With a full-service 24/7 Security Operations Centre (SOC), we’re fortunate to attract some of the UK’s brightest Cyber Security talent.
So today, we’re taking a closer look at a day in the life of one of CyberOne's penetration testers, to get an insight into an elite pen tester’s training regime - and how they continue to learn the best ethical hacking techniques.
Just like training for a marathon, a lot of behind-the-scenes work goes into training and maintaining the most up-to-date cyber security skills that experienced penetration testers require.
Penetration Testing is a brilliant way to identify your biggest security threats quickly. However, in addition to detailed reports of exploitable security threats uncovered in a penetration test, you should also talk face-to-face with the pen tester and senior security team members.
So it is always important to recognise that you’re also paying for the pen tester's many years of security expertise and experience in addition to the actual penetration test and report.
So what goes into building the necessary skills - and staying up-to-date?
Well, we spoke to Joseph (not his real name), one of CyberOne's highest-rated Pen Testers with many years of experience.
Despite sitting behind a computer, Joseph treats his day like an elite athlete. Fuelled by a strong coffee, he starts his day by reviewing the overnight news, typically reviewing 50-100 articles.
Joseph starts...
“There could be information about security breaches that have happened, or it could be information about newly discovered vulnerabilities and exploits. Recently, there was a major new Oracle exploit and a new Microsoft one yesterday, too.”
“There could be information about security breaches that have happened, or it could be information about newly discovered vulnerabilities and exploits.”
If he’s not on engagement, he also spends time on Capture the Flag (CTF) missions. No, it's ot the game you played in the woods as kids, but specially configured servers with baked-in hidden vulnerabilities.
Teams then compete in a race to identify and exploit security vulnerabilities, pitted against teams from around the world. It's good fun, but it's also a fantastic way to learn from others.
“There are four of us in my team, and they’re a lot more fun when more people are involved. With multiple people, you can bounce ideas off each other, and people have different knowledge.”
“There are four of us in my team, and they’re a lot more fun when more people are involved. With multiple people, you can bounce ideas off each other, and people have different knowledge.”
“The other day, I was working with a hacker friend - on a VPN with my spare laptop - and asked him to take me around.”
“Within half an hour, he’d found something I’d initially overlooked, which led us to a whole bunch of user passwords, which is the initial foothold you need to start creating problems inside a network - if you had malicious intentions, at least.”
“Then, once you’ve got user privileges, you can start to escalate those privileges and look for admin rights, which will let you perform much more damaging acts in a network.”
“The speed at which you can do this varies massively, and in the real world is a very good indicator of the strength of an organisation’s defences.”
After lunch, Joseph needs to start on several administrative tasks in the afternoon.
“I’m really bad with scheduling. It’s easy to overlook the admin time it takes to get scoping calls done with a new client, NDAs signed, or a Statement of Works agreed and signed off.”
“It’s easy to overlook the admin time it takes to get scoping calls done with a new client... NDAs signed, or a Statement of Works agreed and signed off.”
After that, it’s important to stay up to date with new infrastructure, too, so Joseph always spends an hour or so understanding infrastructure configurations or looking at newly released CPD materials from Cyber Essentials, CREST and other accredited providers.
As Joseph spends most of his time on-site with clients, it is naturally important to make the most of his “free” time, always aware that continual development and learning are essential to the job. And that’s his training done for the day. Phew!
Like our personal careers, success is achieved through hard work and continual development, just like a professional athlete. What happens on race day is down to the many hours of focused training each athlete endures - aeration testing is no different.
Training, practice and hours of reading all corm a crucial part of the pen tester’s skillset - which is what you’re paying for (as a client) - to ensure your network defences are rigorously tested.