Stephen Sims works at Wells Fargo in San Francisco as a security architect and is a certified instructor for the SANS Institute. In this interview he discusses the prerequisites for penetration testing, the ethical considerations surrounding the job, IT security certifications as well as his training course at SANS Secure Europe Amsterdam 2011.
Many entering the field of computer security are fascinated with the prospect of working as penetration testers. In your opinion, what are the prerequisites one has to possess in order to become good at this job?
Many consider penetration testing to be the sexy side of information security. There has certainly been a huge increase in interest by both information security professionals and companies seeking testing. In my opinion, there are a wide range of prerequisite skills that can help to make up a great penetration tester.
Certainly, exposure to a wide range of technology and experience working in many positions is invaluable. Often, penetration tests are under tight deadlines and budgets. Those with the experience and skills to jump right in without having to perform much research on the technology they are testing will have more time to focus on the actual testing. If you have to Google everything then the scope of the test will likely be affected.
A question that often comes up is whether or not penetration testers need to have programming experience. There are certainly different types of penetration tests, each benefiting from fundamental knowledge, as well as specialized skills. Experience with a scripting language such as Python, Perl, and Ruby will absolutely make your life easier during many types of testing. In some cases it is not required at all as many penetration testing frameworks do the majority of the work for you.
Again, this all depends on the scope of the testing. When getting more into product security testing, proprietary encryption algorithms, obscure and proprietary protocols, 0-day bug hunting, patch reversing, and when dealing with various operating system and compiler protections, programming experience becomes a requirement. Experience with reverse engineering is also a valuable skill. I would have to say that creativity is a large factor in a good tester.
The ability to think outside of the box and design solutions to complex problems is important. As a professional, a tester must also be really good at documenting the test process, explaining the findings, and communicating their business implications so that our work can help improve the security of the target organization.
What are the main ethical concerns surrounding penetration testing?
The word “hacker” has often carried a negative connotation in some people’s minds, hence the term “Ethical Hacker.” Every company, government, and other institution has a requirement to protect sensitive data. This is driven by a wide range of factors, from regulatory compliance and the protection of financial and medical data to intellectual property and military data classification models. Just as many companies enforce principles such as “need to know” and “principle of least privilege,” the same concepts must be applied to penetration testing.
This is most often accomplished through the rules of engagement, statement of work (SOW), and scoping processes. These are artifacts which dictate everything involved in the testing, such as the types of systems being tested, systems which should not be tested, the depth of testing, the hours of testing, information on the actual testers, and many, many other details. This helps to ensure that the testers fully understand how to stay within the confines of the test plan, and also helps protect the company being tested from falling victim to scope creep. Many penetration testers undergo background investigations to help ensure a candidate is a good fit for a company.
Many are wondering if certifications related to ethical hacking are worth the money. What’s your take on being certified?
I have honestly gone up and down on this topic many times. I think that some certifications and their governing bodies are great, while others have commoditized the technology certification process solely for profit. I think that the Global Information Assurance Certification (GIAC) program and the Council of Registered Ethical Security Testers (CREST) are examples of testing entities that care deeply about the integrity of the certification process.
As someone who has hired, or been involved in the decision-making process of hiring candidates, I can honestly say that there are many factors that play into the process. Experience is certainly one of the largest factors in the process. Degrees and certifications are great, but a candidate has to have the essential skills, the ability to back them up, and the ability to work under pressure. Some candidates do not interview well, and certifications can help their resume rise to the top of the stack.
I think it is a common thought that those professionals who take the time to study and take certifications demonstrate a strong work ethic, and are proud of their profession. Many companies get a very large number of resumes for an open position, especially in the penetration testing field. It is common that the recruiters will filter out candidates who do not possess a desired certification. I suggest finding some good certifications that reflect your skill-set and what you want to be doing, and going for them!
What does your SANS training course look like? What skills can attendees expect to acquire?
SANS Security 660, Advanced Penetration Testing, Exploits, and Ethical Hacking is a course written by Josh Wright, Bryce Galbraith, and me, with contributions from Pieter Danhieux. As the lead author, I worked closely with Ed Skoudis and the rest of the team to identify the skills required to work as a senior-level penetration tester. SANS Security 560, Network Penetration Testing, was written by Ed and is an essential course for any penetration tester. It covers a wide range of skills necessary to perform almost any type of test. Security 660 builds off of Security 560, with a focus on some specific areas.
Day one focuses on Windows Domain Attacks and the skills needed to gain complete control of an enterprise domain within hours. Insider testing to mimic that of an employee, contractor, or vendor is growing in popularity. Many penetration testers do not know what to do once gaining access to a system. This day focuses on leveraging even the smallest amount of access with the goal of getting the keys to the kingdom.
Day two jumps into advanced network attacks. We take a look at identifying and defeating network admission control (NAC), man-in-the-middle attacks against encrypted sessions, leveraging weak simple network management protocol (SNMP) configurations, routing protocol attacks, virtual local area network (VLAN) hopping and much more.
Day three dives into Python scripting, packet crafting with Scapy, fuzz testing, and how to approach penetration testing against encryption algorithms. Days four (Linux) and five (Windows) get heavily into bug discovery and exploit-writing. We live in software debuggers for these days, focusing on how to write your own buffer overflows against proprietary and commercial applications, and how to defeat modern operating system controls such as address space layout randomization (ASLR), data execution prevention (DEP), security cookies and canaries, as well as others.
Each day is full of exercises and labs against live networks. Day six is the final day, which serves as a capture-the-flag game. It allows students to put their skills to the test against sixteen challenges based on the topics covered in the course. Interested students can contact me at firstname.lastname@example.org with any questions.
For more information about SANS training in Amsterdam go here.