Cyber Security
Who is the most offensive tester in the room? Talking of Offensive Individuals - Penetration Testers
By James Wooton

My love of hacking systems came from way back, before penetration testing was ever coined as a profession or term. With a timeline that looked something like: zx80, Vic20, BBC Micro and then onto early IBMs (XT, AT, PS/2) and SPARC systems, I’ve hacked them all. It was around 1996 that I officially became a penetration tester, a job title that for many years has left people looking at me blankly, until you say ‘hacker.’ Then they get excited for a few seconds, before glazing over again. To be fair, jokes in binary are very dry (00100001).

To put things into perspective, this was the time of Phrack, with hacker antics punctuated by articles such as ‘Smashing the stack for fun and profit’, written by aleph1. It was also the era of the hand-rolled Linux 1.X kernel, with flaky support, in a time when it seemed PCMCIA support would forever require source code modifications and compilation, especially if you wanted a wireless network card to work.

Jumping forward twenty years, I think I’ve now established my credentials and that I’ve worked with penetration testers just about all my working life, and yes, while I’m older and greyer (acknowledge what’s left of my hair, that is), one thing that has always irked me about our craft is why so few testers can write a decent report, discussing all the fun they’ve had. Just the other day, whilst reading through a less-than-average report, fortunately not produced by one of my team, I mused, “What combination of skills and quirks make for an exceptional penetration tester?” And when you find someone with all the skills, how do you manage them, given they are often complicated individuals with very specific needs?

42 | Australian Cyber Security Magazine

Looking at skills first, this is not an easy question to answer and until an autonomous ice-cream tub takes over the reins and competently tests your networks and applications, it’s a question that most information, risk and compliance managers, or indeed hiring managers, should be considering, because not all pen testers are born or created equal. Let’s list the attributes we’re looking for in such an individual:

• Anally retentive;
• Won’t take no for an answer;
• Thinks in binary;
• Has no social life outside of testing, research and tinkering;
• Dismantled all their presents before lunchtime on Christmas day;
• Works 25 hours per day, not including Red Bull or caffeine breaks – or if you’re in the U.S. then Adderall;
• Rarely comes up with the answer you’d expect, to pretty much any question;