I have had the privilege of working with some great IT auditors, penetration testers (pen-testers), ethical hackers and social engineering experts. I have worked for them, worked with them and many have worked for me. Here are ten personality factors, skill assets, behavioral nuances and simple things to look for in beefing up your security to a level that gives you rock solid protection against cyber terrorism:
- You need the individual that stops at nothing until he finds something. Picture the soda-chockablock, smoke-filled dark room in some foreign country where multiple people spend nights on end trying to break into your company via IT security vulnerabilities. A successful penetration tester or IT auditor is relentless. Key takeaway: gumption, determination, endurance.
- You need the individual that knows how to dig IT penetration holes even through big rocks in the virtual soil. What does this mean? Think about the last time you tried to plant a tree or a bush or some flowers and hit rock just beneath the soil. The metaphoric connection is this: a great penetration tester does not stop when the going gets rough, when it appears that a vulnerability does not exist or that a vulnerability cannot be exploited.
  - Probe to see if there are other servers (mismanaged and unknown) that belong to the client.
  - Use tools to enumerate subdirectories on each and every server.
  - Use the Back In Time Machine to see what historical data may still exist but is simply no longer linked to.
  - Use Google dork searches.
  - Use Google cache to see older versions of pages which may contain compromising data.
- A great penetration tester respects the graphical user interfaces of popular tools but can also execute requests from the command prompt with products like SQLMap.
- A great penetration tester knows what SQLMap is and that it now has the ability to spider and to accept Google dork commands to locate potentially vulnerable pages.
- A great penetration tester knows how to at least read and modify Perl, Python and shell scripts.
- A great penetration tester knows how to categorize the severity and priority of findings, despite what commercial scanners may indicate (e.g. reflected XSS versus stored XSS).
- A great penetration tester knows how to talk to senior management when needed in a way that makes the issues clearly understood.
- A great penetration tester knows how to talk to IT staff in a way that is respectful, collaborative, helpful and meaningful, while providing remediation suggestions.
- A great penetration tester knows how to write a polished report that not only informs executive management of security issues and concerns, but also provides the verbose data behind the summary and the raw data to back it up.