Penetration testers, often referred to as ethical hackers, are tasked to find and fix the vulnerabilities in networks, systems, and web-based applications. Their job is to help their employers (private companies, government agencies, SMBs) discover what malicious hackers could exploit to get access to data and systems. They often use the same tools and techniques that malicious hackers use as well as they try to apply the same mindset. Many companies are now hiring ethical hackers to run penetration tests routinely on their network; consequently, the market for these professionals is in continuous expansion.
IT security analysts, who are already or have decided to become legal hackers, might want to get a realistic insight into what the job entails and what is the life of a penetration tester beyond what’s portrayed in movies. To have a glimpse of the day-to-day life in the ethical hacking world, a professional cannot refer to books and courses; conferences and real-life examples are probably the most effective ways to come in contact with this peculiar part of the IT world.
Why Penetration Testing is Important
Penetration Testing has a significant Return on Investment for any companies. A good pentester can identify issues before they become problems by assessing vulnerabilities and possible procedural failures as well as measure the capability of the defense systems in place when under attack. They can then make improvement recommendations that, in the end, can save companies from having to pay the consequences of data breaches and systems failures during a malicious attack.
Penetration testers will simulate attacks, attempt to gain unauthorized access through technical and phishing techniques and circumvent security controls; they then provide feedback to their client (through Penetration Test Reports) about the infrastructures’ insecurities and advise on how to better secure networks and which countermeasures can be deployed to reduce risks.
The practical reason for hiring pen testers, aka “white hat” hacker is obvious. American security technologist Bruce Schneier says “defending [computer systems] often requires people who can think like attackers” with the ultimate goal of defeating them, uncovering potential insecurities and protecting systems before they fall in their hands. Their services are indispensable “to make sure a system is truly secure,” says Brent Conran, Security Magazine, who explained, “When it comes to hacking, it’s black or white. Or gray.”
Pen Testing and Ethical Hacking – Making it a Career
Is penetration testing a career worth pursuing? It’s a very interesting field for those who have a dedicated interest in IT Security and are fond of Ethical Hacking assessments using different toolsets for the sake to provide actionable feedback about a system’s robustness against attacks. To become a penetration tester, professionals will need to be not only knowledgeable but always remain up-to-date on latest security trends and attack methods. Those that are qualified and meet criteria may potentially earn a very good paycheck (see PayScale) – anywhere from $50,000 to $100,000 per year, or more, “depending on the company that hires you, and on your IT experience and education,” says Eric Geier, PCWorld.
Working in this profession requires appropriate job experience, the right skillset, standard occupational certifications (in hacking or penetration testing) and proper formal education as IT security analyst. Pentesting requires a lot of hands-on training and attendance of courses like ethical hacking training or a 10 Day Boot Camp style courses. InfoSec Institute’s Hacking and Penetration Testing Track, for example, can also help.
As Ellsmore, head of business development for Stratsec says: “What is necessary is a passion for the industry, […] Learn the tools, the techniques, and practice. Read constantly. Surround yourself with other people who are interested in the topic and learn from each other […] If you find it easier to learn with a ‘finish line,’ do some certifications specifically about pen testing, but don’t expect that to teach you all you need to know.” Those on the mission to become Penetration Testers or Ethical Hackers at a more advanced level will need to consider becoming a CPT Certified Penetration Tester (IACRB) or CEPT Certified Expert Penetration Tester (IACRB). The ethical hacking certification (Certified Ethical Hacker, or C|EH) from EC-Council, is a License Penetration Tester program also recognized worldwide.
Learn More about Pen Testing and Hacking – Why Not Attend a Conference?
Much knowledge can be gained attending security conferences where experienced speakers in the field talk about the purpose, goals, and desired outcomes of pen testing. To stay abreast of real-world pen testing trends today, professionals need to be fully involved in the computer hacking community and take part in events worldwide to stay current with the latest developments. Conferences are valuable and engaging experiences to receive training and education by industry pros, as presentations are not only informative but practical, and to share experiences and lessons-learned. One not only sees live examples but also learn how to simplify and speed up the pen testing process. It is also a setting where many come to learn of key changes concerning security testing services performed by some different third-party vendors.
The lectures from significant speakers at national and international security events allow attendees to engage in a discussion that makes them learn and progress in their career field. Just by simply talking about their latest experiences and challenges overcome, members of the audience can gain insight into best practices in penetration testing methodologies. Considering the common activities at hacker conventions and types of pentest topics covered and sessions available, the kind of participation from spectators can strike up many interesting conversations and exchange of info on What/ Where/ Why / and HOW pen testing can occur.
Often, hacking conferences also attract ‘wannabe-ethical-hacker’ security practitioners with an interest to know more about and understand the value of pen testing; many might revive their careers after attending such conferences and gain interest in this growing field.
An important conference has already taken place: the TROOPERS16, was held March 16-17 in Germany, but registration is already ongoing for the event scheduled for Troopers17 on 20-24 March 2017, the 10th-anniversary edition. It will be a week of hands-on training, roundtable discussions and multi-track conferences. The tracks will include latest research and attack techniques with input from the hacker community, infosec management and how to prepare for threats, SAP security and special topics that might include, as in 2016, Medical Devices, the Internet of Things, and Connected Cars.
The InfoSec World Conference & Expo 2016
The InfoSec World Conference & Expo 2016, instead, took place in Florida 06-08 April and had key speakers (like Joshua Pitts, Senior Penetration Testing Engineer, Okta and Tom Eston, Manager, Penetration Testing, Veracode) tell about some of the offensive techniques being used in pen tests today; over 1000 professionals attended from 20 different countries. Demonstrations were performed with an aim for the audience to learn how to strengthen their security, Tom Eston, Manager of Penetration Testing at Veracode, of the 2016 Advisory Board for InfoSec World 2016 Conference & Expo, said. Next year the conference will be held on 3-5 April 2017.
21st Infosecurity Europe 2016
Recently, at the 21st Infosecurity Europe 2016 conference, key speaker Ken Munro, Partner and Founder of Pen Test Partners (a UK-based firm of penetration testers) that is a CREST Registered Tester (CRT), showed to a crowd meaningful penetration testing at Stand E85 in London during June 07-09 event. Workshops and talks covered topics like Security & Risk Management, Malware investigation techniques, and Dynamic Risk Management. Next year’s event, probably in June 2017, promises to be another big success and should be on the radar of any pen testing professional.
In ShowMeCon, which is hosted and sponsored by ethical hacking firm Parameter Security and its training counterpart Hacker University is a Hacking & InfoSec Conference that plans to attract the best in the field; this year’s edition was held on June 13-14 and focused on giving the hacker’s viewpoint. Participants witnessed “live hacks and mind-blowing presentations by professional hackers and cyber security ninjas. […] By gaining insight into the mind hackers, you can better protect your networks and critical data.” Information on the 2017 edition is still not available.
Future Summits – More Opportunities to Participate
The Black Hat USA 2016 community event, open to one and all, from July 30 – August 4 at Mandalay Bay | Las Vegas, NV, brings the brightest professionals and researchers in the industry who will participate in hands-on technical training, followed by lectures on the latest research and vulnerability disclosures. For example, Wesley McGrew who currently oversees and participates in penetration testing in his role of Director of Cyber Operations for HORNE Cyber Solutions will be giving a 50-minute brief on “Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools”. Ofri Ziv, Research group leader, Guardicore, will give a 25-minute brief on “Unleash the Infection Monkey: A Modern Alternative to Pen-Tests” on the two scheduled briefing days (August 3 or 4).
For those unable to attend the USA summit, there’s Black Hat EUROPE 2016 Training/Briefing at the Business Design Centre, London, UK, from November 1-4 and Black Hat Asia 2017 Training/Briefing to be held in Singapore from March 28-31. The Black Hat Trainings offer attendees discussions on topics ranging from the latest in penetration to specific tracks in network defense. Speakers like Nikhil Mittal (a hacker, InfoSec researcher, speaker, and enthusiast, noted for interest in attack research, defense strategies and post exploitation research and his training/briefings on PowerShell for Penetration Testers for various corporate clients in US, Europe, and SE Asia) will be on hand at one of the summits to hold sessions that will give hands-on demonstrations on offensive security tactics and methodologies.
Ethical Hacking Training – Resources (InfoSec)
DEF CON 24
This is said to be the world’s best known ‘hacker convention’ and is held every year (since June 1993) in Las Vegas, Nevada, USA. This event linked to computer security/hacking is set to attract the hacker community this coming 04-07 August 2016; attendees will receive group presentations with village speaker workshops to feature talks on internal/external pen testing. Also, some of the guests are sure to take part in some fun contests (hacking tournaments) or obtain hacker merchandise.
Conference presentations with key speakers will take place September 15-16, 2016. This event presented by EC-Council Foundation is held annually in Atlanta, Georgia. Intended audience: ethical hackers, penetration testers, security analysts, and operatives in information security.
Some of the world’s best InfoSec gatherings at hacker conferences can be found abroad. For one,
ROOTCON 10 will be held in the Philippines on September 22-23, 2016. This annual summit has topics about information security and penetration testing; pen testers/ethical hackers come to discover new things, play challenging hacking games and learn new solutions, says Jay Turla, InfoSec Institute. It is the place to be for key talks by qualified speakers, demos, and info on new hack tools.
A Midwest InfoSec community summit and hacking conference that provides like-minded security researchers with an interest in hacking-related stuff and security counter knowledge will take place in Grand Rapids, MI on October 6-7, 2016.
t2’16 InfoSec Conference
The conference focuses on newly emerging InfoSec research with topics on code auditing and pen-testing and security and defensive strategies with a particular emphasis on safety-critical environments. This CON is held October 27-28, 2016 in Finland.
This annual conference for the hacker community, 27-28 October 2016 in Belgium, is an open-minded gathering of people discussing all things computer security who will be paying attention to current trends and issues; the summit will discuss and present security research on white-hat hacking and InfoSec-related defense or response techniques.
The hacker-run conference on 17-18 December 2016 in New Zealand will gather a crowd of professional penetration testers and security gurus with hacker-related presentations that build on enterprise security solutions designed to make it harder for attackers to take advantage of systems successfully.
Pen tests are the go-to tool to ensure today’s threats are not capitalizing on existing vulnerabilities, whether that be human mistakes, poor security policies, and planning or else the deployment of insufficient defense strategies. To defeat malicious hackers, organizations are hiring ethical hackers to conduct penetration tests to gain important insights into a company’s secure network to evaluate the effectiveness and adequacy of an IT infrastructure.
Pentesters are specialists in scenario-based penetration testing in a variety of applications, platforms and technologies and offer security services to clients that want to measure how effective their security is and where it needs work. The professional penetration tester’s goal is to provide a vulnerability assessment of various systems to improve the level of resilience to risks by making recommendations for addressing issues that might affect business.
As malicious hackers are always devising new ways to penetrate systems, it is important that these skilled IT professionals arm themselves with the most current knowledge. Conferences are the best way to share experiences and learn new tricks in the fight against online criminals.
Such hacker and pen test conferences are suitable ways to learn about cutting-edge techniques in pen testing from industry-leading experts who share their best tips and advice with others in the profession.
Computer Futures. (n.d.). The Growth Of Penetration Testing. Retrieved from http://www.computerfutures.com/en/news/articles/the-growth-of-penetration-testing
Conran, B. (2014, March 1). Why Not to Hire an Ethical Hacker. Retrieved from http://www.securitymagazine.com/articles/85263-why-not-to-hire-an-ethical-hacker
Dalziel, H. (2015, July 16). 10 ‘Must Go To’ Cybersecurity Conferences DEF CON, ToorCon, SchmooCon and more! Retrieved from https://www.concise-courses.com/security/conferences-top-ten-must-go-to/
Geier, E. (2012, February 15). How to Become an Ethical Hacker. Retrieved from http://www.pcworld.com/article/250045/how_to_become_an_ethical_hacker.html
Hacker Conferences Database. (n.d.). Major Hacker and Computer Security Conferences in the World. Retrieved from https://hacker-conferences-database.silk.co/
Pauli, D. (2011, June 27). Get a job: Ethical hacking. Retrieved from http://www.itnews.com.au/news/get-a-job-ethical-hacking-261568
Pearson, A. (2014, March 20). What is Penetration Testing and Why is It Important? Retrieved from http://www.securityinnovationeurope.com/blog/what-is-penetration-testing-and-why-is-it-important
Schneier, B. (2010, June 10). Hiring Hackers. Retrieved from https://www.schneier.com/blog/archives/2010/06/hiring_hackers.html