Career Spotlight: Penetration Tester

View all blog posts under Articles | View all blog posts under MSCS

Just one flaw is all it takes for a hacker to gain access to sensitive information.

More than in most other fields, pen testers must stay on top of a rapidly changing landscape where new hacks are discovered almost daily.

Penetration testers (also known as ethical hackers or pen testers) working for Foregenix, an information security vendor, discovered critical vulnerabilities in EMC Corporation’s data protection platform in May 2018, according to Chris Mellor’s The Register article, “Penetration Tester Pokes Six Holes in Dell EMC’s RecoverPoint Products.” These flaws, left unchecked, would have provided tools through which hackers could easily have gained access to RecoverPoint’s network and to the underlying Linux operating system.

Dell’s EMC data storage and management software have senior pen tester Paul Taylor of Foregenix to thank for discovering these dangerous flaws before they were put to malicious use by unethical hackers. At the time Mellor’s article was published, Dell had already addressed three of the six flaws uncovered by Taylor.

Penetration testing is one of the more intriguing cyber security careers available for those who earn an online cyber security master’s degree. Certified ethical hackers can work for corporate employers, infosec (information security) consultancies, and state or federal government agencies. More than in most other fields, pen testers must stay on top of a rapidly changing landscape where new hacks are discovered almost daily. So, graduation for pen testers is not the end of learning. Many students who are interested in pen testing, however, are lifelong learners by nature who are attracted to ethical hacking because of its unpredictability.

 

The Duties and Responsibilities of Penetration Testers

So, what is penetration testing exactly? It is one major tool in cyber security, a field that is generally viewed as a crucial, requisite part of an organization’s IT department. The threat of security breaches by hackers is ever-present in the minds of board members and upper management. Just one flaw is all it takes for a hacker to gain access to sensitive information such as Social Security numbers, credit card data, account info, and even classified corporate or government secrets.

Security measures can be implemented in an effort to block attempts to gain access to networks, and software and hardware firewalls may be used to add an extra layer of protection between sensitive databases and the public. But unless organizations can view their network through the eyes of real hackers, they will never really know for sure how secure (or unsecure) their system is.

“Companies engage ethical hackers to break into their computers or devices to test the organization’s defenses,” columnist Roger A. Grimes explains in “What Is Ethical Hacking? How to Get Paid to Break into Computers” on CSO Online.

“From the penetration tester’s point of view, there is no downside: If you hack in past the current defenses, you’ve given the client a chance to close the hole before an attacker discovers it. If you don’t find anything, your client is even happier because they now get to declare their systems ‘secure enough that even paid hackers couldn’t break into it.’ Win-win!”

Ethical hackers are hackers in every sense of the word. Some will even engage in social engineering activities, which involve “undercover work” designed to trick company employees or vendors into divulging sensitive information, including passwords, usernames and answers to security questions (mother’s maiden name, name of first dog, or first street they lived on, for instance). They can then use the information to access private company databases.

“Social engineering is the term used for a broad range of malicious activities accomplished through human interactions,” says Imperva Incapsula in “What is Social Engineering” on its company blog. “It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.”

 

Education and Certification Requirements for Pen Testers

Cyber security master’s students interested in pen testing careers should make sure that their school offers coursework in cryptography principles, secure communication protocols, Internet of Things (IoT) applications, cloud computing and advanced software engineering/programming languages.

On top of the cyber security program curriculum, aspiring pen testers should also be familiar with Windows, Unix and Linux operating systems; networking tools such as Nessus and Nmap; security frameworks; web-based applications; security tools such as Fortify and AppScan; vulnerability analysis; reverse engineering; Metasploit; and forensics tools, according to CyberDegrees.org’s “Become a Penetration Tester.”

Certification programs for ethical hackers are available through a number of different extracurricular sources. In “Top 10 Penetration Testing Certifications for Security Professionals,” Infosec Institute lists the most popular and widely accepted certification offerings:

  • EC-Council Certified Ethical Hacker (CEH)
  • EC Council Licensed Penetration Tester (LPT) Master
  • Certified Mobile and Web Application Penetration Tester (CMWAPT)
  • Global Information Assurance Certification Penetration Tester (GPEN)
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
  • Offensive Security Certified Professional (OSCP)

Each certification covers a slightly different aspect of pen testing at varying levels of expertise. Students interested in learning more should research the certifications before deciding on which one to pursue.

 

Employment and Salary Outlook for Pen Testers

Certified penetration testers can work in almost any industry at any size organization, or they can take freelance gigs on their own via any number of online freelance marketplaces (Elance, Upwork and even Craigslist). Multinational corporations have as much need for pen testing as small franchises, healthcare companies, government agencies and even sole proprietorships. The FBI, for example, hires ethical hackers to test its IT infrastructure, according to Infosec Institute’s “Penetration Testing: Career Path, Salary Info, and More.”

Payscale.com reports the average salary for pen testers at just over $80,000. Some companies, including IBM, have paid pen testers six-figure salaries. And salaries can be expected to approach $120,000 per year after 10 to 20 years of experience in the field.

 

University of North Dakota’s Master of Science in Cyber Security Program

In a connected world, where everything from smartphones to watches, vehicles, TVs, appliances and even warehouse inventory equipment are on a computer network, cyber security is the first line of defense against our Internet of Things devices being used maliciously against us. And penetration testers provide a look “through the enemy’s eye,” so to speak, at the strength of organizations’ cyber security measures.

UND’s online cyber security master’s degree program is accredited by the Higher Learning Commission and ranked in U.S. News & World Report’s Top 25 Most Innovative Schools (2018), alongside such prestigious institutions as Stanford, Harvard and MIT.

UND prepares students for careers in cyber security, with concentrations in Autonomous Systems Cyber Security, Cyber Security and Behavior, Data Security, and General Cyber Security.

For more information on UND’s MSCS online program, visit the program’s website.

 


Sources:

Penetration Tester Pokes Six Holes in Dell EMC’s RecoverPoint – The Register

What is Ethical Hacking? – CSO Online

What is Social Engineering? – Incapsula.com

Become a Penetration Tester – CyberDegrees.org

Top 10 Penetration Testing Certifications – Infosec Institute

Penetration Testing: Career Path, Salary Info, and More – Infosec Institute

Average Penetration Tester Salary – Payscale.com