Network penetration testers hack into an organization’s systems to uncover security vulnerabilities. Not surprisingly, they need a strong sense of curiosity, says Charles Tendell, founder and CEO of Denver-based Azorian Cyber Security, a professional penetration testing company.
In the wake of high profile breaches at the likes of Target and IBM, demand for penetration testers is up, Tendell says. Large companies are adding resources in-house, even as smaller specialty firms crop up. If you’re looking to interview with one, expect a ton of scenario-based questions.
Though you might think penetration testing involves only sitting at a computer, communication skills are necessary. “You can be technically excellent, but if you can’t translate that into understanding the business risks and how to remediate them, then there’s a problem,” explains Ed Skoudis, founder of CounterHack in Wall Township, N.J., and a SANS Institute penetration test curriculum lead and course author. Successful penetration testers can earn anywhere from $75,000 to $110,000, with senior professionals making $125,000 or more.
Here are some of the basic questions you may be asked during an interview.
What’s the main goal of a penetration test?
- What Most People Say: “My role is to find ways to successfully exploit flaws in computer systems, networks and software.”
- What You Should Say: “Penetration testing is all about a better understanding of risk and helping to improve the security stance of the organization. We find flaws and safely demonstrate their potential impact. Some organizations scope a project to measure whether penetration testers can achieve a level of access that shows an important business risk, a task referred to as ‘goal-oriented penetration testing.’ Then, a penetration tester explains the business risk, devises technical, procedural and policy mitigations, and helps the organization understand how to apply them to operations. Finding and exploiting flaws is just one step of how penetration testers provide real business value.”
- Why You Should Say It: While it’s smart to show your tech chops, employers want to know that you understand business risk. Make it clear you have a deep understanding of information security testing tools, but also be sure to map technical risk to business risk when you talk.
Describe for me an SQL injection attack and the risk that it poses to a website.
- What Most People Say: “SQL injection involves inserting SQL database statements along with user input to a target Web server. Due to a flaw in the Web application, the system pushes the SQL to the database, where it runs. Attackers can use this to extract data from the database—a high risk.”
- What You Should Say: “An SQL injection is a significant attack vector on the Internet, with numerous websites remaining vulnerable despite well-known defenses. The attacker includes SQL database statements in various types of user input and other variables that come from the browser such as form fields, cookies and URL variables. Because the Web application doesn’t properly filter out this extraneous input, it gets passed to the database server, where it runs.
When the injected SQL runs, it can have a variety of impacts on the database. It could be used to grab data, although pulling large amounts of sensitive data in a penetration test, such as Personally Identifiable Information, should be avoided. The pen tester wouldn’t want to have such data in his or her possession, so pulling only a small number of sample records and merely counting the total number of records is wiser.
Beyond pulling data, SQL injection can be used to alter the data or insert records into the database. There’s risk for a penetration tester to alter the database, too, so it must be done carefully so as not to taint the data, and only when allowed by the rules of engagement.
Finally, an SQL injection flaw can often be used to get remote shell access of the database. Such access not only allows for control of the database, but lets that system be used as a pivot point for penetration deeper into the environment.”
- Why You Should Say It: Craft your response to technical questions by explaining different attack methods and their results, always with a focus on the risks you identify. Just throwing out technical descriptions, without a proper description of their risk, might indicate that you don’t understand the business context of the attack vector and are just familiar with the technical issue. You should be familiar with the different major attack vectors used in penetration testing today, and how each can be applied in different ways to demonstrate business risk to the organization.
Walk me through the enumeration of a Web server and a few typical applications. Say the server is Apache running a CMS such as WordPress or Joomla. How would you find the admin account and their contact information?
- What Most People Say: “I’d review the website for technical contact information. Perhaps pull the registration information.”
- What You Should Say: “I would review the site for any email addresses, use Google to search the site and any cached or archived versions that might have an email address. I would then pull the Whois history as far back as I can to see if there were any addresses there. Then I would run a foot-printing tool against the website to see if I can get it to dump the admin username.”
- Why You Should Say It: It shows you’re thinking about modern attack types and aren’t stuck on old tactics. It also shows that your train of thought isn’t limited to one single option.
Give me three ways you’d find the hosting company for a website using a DDoS mitigation service like CloudFlare?
- What Most People Say: “There are CloudFlare resolvers online that I can use for that.”
- What You Should Say: “There are tools online that you can use to resolve CloudFlare IP addresses. But if you can use the site itself to send you an email, it will typically provide you with the server’s SMTP address on the email header, which typically is the same address. You can also use IP and hosting history tools to see how many times it’s moved or been changed.”
- Why You Should Say It: Again, it shows your ability to think on your feet and adapt to challenges.