A Penetration Tester, sometimes known as an IT Pen Tester or Ethical Hacker, is normally responsible for probing for, and exploiting, IT security vulnerabilities in a client's IT networks, systems and websites.
They are, in effect, professional hackers paid by the good guys: organisations that want to find and fix their weaknesses before the bad guys find them first!
They use a suite of penetration testing tools and techniques to compromise the IT security defences of their agreed, in-scope target networks, servers, websites or other IT systems, looking for and recording any weaknesses and vulnerabilities they find. Staying within that written scope, and under the client's explicit authorisation, is what separates an ethical hacker from a criminal one.
The job may involve developing automated penetration scripts, as well as using off-the-shelf tools, to penetrate web-based applications, IT networks and computer systems.
The role encompasses the simulation of real-world cyber attacks and reporting on the results so that the organisation can use the outputs of the penetration test to improve its IT security.
The Penetration Tester will need to produce a comprehensive report showing where the identified weaknesses are, how they were found, and how to mitigate them in future.
The fun part of the job revolves around the ‘ethical hacking’ of the target systems; the more mundane part revolves around producing a professional report for the client, as already outlined!
More specific Penetration Tester responsibilities may include:
1) Planning and performing relevant penetration tests on computer systems, networks or web-based applications.
2) Designing and implementing new penetration testing tools and techniques that can be deployed during penetration testing on behalf of the client.
3) Conducting a physical security assessment of an organisation's systems, including servers and networks, to ensure that unauthorised physical access to them is not possible.
4) Pinpointing the methods that attackers would use to gain access to the client's systems and underlying data, and identifying the exploits and weaknesses within the organisation's IT security defences that make those methods work.
5) Uncovering inadequate security practices, weak password policies and other human errors using social engineering techniques, and recommending processes and procedures to reduce human error in future.
6) Ensuring that file, directory and login permissions are restricted to those who need access to them and no one else (the principle of least privilege).
7) Collating all findings into a formal report that highlights every issue uncovered, together with the recommended remedial actions the client should take.
8) Presenting the penetration testing findings to all interested parties, such as senior IT management, directors and the impacted teams, explaining the details of individual findings where required, and setting out the recommended next steps.
9) Highlighting the project scope and requirements needed for the organisation to patch, fix and isolate the newly discovered IT security flaws. Training, or indeed re-training, of the impacted systems' users may also be necessary, and should take place alongside the creation of new documentation covering both new and existing systems going forward.
10) Recommending a process of penetration and vulnerability testing that the organisation can carry out itself in future. Regular penetration and vulnerability testing of the live or production environment is necessary to maintain a secure environment as new threats and exploits emerge.
11) Verifying the client's remedial actions, providing feedback and confirming that their fixes actually close the highlighted security issues. Often a final re-test will be necessary to confirm success!
The job of Penetration Tester is often a daytime role, working an average 40 hours per week. Short-term IT Penetration Tester Contractors and Consultants may be paid a day rate where any additional work is chargeable.
What can you expect to earn as a Penetration Tester? The position of an IT Penetration Testing specialist is an intermediate-level role. Salaries will of course vary depending on your experience, qualifications, the organisation and sector, and whether you are employed on a full-time, short-term Contractor or Consultant basis.
According to Payscale*, salary expectations for the role of Penetration Tester at the time of writing are $46,757 to $128,987, or £35,966 to £99,220 at a conversion rate of 1.3 USD/GBP.
Sources:
* Payscale – http://www.payscale.com/research/US/Job=Penetration_Tester/Salary