What it’s like being a Penetration Tester/Ethical Hacker
By Lyan Ware Contributor
Penetration testers or ethical hackers conduct different types of cyber security assessments for their clients, figuring out their vulnerabilities by hacking into their networks and then offering their expertise on the proper ways to combat those vulnerabilities. Some pen testers work remotely, but depending on the client’s needs, they may have to visit the physical sites directly.
Some of the different assessments you will be expected to conduct include:
- Web applications
What to expect from each type of assessment:
- Network: When conducting a network assessment, pen testers will have to perform both an internal and external infrastructure penetration test. Internal assessments generally take a lot longer to conduct than the other assessments, sometimes twice as much time.
- Web Applications: Assessments of web applications can potentially be much more profitable, since clients will have numerous web apps that you can charge for individually versus charging for a singular network assessment. A tool like Burp Suite is highly recommended for web applications testing.
- Wireless: For a wireless assessment, you can expect to use an injectable wireless adapter to test a network’s password strength. You’ll also be assessing what kind of sensitive data you could potentially gain access to through the network.
- On-site/physical: These types of assessments usually involve trying to physically gain access to critical/secure spaces by sneaking into the building of the site itself. This can be done by acting friendly with the employees who might be on a smoke break, and then seeing if you would be able to walk in with them. Not everyone is comfortable with conducting this type of assessment, but they can be very exciting for a person who enjoys the thrill of the challenge.
- SOC: For an SOC assessment, your job will be to try and exploit the network and ask the client’s SOC team if they are able to find/see what you are doing.
A less fun aspect of being a penetration tester involves writing up the reports of your findings and debriefing the client on what you did and what steps they need to do after. Having competent communication skills will be a required skill for this job, since you will be expected to do reports and debriefs for every assessment you perform.
If penetration testing sounds like an exciting cyber security role for you, then a few of the tools you will be expected to know how to use include, but are not limited to: Nmap, Cobalt Strike, Nessus, and Metasploit.