Penetration Testing For Dummies. Robert Shimonski
Crowdsourced pen testers
As big data grows as a concept and more and more systems grow in complexity and size, especially as companies move into cloud architecture and outsourced solutions, there is a need to leverage additional resources to stay on top of all the latest risks, issues, and threats. As more and more systems join massive compute models and virtualized systems are used in new architectural models, the global community of good guys (white hat hackers) can bring a wide array of benefits to the table.
Crowdsourcing is a form of security where pen testing is done via group-based team efforts of enthusiasts (who can also be experts) for the purpose of testing systems managed by enterprises, much the same way a consultant may. For example, a crowdsourced pen test group may be contacted to run the same types of attacks against you that a consultant may and report on their findings.
Crowdsourced pen testing is no different than any other crowdsourced solution. You’re using multiple resources to conduct your tasks to get a better outcome by leveraging a large pool of resources, knowledge, and abilities. But if you’re concerned about privacy and legal exposure, go with a consultant.
You can find crowdsourcers at sites such as www.hackerone.com. Join and offer your services or find pen testers to help you out with a project.
In-house security pro
In-house security operations versus consulting services for hire (which I discuss in the next section) are generally how pen testers work in the field. Large companies and government agencies generally employ in-house operations engineers who conduct pen tests for the business they work for.
Smaller organizations can’t always afford to keep staff of this kind, and they often don’t have enough work to keep them busy. Sometimes conducting pen tests isn’t a dedicated position but is a task given to a systems administrator, a network engineer, or other IT professional in the organization.
An in-house employee who’s dedicated to securing the organization’s interests, assets, and reputation is often called a security analyst. This is someone employed full-time by a company, firm, or business (public, private, non-profit, government, military, or otherwise) who is responsible for providing security services. That’s a broad term for what can be a very detailed role, covering a variety of security functions, the skills they need, and the tools they use.
Depending on the organization and the exact role, security analysts might have many other names, such as these (not a complete list):
Chief Information Security Officer (CISO)
Security architect
Security engineer
Security operations staff
Risk analyst
Forensics technician
Security practitioner
These are obviously more detailed roles within security, but they all work with security, and they all analyze security to some degree.
Generally, to become a good security analyst you need to absorb, learn, or train in many other areas so you have a holistic view of the enterprise you are charged with securing. I discuss what you need to know in the later section, “Gaining the Basic Skills to Pen Test.”
Security consultant
You can hire a consultant to conduct a pen test for you or your firm. Consultants are for hire either as independent contractors or as part of firms you can hire. This may save you time and money in the future.
Consultants at times work for firms that specialize in security or provide security services under a contract. This means that they can scan remotely (externally) or come onsite and scan internally and do more intrusive testing. Either way, consultants allow a smaller organization to retain top talent for a reasonable price and still get the services needed to be current and secure. This route also gives those entering the field of pen testing an opportunity to gain employment through a company or a contract to conduct security services.
Getting Certified
Professional organizations and vendors both offer industry-standard, generalized, and specialized certification programs, as well as those based on specific vendor tools. Some of them mix the two.
For example, one of the biggest and most focused pen testing certifications on the market today is CompTIA’s PenTest+ certification. Although it covers general topics on pen testing, it also goes in depth on the tools you use the most. There are also other certifications, such as the CEH (Certified Ethical Hacker) and the SANS GIAC Penetration Testing certification (covered in Chapter 16).
You can also start with general security certifications such as the CompTIA Security+ or the ISC2 CISSP.
It would also benefit you to learn how to write and submit reports and present your findings. I cover these topics in detail in Part 4.
Gaining the Basic Skills to Pen Test
You’re going to need a wide variety of skills throughout your pen testing career, but the biggest (or most important) skills to have are in the realm of networking and general security, which I discuss in this section.
TAKING A HOLISTIC VIEW OF SECURITY
Having an understanding of an organization’s business model and industry will enable you to take a holistic approach to security practices. Gaining that holistic view may require programming, network engineering, and system engineering, as well as understanding endpoints, desktops, storage, and many other systems and services. This doesn’t mean you can’t practice security if you don’t have all these other skills, but it definitely makes a difference to your ability to strategize and lead a security effort, and/or to respond to security threats, breaches, and attacks more efficiently.
Security in a holistic view is also known as defense in depth. Confidentiality, integrity, and availability (CIA) make up a triad; defense in depth and pen testing help to secure it, and that is essentially the entire holistic view of practicing security in an organization.
To be able to conduct a pen test with any amount of confidence, the more you know about security and network architecture, the better. For example, to run a basic pen test, you need to enter a network address or subnet range in your scanning tool.
You also need to know the difference between vulnerability scanning and pen testing: how they’re similar and how they’re different. Figure 1-1 shows