
The misapprehensions of penetration testing hinder security


3-Nov-2014 - Academics, managers, and lawyers are thwarting the effectiveness of pen testers.

Many would-be pen testers are focused on the cool factor, and lack the knowledge and passion for information security.

“I think a lot of people have fallen in love with pen testing as an ideal that will help them escape their current jobs, but they don't have familiarity with what it actually involves,” said Accuvant security consultant Heather Pilkington. “They don’t understand the philosophy of what we do. We need to adjust expectations, not just with individuals, but also with academic institutions about the realities in the space. We’re not adequately preparing students for what we do.”

In her impressively thorough SecTor presentation, “So you want to be a pen tester?”, Pilkington included humorous comments and slides to outline the knowledge, training, innate curiosity and abilities that make a good penetration tester. 

Before becoming a pen tester she’d been in corporate security for six years, specializing in incident response and threat and vulnerability management. A requirement of those positions is to keep abreast of new vulnerability announcements.

“One thing they lean on you for is to establish priority, as there’s quite a bit of lead time in patching systems,” she said. “What needs patching now and what can wait 30 days?” 

Vulnerability announcements make that task more difficult by their vagueness.

“Vendors do that intentionally so they don’t reveal the full extent of their weaknesses,” said Pilkington. “While it protects them, it doesn’t help, because they don’t say why they’re putting the patch in place or what the patch does. Knowing how an attacker attacks systems would help me resolve that.”

Most people in the infosec space have worked as network or systems administrators before going into pen testing. They’ve built a huge amount of knowledge that prospective pen testers aren’t receiving in academic settings.

With hands-on learning and internship it’s possible to get the necessary experience. Unfortunately such programs aren’t common.

“We need those who’ll accept the input from industry professionals,” Pilkington said. “Working experience is as important as academic experience… not just for pen testing or administration, but also for all of IT.”

While organizations are focused on getting bodies into the pen tester chairs, there’s a shortage of commitment to getting the right people into these positions.

“We’ve all seen commercials for the technical institutes, promising people a new career and start with life, and you’ll make lots of money as a systems administrator,” said Pilkington. “People see those commercials, and then they’re completely blindsided when they start having to work 20-hour days as network and systems administrators. Getting the wrong people into these jobs makes them miserable, and they face burnout. We need more inside educational institutions to help people have the right fit.”

In classes students learn to ‘type this’ and ‘follow that checklist’. They’re told, “Your job is to monitor the box”, whereas pen testing is about the unpredictable element.

“Academic training encourages people to follow a checklist, and you can’t detect the unexpected by following a checklist,” Pilkington said. “Attackers do the unexpected thing to get into the system. Learning to think outside that box requires people who can see that. And most importantly, communicate it to the people who need that knowledge. Even determining who to fix it is a challenge.”

Another challenge is that institutions are concerned about the liability of teaching people how to break into and break things. They’re afraid to teach real penetration testing, for fear of teaching malicious attackers. And so the graduates applying to pen testing positions don’t understand what they’re doing.

Nor are organizations helping the situation. They say they want a full time pen tester to make their security better, because they think an in-house attacker is going to magically make them better secured.

“But corporations are rules oriented,” noted Pilkington. “They’re not prepared to give the leeway, creativity, and space to make the new pen tester an effective attacker who’s going to make things better.”

And corporate lawyers are unsettled by people who’ve been hired to deliberately break the rules.

It helps to zoom out and take a larger view.

“The term pen testing is fairly contentious – it means different things to different people,” Pilkington said. “The need is not necessarily clear. It ranges from prospective testers who think they only have to go in and break stuff, to those worried about compliance.

“I think as an industry we need to focus on defining what the goals and objectives are for pen testing, and how those are met, not just with configuration audits or patch audits or vulnerability scans. So I think we have a lot of growth to do from the standpoint of industry and professionals.”

There’s a perceived lack of collaboration in business today, so well-meaning people have decided to knock down cubicles and walls and put workers together in open, noisy environments. That doesn’t help pen testers, who need quiet to think while assessing and probing for vulnerabilities.

“It’s been proven that if you require any deep thought it’s the worst thing you can do,” said Pilkington. “Allowing people to work from home offices is super important, not because it’s fun, but because geographical considerations drive the desire for a job. We work at all hours. We don’t stop at 6:30. If there are a dozen pen testing jobs on the west coast and all of the available pen testers are unwilling to leave their homes in the northeast, either those jobs are going to remain unfilled or those companies are going to embrace telecommuting. When organizations adapt to the telecommunications model and build workforces that collaborate online, they’ll realize geography doesn’t matter.”

Such modern thinking goes against the well-publicized example of Yahoo, which banned telecommuting because the new CEO said some telecommuters were goofing off. Pilkington disagrees.

“That’s not the real issue. It wasn’t about working from home… it’s about improperly managing resources. If you don’t manage correctly you’ll have those same problems in the office.”