Q&A: Penetration testing

Thomas Wilhelm is an associate professor at Colorado Technical University and also employed at a Fortune 20 company performing penetration testing and risk assessments and has spent over 15 years in the Information System career field. In this interview he discusses the interesting world of penetration testing as well as his latest book – Professional Penetration Testing: Creating and Operating a Formal Hacking Lab.

Many entering the field of computer security are fascinated with the prospect of working as penetration testers. In your opinion, what are the prerequisites one has to posses in order to become good at this job?
From a personal perspective, an inquisitive mind and thirst for knowledge are critical to perform penetration testing. An inquisitive mind will want to discover how things work and how they can be broken, while a thirst for knowledge will make the long hours of research possible.

From a Human Resource perspective, it used to be that penetration testers had to have years of experience to compete for a spot on a pentest team. Recently, I have seen requests from companies that are looking for college students with zero practical experience to fill security positions. This shift indicates two possibilities: One, that security professionals are in short supply; and two, penetest engineers can be trained. Not too many years ago, the methodologies behind penetration testing were considered obscure and simply not understood by corporate management. Today, companies are understanding the need for “red team” attacks, and able to grasp the processes behind such assessments.

In terms of the future, it is probable that the prerequisites for a position as a professional penetration tester will include college and certifications. And speaking of college, I cannot emphasize enough the value of writing and communication. Students interested in becoming penetration testers will spend a lot of their time documenting their findings and explaining the results in a manner that must be persuasive and understandable by those not familiar with information technology. English classes are your friend – trust me.

What are the main ethical concerns surrounding penetration testing?
Sometimes “ethics” is viewed as an obstacle to the actual attacks during a professional penetration test; the idea is that the black hats don’t follow any ethical patterns when attacking a system, so ethics can only prevent a “good guy” from really understanding the risks to a system or network. This isn’t a strong argument, since there aren’t too many restrictions in a pentest, other than those that might jeopardize the continual operation of production systems; even then, the types of attacks that can disrupt a network or system typically fall under the umbrella of Denial of Service (DoS) attacks. The susceptibility of a system to a DoS attack is often a risk that the system owner acknowledges beforehand. Therefore, ethics doesn’t really become an overwhelming issue in the actual attacks against a system (other than expanding the scope of the attacks without permission).

Where ethics becomes an issue is how we handle our findings and maintain confidentiality. It’s exciting to discover a way into a system, and report the findings to our clients. The risk at that point is how well we retain this data without exposing our clients to additional risks; one thing we always have to remember is that mitigation of risks is a business decision, which may be to not remediate the identified vulnerability. If we release data on the vulnerability, even if we exclude information about the client, there is still a chance that our client may come under attack simply through chance. As professionals, we should not put our clients at additional risks, and need to be careful as to what we do after a penetration test – not just during one.

What kind of hardware do you use and why?
I use a combination of Windows and Linux-based systems, depending on what tools I need access to. I have to admit when looking for laptops, my highest priority is to find a system that has a wireless modem that can be put into monitor and promiscuous mode, for wireless attacks, if and when they come up. I also have begun to favor my jailbroken iPod Touch as an attacking platform for testing purposes, especially since it runs a Unix-compliant Operating System that can compile and run most of the linux-based hacking programs; the size and storage capacity of the iPod Touch makes it a fun tool to work with.

Which software solutions can you recommend?
I often get flack for mentioning some of the high-end commercial tools, such as WebInspect and Core IMPACT, but the time of a penetration tester is simply too valuable to spend looking for low-hanging fruit. The simple ability to automate scans and attacks with Core IMPACT makes it invaluable – plus, there’s additional functionality that makes IMPACT a great attack tool, especially the ability to use exploited systems as attack systems almost trivially.

The commercial software is often just a starting point to save time and get a better understanding of the target network or system. After that, we inevitably need to get are hands dirty and use tools that we have more control over, such as Nmap, scapy, netcat, etc. Out of the “Top 100” network security tools listed at sectools.com, I probably have used half of them at different points in my career; that’s not even including scripts written as needed. To answer your question directly, I would recommend whatever tool is best for the challenge.

What would your advice be for anyone interested in taking up penetration testing seriously?
Professional penetration testing is about helping the client better understand and secure their network and systems. We are not there to make them secure their network – that is a business decision that the client’s management needs to make for themselves. Because we are simply an audit tool in the eyes of our client’s management team, it can be frustrating to see our remediation suggestions ignored; but that is how business works.

I would also like to explain that penetration testing is a lot of work, and involves a lot of research and learning. Keeping up with security trends, reading about the latest exploits, setting up a lab and recreating exploits, and documenting findings can be taxing on a person’s time, especially if one wants to maintain their skills and be an asset to the team.

How long did it take you to write Professional Penetration Testing: Creating and Operating a Formal Hacking Lab? What was the writing process like?
The book took about a year from inception to print; however the training videos on the accompanying DVD had already been developed as part of the online classes at Heorot.net. The book was originally intended to support the training on the DVD, but it took on a life of its own. I ended up writing the book more as a college textbook, that would take the reader from conception to conclusion of a professional penetration test. The impetus behind writing the book in this manner was that I needed a solid textbook to use in my own college classroom at Colorado Technical University, where I teach students how to conduct a professional penetration test. As a result, the book and DVD can be used independently from each other, or together to provide a deep understanding of penetration testing and methodologies.

What new things did you learn while writing the book? How did the technical reviewers help shape the material?
Jan Kanclirz, my technical editor, was extremely helpful in strengthening different aspects of the book. It is a great benefit to having multiple inputs into any project, especially a book. Everyone tends to get myopic when working on a specific task, which is why I promote a more agile approach to projects, not just writing books.

What are your future plans? Any new books in the works?
I am a big believer in giving back to the hacker community, and plan on writing more, offer more security training classes, as well as expand on my current Open Source projects. I feel that hacking in general, and penetration testing specifically, are worthwhile causes that need more positive media attention. We’ll see what comes of that in the near future.