring you get a great hire is to look out for someone who takes a smart approach to pen testing. Let’s look at the qualities of an effective pen tester in some more detail.
First and foremost, a high-calibre pen tester needs to be an excellent diplomat, able to deal with the misconceptions about pen testing that prevail in the business world. One such concern is that pen testing is unsafe and can have unintended consequences. The reality is that, with proper planning and careful scripting, pen testing is effective in the manner of a vaccine: it clearly demonstrates the harm an attacker could do, without actually doing that harm to the system. The argument must, however, be put diplomatically.
The pen tester must plan carefully, and work according to professional standards. For instance, a pen tester who adheres to ISO 27001, which requires that “management systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts” will be on the right track. A strong pen tester will follow a clear path, consisting, in summary, of four phases:
“Reconnaissance, enumeration, exploitation and documentation.”
More importantly, these phases will be effectively and concisely communicated.
Moreover, smart pen testers will stay flexible and adopt a fundamentally human stance. They carefully listen to what a company needs, and respond accordingly. They will not “go in with a war plan”, but work with the company to unearth harsh truths.
Finally, this human approach, with an amenable manner, should help plenty when it comes to performing the all-important social engineering part of a pen test. After all, an effective pen tester never forgets that human beings have to remember passwords, and can only too easily surrender them in response to a dollop of slick patter. Indeed, being aware of the all-too-understandable human frailties in an organisation is perhaps the most crucial aspect of an effective pen testing operation.