Just as schools and workplaces test fire alarm systems throughout the year, companies conduct penetration testing, or pen testing, to confirm that their security controls adequately protect their networks, systems, and facilities. Pen testing isn’t just a means of bolstering shareholder confidence or meeting industry standards; it’s also a way of preventing attacks through a proactive security policy. Looking to learn more about the pen test certification process? Our experts can help. Read on!
Pen Tester Responsibilities
Pen testing involves an ethical hacker, also known as a white-hat hacker, trying to break into systems and discover weaknesses. Companies hire these white-hat hackers to uncover vulnerabilities before black-hat hackers, threat actors with malicious intent, have the chance to exploit them. Pen testers often work in teams to identify weaknesses and, even more importantly, to recommend fixes. By proactively testing systems, physical security, and applications, companies seek to avoid costly breaches that can lead to legal issues and a loss of consumer trust.
Steps to Become a Pen Tester
- Obtain a degree related to IT or cybersecurity – While a degree is not always necessary, it helps to have a technical background on which to build. Understanding operating systems, programming languages, network tools, and computer hardware and software then allows individuals to specialize their skill set, such as in pen testing.
- Hone your analytical skills – Breaking into systems and applications requires analytical skills and creativity. Pen testers are not tasked with finding the obvious weaknesses, but rather the vulnerabilities that are harder to find and more damaging.
- Accumulate experience – While applicants can take and pass many certification exams in a single day, they need hands-on experience to become professional pen testers. Junior pen testers usually have between one and four years of experience in security or network administration before pursuing pen testing certifications.
- Obtain official certifications – Once an individual has completed training, passing official pen testing exams demonstrates competency, although the learning never stops. When seeking a job as a pen tester, certifications are a standard requirement.
Pen Testing Certification
Rather than hiring a third party to conduct pen testing, companies can pursue many options and levels of certification for internal teams. Remember, however, that a single certification does not equate to proficiency. Hacking is highly dynamic, and the techniques used evolve as threats evolve. Thus, certification usually involves several credentials earned over a span of months or years. As outlined below, many options exist, from less intensive overviews for beginners to demanding practical certifications for advanced individuals.
Beginner Pen Test Certifications
Certified Ethical Hacker Certification (CEH) – This exam consists of 125 questions given over roughly four hours and is administered by EC-Council. To show a real grasp of tactics, individuals can opt to take an additional six-hour practical test. To pass, an individual must demonstrate knowledge of common hacking and malware tactics.
Global Information Assurance Certification (GPEN) – This three-hour, multiple-choice test requires a proctor and goes beyond pen testing tactics alone, also covering the legal ramifications of pen testing.
Certified Penetration Tester (CPT) – This certification is composed of two parts: a 50-question, multiple-choice exam and a practical exam. Unlike the CEH, the practical section is not optional, but an individual has 30 days to complete it. The Information Assurance Certification Review Board (IACRB) offers the exam in numerous locations around the world or will provide a proctor for groups of 10 or more, which is ideal for companies seeking to train an internal team. Because of the dynamic nature of technology, this certification is only valid for four years.
Intermediate Pen Test Certifications
PenTest+ – The non-profit Computing Technology Industry Association (CompTIA) offers the PenTest+ certification for those seeking to demonstrate greater proficiency in pen testing. The test is taken at Pearson VUE testing centers, which are controlled computing centers that cater to academic and industry technical testing. The 2.75-hour test includes 85 practical and multiple-choice questions and requires individuals not only to find system weaknesses but also to suggest security enhancements.
EC-Council Certified Security Analyst (ECSA) – The well-respected EC-Council offers several tests for different experience levels. The more intensive ECSA certification entails a four-hour, 150-question, multiple-choice exam and a 12-hour practical exam. The unique part of this exam is the 12-hour practical section, in which an individual is given an actual company’s network to test. During the practical section, individuals must demonstrate pen testing proficiency, such as system scanning and vulnerability analysis.
Certified Expert Penetration Tester (CEPT) – This exam, offered by the IACRB, consists of a two-hour, 50-question, multiple-choice exam and a practical section. CEPT focuses heavily on an individual’s ability to work with shellcode and exploit code and to reverse engineer attacks.
Licensed Penetration Tester (LPT) – Offered by EC-Council, the LPT is an 18-hour practical exam. Once achieved, an LPT certificate signifies that an individual has attained the status of a true expert in pen testing.
Offensive Security Certified Professional (OSCP) – This 24-hour exam presents test takers with a real-world scenario. In order to pass, candidates must collect network information and compose a thorough report on their vulnerability findings, along with screenshot proof. The more intricate the vulnerabilities a candidate finds and the higher the level of access achieved, the more points are awarded.
Offensive Security Certified Expert (OSCE) – Offensive Security’s intensive 48-hour exam is designed to prove a candidate’s capability of dealing with real-world scenarios. The test encourages creativity to evade antivirus software and identify lesser-known vulnerabilities.
The Cost of Pen Test Certification
Prior to attempting any of the above certifications, individuals or teams will have to take training courses. These can last anywhere from a week to several months, depending on the desired difficulty level. While some courses are free, others that provide more hands-on assistance are offered by third parties for a fee. In-person or in-office training is typically the most expensive option, while online courses are more affordable. For example, SANS Institute offers many online pen testing courses covering methodologies, tactical tools, and techniques, with each course specifying the certification it corresponds to.
According to Security Metrics, an externally conducted pen test costs between $15,000 and $30,000. The cost varies based on the complexity, methodology, experience, location (onsite or offsite), and remediation involved. Because of these high costs, investing in an internal pen test team may be fiscally savvy for large companies.
What’s the Value of Certification?
Trustworthiness – Becoming certified in pen testing solidifies an individual’s credibility. Many industry standards require technical evaluations, often on a yearly basis. However, some companies that claim to offer pen testing are really offering a vulnerability scan. Unlike pen testing, vulnerability scans typically rely on automated systems. Automated pen testing does exist, but it is usually coupled with human pen testing performed by a certified individual; this type of testing is much more dynamic and relies on situational details.
Consolidation – If companies choose, they can develop an in-house pen testing team, although there are both pros and cons to this approach. While the upfront costs, in terms of both time and money, are significant, the long-term benefits are compelling. Having an in-house pen testing team enables easier integration, quicker response to test requests, and reduced test costs. However, certifications are rarely a one-time affair; they require recertification, which costs time and sometimes money.
Experience – Even if companies aren’t developing in-house teams, having their employees take certification courses at any level promotes a better understanding of systems and networks. It also helps individuals appreciate the challenges that SMEs and CISOs face, so that when testing is in progress, employees may have more patience if problems arise.
Types of Pen Testing
All certification tests cover a range of pen testing types. Pen testing can be conducted on servers, networks, security devices, mobile networks, or software applications. Moreover, testing can be either manual or automated. Pen testing can be broken down into three general types: black-box testing, white-box testing, and gray-box testing.
Black-box testing requires more work on the part of the pen tester. Rather than receiving prior information on the systems and security capabilities in place, the tester must take a brute-force approach, discovering the environment and searching for the best vulnerabilities to exploit. To uncover vulnerabilities, pen testers may first use automated tools, and once a vulnerability is identified, switch to manual methods to see how far they can penetrate. Because the tester starts with no prior knowledge, this type of test is often described as a “trial and error” approach, and it takes significantly more time to conduct.
White-box testing gives pen testers access to the source code and software architecture of the client’s applications. Because pen testers do not begin blindly, they are able to conduct more thorough testing in a much shorter time frame. However, narrowing the scope of testing may prove difficult, so an open channel of communication with the client or CISO is beneficial.
Gray-box testing falls in the middle, giving pen testers a limited amount of information on source code and system architecture. Gray-box testing relies on both automated and manual testing, allowing pen testers to conduct more targeted campaigns. As a result, vulnerabilities and security holes that might be overlooked in white-box or black-box testing are more likely to be found.
Automated Pen Testing Tools
Certification tests deal largely with the manual aspect of pen testing, but understanding the automated options available is also important for those interested in maintaining pen testing expertise.
- Port Scanners – Ports are the communication endpoints through which hosts send and receive data. Port scanners collect information on remote environments, such as the network services available or the operating systems in use. These scanners can be thought of as a probe that looks for exposed endpoints that may carry vulnerabilities. Port scanners examine both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports.
- Vulnerability Scanners – In contrast to manual testing, which is based on situational decisions, these scanners search for known vulnerabilities. Vulnerability scanners are either network-based or host-based. Network-based scanners examine the network infrastructure and the targeted operating system for vulnerabilities, whereas host-based scanners examine the host’s source code and configuration, such as the operating system and installed software, to find back doors.
- Application Scanners – These scanners scrutinize web-based applications for weaknesses such as memory buffer overruns, cookie manipulation, SQL injection, and cross-site scripting (XSS).
- Web Application Assessment Proxy – Pen testers insert these proxies between a web browser and a web server, which allows them to capture and analyze the traffic passing between the two.
How to Choose a Tool
When determining which types of tools to purchase, companies should evaluate visibility, customizability, configurability, and license flexibility.
- Visibility – The results produced by pen testing tools must be understandable and transparent to both the pen test team and the client. Collected information is not helpful unless it can be translated into an understandable format, whether by the team or by the tool itself.
- Customizability – Every company has different needs, so choosing a tool that suits a company’s size and capabilities is essential.
- Configurability – If a company does not currently employ an experienced pen tester but still wants to implement a pen testing automated tool, identifying a tool that is easy to use and configure will simplify the process.
- License flexibility – Depending on the tool, some pen testing licenses may limit the IP addresses that can be scanned. This is not ideal when searching for all potential vulnerabilities.
Hiring a third party for pen testing is a viable option, especially for small and medium businesses. However, it’s still important to understand how penetration testing works. Another option is to train an internal team to conduct pen testing, which allows for greater agility when preparing for potential cybersecurity threats. If you need assistance determining what level of pen testing to complete, contact RSI Security today.