A penetration tester stands by a window, looking at a tablet and smiling.

How to Become a Penetration Tester


One of America’s biggest cyber security companies has recently been hacked. Could it be the work of an aspiring penetration tester taking a black hat approach to applying for a job?

FireEye, a company that usually uses penetration testers to secure the digital assets of other companies, isn’t the first cyber security firm to experience a cyber attack. It joins Bit9, Kaspersky Lab and RSA in highlighting the need for more white hat penetration testers around the world.

According to PwC, 85 per cent of CEOs in Australia see cyber security flaws as the greatest threat to business, even during the ongoing COVID-19 pandemic. In fact, with the shift to working from home and the increase in online collaboration, this focus on cyber security is likely to rise.

It’s no surprise that the number of people working in cyber security is expected to grow very strongly over the next five years. You’ll definitely find it easier to get into a role as a penetration tester than to hack your way into a cyber security organisation.

Let’s take a closer look at the right way to become a penetration tester.

What does a penetration tester do?

A penetration tester (or pen tester) is someone who assesses the weak points across organisational networks and devices and simulates real attacks to gain access to networks and systems. Their job is to help organisations avoid threats and security breaches by finding system vulnerabilities before cyber-criminals do.

Rhiannon Nee-Salvador is a penetration tester at Commonwealth Bank. As a lover of games like Dungeons and Dragons, she enjoys searching for vulnerabilities in computer networks and websites.

“I’ll poke around the site to see what it does and if I can ‘break’ anything. My work also involves capturing traffic, analysing HTML and other web code, and writing reports about what I find,” says Rhiannon.

“We try to use the same tools as real-world attackers, which means my work computer is full of hacker tools!”

On the other side of the world, John Treen is a penetration tester in the UK. He describes his role as ethical hacking.

“It's all about trying to get full control of a network, by gaining access and privileges and then informing a business on how to improve their security measures,” says John.

One of John's roles has been to work as part of a red team to create simulated attacks on businesses. In addition to identifying weaknesses in networks, information systems and software, this involves sending phishing emails to employees to test their cyber security awareness.

A penetration tester is standing in a room with lots of computers. She is using a tablet and concentrating on her work.

Work on your technical skills

In addition to hacking software, Rhiannon's laptop is set up with virtual machines, which are apps that provide the functionality of a completely separate computer. Using technology like this in penetration testing requires some specific technical skills, covering security tools, programming languages, and computer systems and networks.

Security tools

Once you’re set up with a virtual machine or two, you can put your penetration testing know-how to the test with security tools like these:

  • Kali Linux – an operating system that has over 600 pre-installed penetration-testing programs, including all of the other tools on this list.
  • Burp Suite – a collection of tools for testing web applications.
  • Metasploit Framework – part of the Metasploit Project, which has been created by a cyber security organisation in the USA called Rapid7. With Metasploit you can write and execute exploit code against a remote target.
  • Nessus – a broad-based vulnerability scanner that can be used on devices, operating systems, servers, databases and other critical infrastructure. It can identify default passwords that haven’t been changed, denial of service vulnerabilities, missing security patches and more.
  • Nmap (Network Mapper) – a free and open source tool for probing networks to discover hosts and services.
  • Wireshark – a network security troubleshooting tool that looks at the data traffic and analyses packets while they are in transit or retrospectively.

Programming languages

You don’t have to be a top-level coder or software developer, but having an understanding of a number of programming languages will be to your advantage.

Proficiency in both scripting and web development languages is highly desirable as a penetration tester, so consider gaining skills in a couple of the following:

Scripting languages

  • Bash
  • Python
  • Perl
  • PHP
  • Ruby

Web development

  • HTML
  • CSS
  • JavaScript
  • SQL 
  • ASP.NET

Computer systems and networks

Many penetration testers move into this specialised field after spending some time as system administrators and network engineers. That’s because a deep understanding of systems and networks methodology gives you a head start on understanding their vulnerabilities.

Working with computer systems and networks also gives you an eagle-eye view of how employees interact with networks. While weak passwords and missing security patches can compromise networks, often it’s very human mistakes that create the greatest risk.

Pen testers also need soft skills

Hackers and pen testers like John often use more soft skills than hard skills to test the vulnerabilities of organisations through social engineering. Crafting realistic but fake emails that convince the receiver to click on a link that activates malware is more about communication than penetration.

“As you move into industry, we need people who can communicate, educate, guide and improve the organisation’s cyber posture. You must enhance the governance procedures and develop new approaches to cyber security that don't just rely on technology,” explains Associate Professor Paul Haskell-Dowland. As Associate Dean of Computing and Security in the School of Science at Edith Cowan University (ECU), Paul sees a vital role for both soft and technical skills.

“If all we're doing is relying on a firewall or intrusion detection system, people will find ways around it – or people will incorrectly configure it. Attackers are always looking for the easy way in,” says Paul.

While it may not be easy, developing communication skills (particularly listening), problem-solving skills and leadership can pay great dividends in your role as a penetration tester.

ECU's Associate Professor Paul Haskell-Dowland stands in front of large computer screens featuring world maps and graphs.

Associate Professor Paul Haskell-Dowland, Associate Dean of Computing and Security in the School of Science at Edith Cowan University (ECU)

ECU’s Master of Cyber Security gives you a competitive edge

In the past, penetration testers were often reformed cyber-criminals who became ethical hackers to work with organisations and use their powers for good, rather than evil. Today, employers are more likely to favour candidates with a specialised cyber security qualification. And that’s not the only thing that’s changed.

“Over the last few years, we've seen a significant evolution of the threats that organisations are facing and that has triggered an evolution of the courses that we have offered,” explains Paul.

While it still maintains a significant focus on technology, ECU’s Master of Cyber Security has moved away from the traditional deep technical focus on networking and computer operating systems.

“We've evolved into areas of digital forensics, ethical hacking and penetration testing. We’re also looking at higher level issues of governance and in particular legislation – asking questions like, ‘how does the legal framework impact on cyber security?’”

In fact, ECU’s Master of Cyber Security devotes an entire unit to Ethical Hacking and Defence. You’ll develop an understanding of the techniques used to penetrate secure systems so that you can demonstrate vulnerabilities – then identify the steps to reduce the risk of attack.

According to PwC, over the past five years 83 per cent of Australian CEOs have consistently been more concerned about cyber security vulnerabilities having a negative impact on growth. Meanwhile, only 69 per cent of their global peers hold similar fears. This suggests that there’s greater demand in Australia for cyber security experts who have the advanced skills provided by ECU’s Master of Cyber Security.

Penetrate the cyber security industry through networking

Whether you’re planning to upgrade your cyber security qualifications, or already into your studies, you can fast-track your way to a role as a penetration tester by networking with those already in the industry. But don’t worry – you won’t need to print business cards and polish your elevator pitch for an awkward gathering with strangers.

Networking in information technology circles is not only fun and practical – it usually serves a purpose, and often takes the form of a hackathon or Capture the Flag (CTF) event.

A hackathon – a portmanteau of ‘hack’ and ‘marathon’ – challenges teams to develop exceptional ideas and bring them to reality in a timed race of innovation. The hack is an inventive idea, and the marathon is a short but sustained and often gruelling process.

Anand Oswal is Senior Vice President of Engineering in Network Engineering Business at Cisco in the United States and he’s a big fan of hackathons.

Anand identifies two of the major benefits of hackathons as learning to recover from failures quickly and thinking outside your domain. But his number one reason for going to hackathons is for teamwork and collaboration.

“In a hackathon, teams consist of individuals with a variety of experiences – coding, UX and product marketing. In many cases, the individuals in a team have not worked together before, leading to new learning experiences and an opening of the mind to new paths of attacking problems,” says Anand.

A CTF is a competition that challenges teams to solve cyber security problems or attack and defend network systems. Players gain points for winning challenges, and the player or team with the most points at the end wins the competition, earning serious kudos in the process. These competitions can take place over a few hours or even over a few days, and can be in-person or online, so you can collaborate with cyber security experts from all over the world.

At the recent inaugural Country-to-Country Capture the Flag, ECU student Tarun Patel led the winning team to victory in a series of challenges that tested participants’ skills in techniques like reverse engineering, cryptography and scripting.

At cyber security networking events, not only can you practise your skills, but you can also make connections that can teach you more about pen testing and support your career for many years to come.

A cyber security team of men and women are sitting at a table. They are looking at their laptops and talking, concentrating on their work.

Working as a penetration tester can open doors in the cyber security industry

Of course, becoming a pen tester isn’t necessarily the final stop in your cyber security career path. While the average salary for penetration testers in Australia is $90,472, that can rise to $122,000 with five years of experience or more under your belt.

Whether you come from a background in networking, software development or systems engineering, the next stop after pen tester is cyber security architect or engineer. According to Payscale, senior roles like these are attracting salaries in Australia up to $182,000.

With ECU’s Master of Cyber Security behind you, your position as a penetration tester can open doors to roles like Information Security Manager, Senior Security Consultant and more. The field of cyber security is constantly evolving and the roles available to cyber security experts continue to grow.

Take the first step in your career as a penetration tester with a Master of Cyber Security from ECU.