Competent Penetration Tester – A Definition
A Penetration Tester is one who conducts a security-directed probe on an organization’s computer system or network to identify design weaknesses, technical flaws and vulnerabilities. The Tester then delivers a thorough report of detailed findings including risk ratings, root causes, observations, impact and recommendations both tactical and strategic. (A Penetration Tester is not some “reformed” hacker).
PERSONAL QUALITIES AND ABILITIES
The Penetration Tester has the following personal qualities and abilities:
- adherence to a code of ethics that demands behavior and practice beyond personal moral obligations.
- readiness to apply his knowledge and exercise his skills in the interest of others.
- good interpersonal skills and the ability to put employees at ease while conducting services.
- a good command of English, with oral and written articulation skills.
- the ability to put across technical issues to non-technical audiences.
- awareness of the legal issues associated with the services provided.
GENERAL SKILLS
The Penetration Tester has the following general skills in respect of Penetration Testing:
At Specialist Skill Level
- is distinguished by or measures up to the technical and ethical standards of Penetration Testing.
- is accepted by the public as possessing special knowledge and skills relating to Penetration Testing.
- has derived such knowledge and skills from research, education and training.
- in-depth knowledge and experience in providing Penetration Testing services.
- thorough competence derived from continuous training and wide-ranging practice of Penetration Testing.
- mastery in the art of Penetration Testing as evidenced by individual skill in the execution of such services.
SPECIFIC SKILLS
By virtue of attending courses, practical training, ongoing training, seminars, experience in the field and lecturing on the subject, the Penetration Tester would have gathered an array of skill sets for conducting Penetration Testing. The following is a listing of specific skills a Penetration Tester would have to have.
Skills Obtained Prior to a Formal Course
- A minimum of 12 months experience in networking technologies
- Sound knowledge of TCP/IP
- Computer hardware knowledge
- Knowledge of Microsoft packages
- Network+, Microsoft Security+
- Knowledge of Linux
- Specialist knowledge of Penetration Testing before attending an advanced (expert) course
Skills Obtained at a Formal Course
At a formal course the Penetration Tester should have obtained skills relating to:
Specialist Course
- Business and Technical Logistics for Penetration Testing
- Information Gathering
- Linux Fundamentals
- Detecting Live Systems
- Enumeration
- Cryptography
- Vulnerability Assessment Tools
- Hacking Windows
- Advanced Vulnerability and Exploitation Techniques
- Malware, Trojans, Viruses and Botnets - Sandboxes
- Cracking Wireless Networks
- Packet Sniffing - Session Hijacking
- Attacking the Firewall and IDS
- Attacking Databases
- Attacking Web Technologies
- Penetration Test Overview
- Refresher on The Attack Stage
- Core Impact (or similar): Initial Pen Test
- External/DMZ Assessments
- Wireless Site Surveying
- Attacking Bluetooth Devices
- Incident Response & Forensics
- Internal Penetration Testing
- Physical Security
- Delivering a Report
DOES CERTIFIED MEAN COMPETENT?
It is entirely possible for one to gather the above-mentioned skills through a formal course or self-study, sit for an examination, and receive a certificate attesting to the fact that one is a certified Penetration Tester. However, it would be a mistake to conclude that such certification equates to competence. The road to competence begins at the outset of the formal course and must include satisfactory answers to the following questions:
- At a minimum, does the course include all of the skill sets listed above?
- Are there laboratory sessions for demonstrations and practical project assignments?
- Are laboratories up-to-date in research and development in Penetration Testing?
- Do instructors benefit from being dynamically linked with consultants in the field?
- Do the instructors then pass down such benefits to students?
- Does the course promote process-centric skill sets rather than skills with toolsets?
- Does the course vigorously de-emphasize the practice of testing by running a few security scanners and submitting a report based on such results?
- On the subject of legal issues associated with testing, does the course include an awareness session?
- Do students understand the risk implications of Penetration Testing?
- Do students understand why high risk testing may be excluded from insurance cover?
- Does the course include contract preparation awareness, especially when an organization would want the Tester to take full responsibility for the effects of testing?
- Does the course coach how the Tester can put across technical issues to non-technical audiences?
The above questions require a resounding “yes” answer to satisfy the meaning of a certified and competent Penetration Tester.
MILE2 RESEARCH & ANALYSIS
Mile2 has been developing a worldwide team of security training experts following the threat to national and corporate security in the aftermath of 9/11. Utilizing trustworthy input from our global representation, we have done an analysis of major certifications relating to Penetration Testing. In the final analysis, our finding is that the Certified Penetration Testing Specialist (CPTS) course and the Certified Penetration Testing Expert (CPTE) course best meet and exceed the skills and issues outlined above. Moreover, CPTS and CPTE have been foremost in meeting military, government security agency, private sector and institutional specifications.
THE FINAL PROOF
The final proof is that CPTS and CPTE have come up to the very stringent US Military Specification (US MILSPEC) for security training requirements; we shall be happy to furnish such evidence.
© Copyright Mile2 UK, LLC 2007