A penetration tester could...
|Practice "social engineering" by trying to convince a company's employees to reveal their passwords.||Help a bank find vulnerabilities in its website and help protect customer account information.|
|Try to break through a company's firewall to gain access to its private network.||Test if a website will let a user upload files containing malicious code.|
Key Facts & Information
|Overview||In movies and in the media, computer hackers are often portrayed as the bad guys—criminals who steal money or important information. What if you could be a good hacker? Somebody whose job is to find security flaws in computer systems; but rather than exploiting them for personal gain, you help fix the problems before criminals can find them? That is what penetration testers—also called "white hat" or "ethical" hackers—do. Companies pay them to intentionally try to break into their systems to expose vulnerabilities. It is a bit like paying somebody to try and break into your house so you can fix a broken lock or loose window if they find their way inside. If you have always dreamed of being a hacker, but do not want to break the law, this could be the career for you!|
|Key Requirements||Creativity, analytical skills, attention to detail, problem-solving skills|
|Minimum Degree||Bachelor's degree|
|Subjects to Study in High School||Computer science, algebra, algebra II, pre-calculus, calculus, statistics, English|
|Projected Job Growth (2012-2022)||Faster than Average (14% to 20%)|
Education and Training
Penetration testers typically have a bachelor's degree in information technology, computer science, or a related field. However, sufficient work experience will sometimes be accepted instead of a degree. As the demand for cybersecurity professionals continues to grow, some schools are starting to offer more specific cybersecurity-related degrees. Additional professional certifications, like Certified Ethical Hacker (CEH), may be preferred. Since the field of information security changes rapidly as computer technology advances, penetration testers must stay up-to-date on the latest advances in their industry, including the latest attacks by malicious or "black hat" hackers and the attempts by "white hat" hackers to prevent them. It is important to avoid any illegal black hat hacking activities of your own, as many penetration tester jobs require background checks or security clearances, or even a polygraph test. A history of criminal behavior or illegal hacking, even if it was "just for fun," could ruin your prospects of a white hat hacking career.
Other QualificationsPenetration testers must have excellent creative, analytical, critical thinking, and problem-solving skills. However, it is important to have interpersonal skills in addition to the computer-related skills. Social engineering can be a big part of penetration testing, so interacting with other people, and even gaining their trust (like letting you log in to their account or sharing their password), can be an important part of the job. Penetration testers may also be responsible for preparing reports and explaining to executive staff or management what the damages of a cyberattack could be (for example, loss of customer trust if credit card data is stolen, and the resulting financial fallout) and why it is worth the investment to preemptively fix vulnerabilities.
Nature of the Work
Penetration testers are skilled workers who are hired as "ethical hackers." They are hired by companies and government agencies to expose vulnerabilities in their web and computer systems by intentionally trying to hack into those systems. However, rather than stealing information for personal gain (for example, customer credit card numbers or sensitive trade secrets), the penetration testers tell their clients about the vulnerabilities they have found so they can be fixed. Penetration testers could work for a large company who has internal employees to test its own systems, but many times they work for third-party consulting agencies that may be hired by many other organizations.
A penetration tester's job may take different forms. For example, first a penetration tester might be hired by an outside company to perform penetration testing. The company could hire the tester to do cooperative testing (where the company's employees are aware that the penetration test will take place), or they could do secretive or "blind" testing where the company's employees do not know the penetration tester has been hired. This means they cannot tell the difference between the penetration test and a "real" attack, so it tests how the company's employees will respond. Depending on the level of cooperation versus secrecy, the penetration testers may be given information about and access to the company's systems, or they might have to do their own research and reconnaissance (simulating the situation a real attacker would be in).
A penetration tester may run a variety of tests to test a company's systems. Some of them may be industry-standard tests and some may be unique and developed on a case-by-case basis. For example, one standard test involves testing websites that allow users to upload files to see if they will allow the user to upload a file containing malicious code or a virus (however, the "virus" will be designed not to do any real damage to the company's systems). However, not all tests are electronic in nature. Some tests may involve "social engineering," or exploiting people to gain access to a company's systems. This could range from simply checking to see if employees keep their passwords written on sticky notes near their desks to sneaky actions intended to gain unauthorized access—like convincing a security guard to let you into a building because you forgot your ID card, or leaving a USB drive with a virus on it in the company parking lot, and hoping somebody will connect it to their computer to find out what is on it.
After completing a test or series of tests, penetration testers will usually prepare a report on the results and any vulnerabilities that they found. They may present this report to a manager or company executives to detail the vulnerabilities they exposed, what could happen if a real criminal exploited them, and how they can be fixed to prevent future attacks.
Penetration testers typically spend the majority of their time working in an office environment, usually in front of a computer. They may have meetings with other people in the office during the day, and occasionally travel for conferences and professional meetings. Most analysts work full-time (40 hours per week). Since most of the penetration tests are performed online, they may work remotely. Sometimes they might be hired to do on-site penetration testing for a client, which could require travel.
Like other workers who spend long periods of time typing on a computer, penetration testers are susceptible to eyestrain, back discomfort, and hand and wrist problems, such as carpal tunnel syndrome or cumulative trauma disorder, but preventative measures can be taken.
On the Job
- Do reconnaissance on a target company's potential vulnerabilities (in other words, get paid to spy!).
- Run pre-determined, industry-standard or automated tests on a company's computer system.
- Brainstorm, develop, and implement your own tests and attacks based on your reconnaissance.
- Test physical security, like trying to sneak into a building by pretending to be an employee who forgot his or her ID card.
- Practice social engineering attacks, like trying to get employees to reveal their passwords.
- If an attack is successful, "steal" information to prove that criminals could also access the data.
- Carefully document the results of any exploits or vulnerabilities you find.
- Report your results to management or to a client (if you are hired as a consultant by an outside company) and explain what they need to to do to fix the problems.
Companies That Hire Penetration Testers
Do you have a specific question about a career as a Penetration Tester that isn't answered on this page? Post your question on the Science Buddies Ask an Expert Forum.
- InfoSec Institute (n.d.). Penetration Tester. Retrieved Jan. 19, 2016 from http://www.infosecinstitute.com/jobs/penetration-tester.html
- Symantec (October 2005). Symantec™ Application Penetration Tests. Retrieved April 25, 2016 from http://eval.symantec.com/mktginfo/enterprise/fact_sheets/ent-datasheet_application_penetration_test.pdf
- Payscale (n.d.). Penetration Tester Salary. Retrieved April 25, 2016 from http://www.payscale.com/research/US/Job=Penetration_Tester/Salary
- Geier, E. (2012, February 15). How to Become an Ethical Hacker. PCWorld. Retrieved April 25, 2016 from http://www.pcworld.com/article/250045/how_to_become_an_ethical_hacker.html
- SecureNinjaTV. (2014, October 17). Careers in Cybersecurity - Expert Advice from BlackHat & DEFCON. Retrieved May 16, 2016, from https://www.youtube.com/watch?v=EhIp3b8iGm4&feature=youtu.be
- Titania. (2014, May 23). A Day In The Life Of A Penetration Tester - Ian Whiting, CEO, Titania (CREST Interview). Retrieved May 16, 2016, from https://www.youtube.com/watch?v=Hyr0mbc6bvI&feature=youtu.be
- CREST Videos. (2014, June 3). Tim Varkalis, penetration tester at PWC talks about a day in his working life. Retrieved May 16, 2016, from https://www.youtube.com/watch?v=Xrr0ai0Wjtg&feature=youtu.be