What is a penetration tester

Old No Comments on What is a penetration tester 8

Penetration Testers are also sometimes referred to as ‘pentesters’ and their job is to assess the security of a computer system or network, or online computing systems. Penetration testers carry out this process is by simulating an unauthorized breach by a malicious hacker who might attach from either from the outside or the inside of the system. The role of a penetration tester and the knowledge that is needed is usually above that of a company’s information technology (IT) sector. This is why companies hire experts from the outside, usually opting to hire through an established company of penetration testers. This is favored because of the stringent vetting and background checks that penetration testing companies perform on their employees.

Being a Penetration Tester involves performing various scans against computer perimeter defenses, boundary routers, firewalls, switches, network devices, servers, and workstations to see which devices are within a given environment and to determine the overall plan of the network and topology. Once this has been gathered, penetration testers can then collate this information and then look at an attack vector to try and penetrate identified systems to see if they can be compromised by using known vulnerability scans, attacks and denial of service attacks. Penetration testers are essentially taking on the role of the hacker. They use tools like PING to detect if hosts are live, port scanners for any hosts that may deny ICMP Echo/Reply requests (PING’s) and to also identify which ports are open on devices that allows them to create a footprint of what these devices are used for. The overall job of the penetration tester is to map out the entire network and to make sure any vulnerable devices are known and patched frequently.

An analogy which is used to describe the necessity of penetration testers is the use of locks and alarms on homes. We do everything in our power to keep our homes safe from intruders as the damage they can cause is high; in the same sense companies want to protect their computer systems and websites from break-ins that have the ability to cause untold amounts of damage or lead to theft of money or personal information or other fraudulent activities being undertaken. Although many companies have their own IT staff, they are not trained in the same methods that a penetration tester is. The pentester takes the role of the malicious hacker and tries to take advantage of weaknesses in a system. These areas that are possible exploitation avenues are not recognized by the IT staff that put it together most of the time, and takes an outsider to attempt a break in to deduce how safe the site is.

The penetration tester carries out tests from outside the firm’s defenses, in a way that simulates the activities of criminal hackers, or else it can be performed with various degrees of insider knowledge, to simulate the effects of perimeter breaches or of insider activity. The major difference between a penetration tester (also called a ‘white hat’ or an ‘ethical hacker’) is that they are following specific rules of engagement. This includes obtaining written and signed permission from senior management over the website or security systems they will be attempting to breach, and that their reason for attempting it is working on behalf of the rightful site owners. Penetration testers need to identify which systems will be included in the test, establish a time line and scope for the work, and understand the legal parameters under which they are entitled to work. As the basis of the penetration tester’s job is hacking, and hacking can be illegal in certain circumstances, it is important for them to know where this line lies, and understand that simply gaining a company’s permission to attack their site might not make every aspect of it legal, so the parameters they set for the job is important.

http://www.sans.org/reading-room/whitepapers/testing/penetration-101-introduction-penetration-tester-266

http://mobiledevices.about.com/od/glossary/g/Definition-Of-Penetration-Testing.htm

http://penetrationtesting41.tumblr.com/

 

 

Author

Michael Mulcreevy

Michael Mulcreevy is a writer and researcher and studied sustainability. He has special interests in technological advancements in the computer age and writes on all things current and future based such as systems for community resilience.

Related Articles

Leave a comment

Back to Top