So, you want to be a pen-tester, a.k.a. white-hat hacker. Penetration testers protect an IT infrastructure from malicious hackers by simulating real-world attacks to identify possible entry points for beaches, weaknesses in systems and organizational structures, deficiencies in policies and training. They aim to ensure an organization takes preventive, corrective, and protective measures to safeguard at-risk systems even before a malicious attacker attempts to breach them.
Penetration testing is a rapidly growing field with lucrative job opportunities, ideal for those with the right aptitude and passion for increasing the safety and security of network connected systems (computers and devices) to prevent others from attacking it. Employing penetration testing with the clients’ permission to understand any weaknesses and vulnerabilities of a system is far from the glamorous activity often portrayed in many movies, but it still is an interesting and challenging profession that requires a solid theoretical foundation and hands-on experience, as well as creativity, resourcefulness, and flexibility.
A Career in Penetration Testing
So, what does it take to be a pen-tester? First and foremost, a professional ethical hacker needs crucial soft-skills. They need to be good problem solvers, for example; this is important to find the appropriate solutions for any possible security issue identified. However, they also need vision and imagination, to find all possible ways an attacker might try to compromise systems. Excellent communication skills are also important to deliver findings and solutions to a client who might not have technical expertise. So, how can this be achieved? Through continuous education which is also essential. As the threats scenario is in continuing evolution so must be the skills and knowledge of those that work hard to oppose the systems’ intruders.
A solid theoretical foundation is however also needed. However, to make penetration testing a career it might not be essential to be a college graduate in IT subjects, as pentesters come from very different walks of like and, although they all share technical abilities and passion for InfoSec, the way they acquired their knowledge might be very different: from formal college education to self-study or Internet participation in hacking groups for self-interest.
A career in penetration testing, as seen, however, requires much training, so it is fundamental for ethical hackers to find options to keep updated in the field. Courses, workshops, and conferences (essential for information sharing with other EH enthusiasts) are great ways, but professional qualifications are essential to prove their knowledge, essential skills, and the drive to succeed when they meet potential employers. It is obviously important to choose the right industry-recognized practiced certification, like PenTest+, a brand-new CompTIA option for professionals tasked with penetration testing and vulnerability management.
The CompTIA PenTest+ Exam
As Steven Ostrowski, CompTIA Director, Corporate Communications, mentioned about the beta exam version of CompTIA PenTest+ (in a press release): “Individuals are tested in five technical areas related to penetration testing: planning and scoping; information gathering and vulnerability identification; attacks and exploits; penetration testing tools; and reporting and communication.”
Geared towards professionals with intermediate skills, the exam will be performance-based and include a practical aspect thanks to hands-on simulations that will test professionals on penetration testing tasks and vulnerability assessment techniques. It will however also include multiple-choice questions to test the all-important theoretical knowledge as well as communication and management skills. In fact, as stated on the CompTIA website: “CompTIA PenTest+ is the only penetration testing exam taken at a Pearson VUE testing center with both hands-on, performance-based questions and multiple-choice, to ensure each candidate possesses the skills, knowledge, and ability to perform tasks on systems.”
The CompTIA PenTest+ Certification Exam Objectives will certify the successful candidate has the knowledge and skills required to:
- Plan and scope an assessment
- Understand legal and compliance requirements
- Perform vulnerability scanning and penetration testing using appropriate tools and techniques related to a penetration test
- Analyze the results then report writing and handling best practices
The exam domains will be as follows:
-
Planning and Scoping (15%)
- Explain the importance of planning for an engagement
- Explain key legal concepts
- Explain the importance of scoping an engagement properly
- Explain the key aspects of compliance-based assessments
-
Information Gathering and Vulnerability Identification (22%)
- Given a scenario, conduct information gathering using appropriate techniques
- Given a scenario, perform a vulnerability scan
- Given a scenario, analyze vulnerability scan results
- Explain the process of leveraging information to prepare for exploitation
- Explain weaknesses related to specialized systems
-
Attacks and Exploits (30%)
- Compare and contrast social engineering attacks
- Given a scenario, exploit network-based vulnerabilities
- Given a scenario, exploit wireless and RF-based vulnerabilities
- Given a scenario, exploit application-based vulnerabilities
- Given a scenario, exploit local host vulnerabilities
- Summarize physical security attacks related to facilities
- Given a scenario, perform post-exploitation techniques
-
Penetration Testing Tools (17%)
- Given a scenario, use Nmap to conduct information gathering exercises
- Compare and contrast various use cases of tools
- Given a scenario, analyze tool output or data related to a penetration test
- Given a scenario, analyze a basic script (limited to Bash, Python, Ruby, and PowerShell)
-
Reporting and Communication (16%)
- Given a scenario, use report writing and handling best practices
- Explain post-report delivery activities
- Given a scenario, recommend mitigation strategies for discovered vulnerabilities
- Explain the importance of communication during the penetration testing process
Candidates will be asked to answer a maximum of 80 multiple choice and performance-based questions in 165 minutes. Passing score is 750 and the price of the test $346.
Who Should Earn the CompTIA PenTest+ Certification?
PenTest+ is unique because the certification requires a candidate to demonstrate their ability and knowledge “to test devices in new environments such as the cloud and mobile, in addition to traditional desktops and servers,” as CompTIA, Inc. describes. The exam is geared towards testing the knowledge of professionals in a Penetration Tester or Vulnerability Tester role but is definitely a good option for a variety of other figures, from IT Security Engineers to Network Security Operations staff to Security Analysts. As the recommended experience for the test includes 3-4 years of penetration testing, vulnerability assessment, and management, often professionals challenge this certification after having already obtained the Network+ and/or Security+ credentials.
This test, in fact, is also a great option for professionals in the other sectors of the IT realm that want to develop additional expertise or that want to change their career and enter the ‘White Hacking’ or ‘Ethical Hacking’ world.
How Can I Prepare to Get PenTest+ Certified?
CompTIA Training Solutions are obviously available for candidates to any of their certifications. Although there is no specific PenTest+ book or courseware found on the official website, students have the option of purchasing the CompTIA PenTest+ Certification All-in-One Exam Guide (Exam PT0-001) 1st Edition, a self-study guide that can prepare candidates for the challenging CompTIA PenTest+ exam and offers complete coverage of all exam subjects.
More options, however, are easily available on the internet. InfoSec Institute that won the Outstanding Partnership Award by CompTIA for 2016 has an expert team of information security instructors and therefore is best positioned to offer world-class training, to include the most recent edition of CompTIA’s suite of cybersecurity certifications: PenTest+.
Also, considering the Penetration Testing Online Training or engaging in practice skillsets (Penetration Testing and/or Ethical Hacking Basics) can help beginners understand if this field is for them. Also students can take a look at the Hacker Tract that is geared towards those interested in Hacking and Pen Testing topics, as is InfoSec Institute’s Ethical Hacking Boot Camp – CEH v10 Training, for example, that offers hacking training that goes in-depth into the techniques used by malicious, black hat hackers with lectures and hands-on lab exercises. This course, even though mostly suitable for those that want to become Certified Ethical Hackers (CEH) or Certified Penetration Testers (CPT) through CEH and CPT courses, does, however, help master any role where hacking skills are necessary. Another option is the participation to a full-fledged course; candidates, in fact, can also consider InfoSec Institute’s Penetration Testing Training which is delivered in the form of a 10-Day Boot Camp style course. Another option might be to check out Intense School’s Penetration Testing Online for their training.
Of course, pentesters can also gain knowledge from a good book for beginners and aspiring ethical hackers or by following pentesting blogs and online ‘hacking’ communities. In fact, many of the hacker-mindset communities are a great source of updated information on techniques, trends, and current threats; members often share their own scripts for various pen-test commands and exploits.
Another way to gain expertise or maintain the certification is by attending hacking conferences which can help build on existing skills and help professionals exchange ideas and knowledge with other like-minded security practitioners. Conferences are valuable and engaging experiences to receive training and education by industry pros and to keep fully up-to-date in an ever-changing and fast-paced field.
Conclusion
American security technologist Bruce Schneier once said that “defending [computer systems] often requires people who can think like attackers. [The point of penetration testing is] protection, detection and response–and you need all three to have good security.” Today, many more companies have come to employ highly skilled ‘ethical hackers’ and pentesters to help test and secure systems. Hiring someone that is CompTIA PenTest+ certified, through the latest addition to CompTIA’s suite of cybersecurity certifications, ensures employers that the professional has both offensive and defensive skills and has the practical know-how to assess a company’s overall security posture before attackers do; therefore, pentesters have become part of an organization’s first step towards the creation of an effective security program that aims at the prevention of breaches and the protection of data and assets.
In addition, IT practitioners who want to make penetration testing a career need to develop knowledge and skills to assess and measure threats to information assets quantitatively, and a certification like the CompTIA PenTest+ can help meet the learner’s needs and requirements as well as help guide them towards the mastering of all necessary expertise to excel in the field. The certification can also help in earning a higher salary and increase job prospects. The median salary of a certified tester is $71,660 and up to $108,600 for professional with ten years of experience. IT job candidates who add pentesting skills to network security experience also are preferred when running for IT security jobs.
CompTIA PenTest+ is coming in Q3 (July 31) 2018, almost immediately after the CompTIA PenTest+ Beta Exam (PT1-001) that was available to a limited testing group of Subject Matter Experts which ended on April 25th. Test takers can purchase a certification exam voucher by visiting the CompTIA Store.
Another option is to pay for their exam when scheduling it on the website of Pearson VUE, the global provider of computer-based testing solutions that is contracted to deliver also PenTest+.
References
Brecht, D. (2016, August 31). . Retrieved from
http://resources.infosecinstitute.com/penetration-testing-career-path-salary-info/
CompTIA, Inc. (2018, January 31). CompTIA Launches Beta Test for New CompTIA PenTest+ Certification. Retrieved from
https://www.comptia.org/about-us/newsroom/press-releases/2018/01/31/comptia-launches-beta-test-for-new-comptia-pentest-certification
CompTIA, Inc. (n.d.). CompTIA PenTest+. Retrieved from https://certification.comptia.org/certifications/pentest
CompTIA, Inc. (n.d.). CompTIA PenTest+ Certification Exam Objectives EXAM NUMBER: PT0-001M.
Retrieved from https://certification.comptia.org/docs/default-source/exam-objectives/comptia-pentest-exam-objectives-(2-0).pdf
Concise-courses.com. (n.d.). How Do I Become A Penetration Tester/ Ethical Hacker? We Ask The Experts! Retrieved from
https://www.concise-courses.com/how-to-become-a-penetration-tester/
Dodt, C. (2018, March 6). Top 5 Penetration Testing Certifications for Security Professionals.
Retrieved from
http://resources.infosecinstitute.com/top-5-penetration-testing-certifications-security-professionals/#gref
InfoSec Institute. (n.d.). How to become a Ethical Hacker. Retrieved from
https://resources.infosecinstitute.com/job-titles/ethical-hacker/
InfoSec Institute. (n.d.). How to become a Penetration Tester. Retrieved from
https://resources.infosecinstitute.com/job-titles/penetration-tester/
InfoSec Resources. (2016, June 17). Is Penetration Testing a Degree? Retrieved from
https://resources.infosecinstitute.com/is-penetration-testing-a-degree/
Intrinium. (2016, August 19). Should You Hire a Hacker? Penetration Testing is an Effective Way to Assess Your Business’s IT Security Risk. Retrieved from https://intrinium.com/should-you-hire-a-hacker-penetration-testing-is-an-effective-way-to-assess-your-businesss-it-security-risk/