A day in the life of our penetration testers
A Q&A session with our pen testers
Our team of penetration testers arguably have the most interesting and exciting roles within the business, or perhaps, in the world. From robbing banks to breaking and entering, pen testing isn’t your typical desk job. So we’ve asked them to share some of their most interesting stories to really give you career envy!
Let’s see what we can find out about a day in the life of a pen tester:
What are some of the more interesting projects you have worked on?
Penetration testing is about thinking on your feet. When I arrived at a site test that wasn’t intended to be a red team exercise, but I was presented with an easy in, I took the opportunity to highlight this weakness! Before you know it, I was standing in the office of my contact and connected to their internet. It was fun to see their confused and disappointed look as I greeted them into their own office.
It’s quite a thrill to find a really critical weakness. I once performed an external infrastructure assessment and found a login screen to a service I had not seen before. I was able to extract the password and log in to find the main administration panel - which controlled the physical machinery for all of the client’s factories. It even had a big red off switch!
I love chaining simple vulnerabilities together to achieve a significant impact. I was once on a job for a bank in Europe where we managed to chain a number of simple problems together to transfer funds out of a targeted account. We were literally able to rob a bank! Things like that really make you love your job.
I’ve worked on a ‘vishing’ job where we called and convinced the head of HR to open a malicious CV as part of a job application. We researched what vacancies they had and tailored our script accordingly to convince her to open the bogus CV attachment. Easy win for us!
What’s your best/worst security story?
After discovering outrageous issues during a penetration test, the company had to make drastic changes to avoid potential dissolvement. This included letting someone go who could have caused severe financial, legal and reputational consequences for the business. Security really is that critical to the success of a business, so ensure you and your staff understand the risks before it’s too late.
My favourite story is when I found a very critical system that the IT department didn’t even know existed. I walked across the whole site to find it, and it turned out to be a very outdated server plugged in the corner of an old printer room. It was a system that could have easily taken down the whole network.
During an internal infrastructure test we found evidence that the customer had actually already been compromised. Although alarmed at first, the customer went on to invest far more heavily in their internal security and monitoring moving forward, so it worked out for the better!
If you could fix a security bug over night across the world what would it be?
It would be user awareness. We are moving at a very quick pace towards more secure systems, and while there will always be new bugs and exploits, the easiest way into a company is through its employees.
It’s a tough one but one that takes minimum effort yet delivers maximum effect would be to stop people using default credentials. It is so easy to bypass default credentials you may as well not even be using a password.
To continue what Jordan has said, I would say the enforcement of complex passwords. Businesses often employ security best practices but don’t enforce users to secure their accounts properly. Vast security efforts can be completely sidestepped by an attacker if they compromise an account with a weak password.
What’s your favourite pen test type and why?
I like to work on a blend of everything really as it gives me the opportunity to constantly learn new technologies and exploitation tactics.
I find web apps the most enjoyable. Firstly, because web apps are so ubiquitous now that they are found in all sorts of applications. Secondly, because this is my largest skillset so I get to try many more avenues of investigation during testing.
Web apps are also my favourite. I enjoy identifying attack vectors and they give a better opportunity to chain insignificant vulnerabilities together to achieve one bigger impact!
I personally enjoy infrastructure type testing. It’s far more tangible than web app testing, and untangling permissions can be like working on a puzzle.
What’s the most rewarding/challenging part of your job?
It really makes my job rewarding when a customer takes a retest and there is evidence that they have taken on board the remediation advice offered from the original test, and their environment is noticeably more secure. It means it was a job well done.
One of the most challenging aspects is the amount of new and complex technologies we are exposed to, which we must research in depth in order to understand the mechanics of how it works and how it could be exploited by malicious actors. Learning new things is rewarding though and keeps everyday in my job exciting.
The most rewarding aspect of the role is working with customers who are pro-active about their security. It’s great when a customer ‘gets it’ and they’re excited about interesting vulnerabilities that we’ve discovered.
Can you describe being a pen tester at Bulletproof in 3 words?
Great team effort.
Super talented team.
Everyday is different.
The team rocks.
How can you become a penetration tester?
If you have an interest in technologies and want to bring positive changes to businesses and their security, then penetration testing could be the career for you. A Bachelor’s degree in Computer Science or similar is a typical entry point, and there are even Ethical Hacking courses you can now undertake. You can also help to elevate yourself with diplomas and certifications such as CREST or Tigerscheme, as well as hands-on experience working with apps and networks.
Penetration testing is a fun and rewarding job. Our team is made up of people from all levels and skillsets. From graduates, to senior pen testers and team leaders. Each of them brings their own flare to the team and enables us to deliver varied and thorough tests for our customers. In a role that can be both challenging and rewarding, the team are driven by their mission to help businesses stay secure. With new technologies and attack methods arising, penetration testing provides a constant learning opportunity but the team are always ready to deliver.
Our experts are the ones to trust when it comes to your cyber security
ISO 27001 and 9001 certified
Tigerscheme qualified testers
PCI DSS v3.2 Level 1
24/7 on-site Security
Get a quote today
If you’re interested in our services, get a free, no obligation quote today by filling out the form below.