Even before we released CompTIA PenTest+, I had a strong feeling that not all was well in the pen testing world. You see, there have been so many environmental changes:
- Morphing Endpoints: With the internet of things (IoT) and (years ago) mobile, the endpoint has changed radically in a short period of time.
- Dissolved Perimeters: The terms ingress and egress mean radically different things today, now that we’ve seen true cloud adoption over the past three years.
- Suspect Hardware and Software: We’re seeing an absolute flood of software and IoT devices that, frankly, aren’t ready for prime time. This has led to an unprecedented spike in the size of our collective attack surface.
With these changes, even the very term penetration test, which implies an inside and outside, appears outdated.
In addition to these environmental changes, we’re also seeing some organizational challenges:
- Lack of Skill: I’ve talked with many people who have encountered pen testing services but find that the skills of the people conducting the service are not much greater than a script kiddie. Even those pen testers who know their stuff may not be able to differentiate between a pen test and a glorified hacking attempt.
- The Checkbox Mentality: Some organizations still labor under the idea that a pen test is something you do to fulfill a quarterly obligation. If you don’t follow up on the pen test, you’ve got problems.
- The Whack-a-Mole Mentality: I was discussing pen testing with a savvy group of IT pros recently and heard detailed stories about how some executives want to use pen testers alone to find and eliminate hacks. This type of approach leads to a selective approach to security, to put it nicely, and it doesn’t work very well.
- Unclear Terminology: Some cybersecurity pros use the terms red team and pen testing team interchangeably, but others differentiate between the two. Those who differentiate say that the red team pursues the kill chain across an entire company, while a pen tester attacks a specific vulnerability on a specific server or platform. If we can’t define our terms, then how can we move forward at all?
- Seeking Automation: For almost 20 years, I’ve heard about how automation can replace a pen test. One IT pro even told me how he had to explain that the free Amazon Web Services (AWS) vulnerability scanner wasn’t the same as a pen test. While it’s important to respect an executive’s urge to save money and automate repetitive tasks, vulnerability management just isn’t the same thing as a pen test.
- The Gandalf Mentality: In response to my comment in a presentation that “we’re not Gandalfs,” an IT pro said to me, “Actually, we are wizards – we’re the ones that have the knowledge.” He’s got a good point. But, do you really need the pen testing prince of darkness to show up every time? I’ve received a decided “no” from almost every hiring manager and pen tester I’ve asked.
As you can see, there are a few problems in how organizations are responding to today’s environmental and business challenges. But, all is not lost. Even the checkbox, Gandalf and whack-a-mole folks agree that successful pen testers need hands-on experience. And, more companies are realizing that you have to take the information that pen testers generate and then have teams analyze that data.
Why Pen Testers Need Hands-On Experience
But, that experience message keeps resonating in my mind. Most courses get people to a certain peak of knowledge. Any good course does more than teach acronyms. It can teach best practices, as well as offer lab-based learning. That’s terrific and useful. But, hiring managers are looking for what I call a second peak of knowledge. It’s a peak that students often find elusive.
This second peak is attainable only if a specific set of conditions is met.
- First, you need an authoritative resource and mentor to teach that information.
- Second, you need immersive experience.
- Third, you need validation of that experience so you can start thinking more deeply about your knowledge base.
Only then will students be able to think independently and engage in the kinds of troubleshooting and problem solving that we look for in a pen tester. I’d call this my twin peaks analogy, but I don’t want David Lynch to sue me.
How to Get Hands-On Pen Testing Experience
How do you get to that second peak? One option is by participating in mini bootcamps, train-the-trainer courses, pen testing contests and other hands-on activities.