2015 – Ten Signs of a Great Penetration Tester

ten personality factors, skill assets, behavioral nuances and simple things to look for in beefing up your security

I have had the privilege of working with some great IT auditors, penetration testers (pen-testers), ethical hackers and social engineering experts. I have worked for them, worked with them, and many have worked for me. Here are ten personality factors, skill assets, behavioral nuances and simple things to look for when beefing up your security to a level that gives you strong protection against determined attackers:

  1. You need the individual that stops at nothing until he finds something. Picture the soda-can-strewn, smoke-filled dark room in some foreign country where multiple people spend nights on end trying to break into your company via IT security vulnerabilities. A successful penetration tester or IT auditor is relentless. Key takeaway: gumption, determination, endurance.

  2. You need the individual that knows how to dig penetration holes even through big rocks in the virtual soil. What does this mean? Think about the last time you tried to plant a tree, a bush or some flowers and hit rock just beneath the soil. The metaphoric connection is this: a great penetration tester does not stop when the going gets rough, when it appears that a vulnerability does not exist, or when it appears that a vulnerability cannot be exploited.
  3. A great penetration tester does not trust the inventory of IT assets provided by the client until that list has earned trust through stringent testing. Unless otherwise dictated by the client, the tester will:


    • Probe to see if there are other servers (mismanaged, forgotten or simply unknown to the client) that belong to the client.
    • Use directory-brute-forcing tools to enumerate subdirectories and files on each and every server.
    • Use the Wayback Machine (archive.org) to see what historical content may still exist on the servers but is no longer linked to.
    • Use Google dork searches.
    • Use the Google cache to see older versions of pages, which may contain compromising data.
  4. A great penetration tester respects the graphical interfaces of popular tools but can also run requests from the command line with products like SQLMap.
  5. A great penetration tester knows what SQLMap is and that it can now crawl a target (the --crawl option) and take a Google dork as its target list (the -g option) to locate potentially vulnerable pages.
  6. A great penetration tester knows how to at least read and modify Perl, Python and shell scripts.
  7. A great penetration tester knows how to categorize the severity and priority of findings independently of what commercial scanners may indicate (e.g. reflected XSS versus stored XSS).
  8. A great penetration tester knows how to talk to senior management, when needed, in a way that ensures issues are clearly understood.
  9. A great penetration tester knows how to talk to IT staff in a way that is respectful, collaborative, helpful and meaningful, while providing remediation suggestions.
  10. A great penetration tester knows how to write a polished report that not only informs executive management of security issues and concerns, but also provides the detailed findings behind the summary and the raw data to back them up.
In my mind, this is the individual I would want on my “Red Team” to get the job done!
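Item 3 above lists the steps a tester takes before trusting the client's asset inventory: look for hosts the client did not mention, enumerate directories, and mine the Wayback Machine for content that is no longer linked. The script below is an added example written for this page, not code from the original post or from any tool it mentions. It assumes a constructed CDX snapshot in the shape of the Wayback Machine CDX API's JSON output (a header row followed by rows of fields) and a stand-in fetch function in place of a real HTTP client, so it runs offline; the host names, paths and the SENSITIVE_HINTS list are illustrative. The directory enumeration includes the soft-404 check a practitioner needs, because many sites answer 200 for every path.

```python
"""Recon helpers for the 'trust nothing the client hands you' step.

Added example, not code from the original post.  SAMPLE_CDX is constructed
data in the shape the Wayback Machine CDX API returns with output=json
(hypothetical hosts and paths); fake_fetch stands in for an HTTP client so
the whole thing runs without network access.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: what a CDX query for *.example.com might return.
# The first row is the header row the API emits with output=json.
SAMPLE_CDX = json.dumps([
    ["original", "statuscode"],
    ["http://www.example.com/", "200"],
    ["http://www.example.com/about.html", "200"],
    ["http://www.example.com/admin/", "200"],
    ["http://www.example.com/backup/site-2013.sql", "200"],
    ["http://dev.example.com/", "200"],
    ["http://old.example.com/phpinfo.php", "200"],
    ["http://www.example.com/gone.html", "404"],
])

# Illustrative path fragments that warrant a closer look in archived content.
SENSITIVE_HINTS = ("admin", "backup", ".sql", ".bak", "phpinfo", ".git", "config")


def parse_cdx(cdx_json):
    """Return (host, path) pairs for archived captures that were served with 200."""
    rows = json.loads(cdx_json)
    hits = []
    for original, status in rows[1:]:          # skip the header row
        if status != "200":
            continue
        parts = urlsplit(original)
        hits.append((parts.hostname.lower(), parts.path or "/"))
    return hits


def unknown_hosts(cdx_hits, client_inventory):
    """Hosts that appear in the archive but are missing from the client's list."""
    known = {h.lower() for h in client_inventory}
    return sorted({host for host, _ in cdx_hits if host not in known})


def unlinked_paths(cdx_hits, current_sitemap):
    """Archived (host, path) pairs absent from today's site map, flagged if sensitive."""
    live = set(current_sitemap)                # set of (host, path) pairs
    findings = []
    for host, path in cdx_hits:
        if (host, path) in live:
            continue
        sensitive = any(hint in path.lower() for hint in SENSITIVE_HINTS)
        findings.append((host, path, sensitive))
    return findings


def enumerate_dirs(fetch, base, wordlist):
    """Directory brute force with a soft-404 baseline.

    fetch(url) returns (status, body).  A random path is requested first so a
    server that answers 200 for everything does not produce a hit per word.
    """
    probe_status, probe_body = fetch(base + "/this-path-should-not-exist-4f9c")
    found = []
    for word in wordlist:
        status, body = fetch(f"{base}/{word}/")
        if status == 404:
            continue
        if status == probe_status and body == probe_body:
            continue                            # identical to the soft-404 page
        found.append((word, status))
    return found


# Constructed stand-in for an HTTP client: unknown paths get a 200 with a
# "not found" page (a soft 404); two directories return real responses.
FAKE_SITE = {
    "/admin/": (401, "auth required"),
    "/backup/": (200, "Index of /backup"),
}


def fake_fetch(url):
    return FAKE_SITE.get(urlsplit(url).path, (200, "Sorry, page not found"))


if __name__ == "__main__":
    hits = parse_cdx(SAMPLE_CDX)
    print("hosts not in inventory:", unknown_hosts(hits, ["www.example.com"]))
    print("archived but unlinked:",
          unlinked_paths(hits, {("www.example.com", "/"), ("www.example.com", "/about.html")}))
    print("directories found:",
          enumerate_dirs(fake_fetch, "http://www.example.com", ["admin", "backup", "images", "uploads"]))
```

Against the constructed data, the archive reveals two hosts the client never listed (dev and old), three archived paths that look sensitive and are no longer in the site map, and the brute force reports only admin/ and backup/ because images/ and uploads/ match the soft-404 baseline. Swap fake_fetch for a real client and the CDX sample for a live query to use it on an engagement.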
Jock Pereira | http://www.jockpereira.com | jockster@gmail.com | 978-666-4000