Guide to Careers in Cyber Defense Vulnerability and Penetration Testing
Maintaining the security of cyber systems requires a broad understanding of the external threat environment and of internal weaknesses that expose those systems to exploitation and attack. One of the primary ways in which security gaps are identified and system weaknesses are discovered is through penetration testing, a cybersecurity specialization that is also commonly referred to as ethical hacking.
Cybersecurity professionals who specialize in penetration testing, or pen testing, use many of the same software tools, coding methods, and deceptive tactics as malicious hackers in order to probe computer networks for avenues of attack and locate deficiencies in cyber defenses. These operations are formally authorized by the owner/administrator of the targeted cyber systems and typically integrated into comprehensive, enterprise-wide efforts to mitigate risk, defend vital cyber infrastructures, and protect the integrity of cyber defenses. Indeed, most information security standards of practice recommend that businesses, government agencies, and other enterprises with significant cybersecurity concerns conduct penetration testing operations at least once per year, as well as when new computer systems are installed, and when changes are made in existing cyber infrastructures.
In addition, pen testing can also involve testing the physical security measures an organization or government agency has in place to prevent access to sensitive data and computer systems. For example, penetration testers may try to enter a building through an unlocked door to gain access to computer systems or use an employee’s badge to log into an organization’s network. In these situations, penetration testers often work closely with management and law enforcement, and have clear protocols on how to proceed if they are caught attempting to access a private or secure location.
Employment Opportunities in Penetration Testing
As noted above, public and private sector organizations and enterprises that are supported by and which rely on extensive computer and mobile networks commonly employ penetration testing professionals to help ensure that valuable data and critical digital systems are secure. This includes large companies in banking, finance, retail, manufacturing, and technology, as well as public and private utilities, military and defense contractors, and federal and state agencies. For example, the Payment Card Industry Security Standards Council (PCI SSC), an international organization of credit card companies and businesses, maintains a Data Security Standard that recommends that its members and businesses affiliated with the credit card industry subject vulnerable data systems and cyber networks to extensive penetration testing protocols at least once per year and any time that changes are made in existing systems and networks.
The healthcare/medical sector and the electrical power utility industry are two other areas in which penetration testing is commonly practiced as part of broader information and infrastructure security concerns. For example, while the Health Insurance Portability and Accountability Act (HIPPA) does not technically require healthcare organizations and medical providers to conduct penetration tests in order to ensure the integrity of their data systems, the National Institute of Standards and Technology (NIST) has recommended that penetration testing be incorporated into these efforts. Similarly, the North American Electric Reliability Corporation (NERC), which promotes the safety and reliability of electrical utilities providers in the U.S. and Canada, strongly encourages but does not currently require penetration testing as part of broader security operations.
Another way in which penetration testers are commonly employed is via cybersecurity consultancy firms. There are numerous cybersecurity companies and independent contractors who employ teams of penetration testers and other specialists in order to provide cybersecurity services to large and small companies, organizations, and even individuals who have computer systems and digital networks that need to be secured.
Finally, cyber intelligence operations that involve probing computer systems and networks for weaknesses and vulnerabilities commonly employ scenarios in which designated cyber attackers, known as the red team members, attempt various offensive actions while a team of defense specialists, known as blue team members, mount a response. Red team actions include penetration testing as well as other facets of a simulated cyberattack, such as using social engineering techniques that can identify vulnerabilities in an organization’s chain of command and system/network access and administration protocols. Cybersecurity professionals with training and experience in penetration testing are thus commonly employed in red team/blue team exercises.
Common job titles for those who work in cyber defense vulnerability and penetration testing include:
- Ethical Hacker
- Red Team Penetration Test specialist
- Penetration Testing Technician
- System Testing and Evaluation Engineer
Knowledge, Skills, and Abilities (KSAs) for Penetration Testing Professionals
Working as a penetration tester, ethical hacker, or red team member requires a general understanding of cybersecurity concepts, tools, and methodologies, as well as familiarity with the major components of computer systems and digital networks, including hardware, software, operating systems, databases, and mobile and remote systems. Penetration testers must also be familiar with cyberattack tools and strategies, encryption and decryption protocols, common scripting languages, and the three attack vectors: computer networks; wireless systems; and physical and human points of access.
In addition, there are a number of software packages and tools designed specifically for penetration testing, such as Netsparker, Wireshark, HackerOne, Metasploit, Aircrack-ng, John the Ripper, Ettercap, Kali Linux, and sqlmap. Familiarity with and proficiency in these or other similar tools is advantageous for those aiming to advance in the field of penetration testing/ethical hacking.
In addition to technical knowledge and skills, penetration testing requires an understanding of data security standards and the laws and regulations governing digital privacy and cybersecurity. There are also a number a personal traits and characteristics that employers commonly look for in penetration testers, including critical thinking skills, the ability to work independently and as part of a team, and written and oral communication and reporting skills. As the designation ethical hacker implies, it is helpful for penetration testers to be able think like a cyber attacker or malicious actor in order to provide a realistic assessment of potential vulnerabilities and weaknesses in cyber systems.
The NICE Workforce Framework for Cybersecurity, a comprehensive and detailed guide to the various areas of training and employment in cybersecurity created by the National Initiative for Cybersecurity Education (NICE), has an extensive list of KSAs for System Testing and Evaluation Specialist, the classification it uses for penetration testers and ethical hackers. The three sections below draw on the NICE Framework and on actual job listings for penetration testing professionals to provide a representative overview of some of the key proficiencies that are highly valued in the field.
General Technical Knowledge
- Common operating systems (Microsoft Windows, Android, Linux, iOS)
- Computer networking and security concepts, protocols, and components
- Enterprise information security architecture
- Network hardware devices and functions
- Network protocols (Domain Name System, Dynamic Host Configuration Protocol, Internet Protocol, Transmission Control Protocol, User Datagram Protocol)
- Systems administration concepts related to servers, databases, and user accounts
Penetration Testing Knowledge and Skills
- Antivirus software
- Common computer system and network vulnerabilities, including hardware, software, and human vulnerabilities
- Computer network and wireless security monitoring tools
- Encryption/Decryption tools
- Firewalls and their use
- Malware analysis
- Payment Card Industry (PCI) data security standards
- Personal Health Information (PHI) data security standards
- Security assessment and authorization processes
- The Information System Security Assessment Framework (ISSAF), developed by Open Information Security Systems Group (OISSG)
- The NIST Technical Guide to Information Security Testing and Assessment
- The Open Source Security Testing Methodology Manual (OSSTMM 3), developed by the Institute for Security and Open Methodologies (ISECOM)
- The Penetration Testing Execution Standard (PTES)
- The Web Security Testing Guide (WSTG) developed by Open Web Application Security Project (OWASP)
- Web vulnerability scanning tools
- Ability to translate data and test results into evaluative conclusions
- Ability to plan testing operations and communicate those plans to others within an organization
- Ability to coordinate complex tests on systems and networks
- Ability to accurately document, analyze, and report on various types of penetration tests
- Interpersonal communication skills
- Knowledge of relevant laws and regulations pertaining to digital privacy, information security, and hacking
- Understanding cybersecurity and privacy standards and ethics regarding confidentiality, integrity, availability, authentication, and non-repudiation
Training and Credentials in Cyber Defense Vulnerability and Penetration Testing
Working in the field of cybersecurity generally requires technical knowledge of computer and information technology systems, proficiency in computer coding/object-oriented programming languages, and an understanding of digital information and communication systems and their architecture. Professionals who work in penetration testing must add to that knowledge base in order to develop ethical hacking proficiencies and cultivate an understanding of encryption/decryption protocols, network vulnerability scanning, malware, data security measures, and common strategies for defeating cyber system defenses. While many of the skills and proficiencies associated with penetration testing and ethical hacking can be learned through work experience in the field of cybersecurity, formal training in computer science, information systems, and IT management is generally required for initial entry into the field.
Bachelor’s, Master’s, and Graduate Certificate Programs in Cybersecurity and Penetration Testing
Majoring in computer science or a related field as an undergraduate is one way to prepare for a career in cybersecurity/penetration testing, although many schools now offer bachelor’s degree programs in cybersecurity. Most bachelor’s in cybersecurity programs combine computer science and programming coursework with courses in information security, digital forensics, and other topics that can help students gain the skills necessary to enter the cybersecurity workforce. Some schools may offer elective courses that cover topics in ethical hacking and penetration testing, although such training is more common at the graduate level.
There are numerous schools that offer graduate training in cybersecurity, typically via master’s in cybersecurity, digital/computer forensics, and/or information security and governance programs. A limited number of these programs have a specialization in ethical hacking/penetration testing. Master’s in cybersecurity specializations typically consist of a cluster of three or four courses that provide training and instruction in a specific area such as penetration testing. Some schools may offer ethical hacking/penetration specialization coursework as part of a master’s program and/or as a stand-alone graduate certificate program.
To be eligible for admission to a master’s program in cybersecurity, applicants typically need to have a moderate to strong technical background, as shown in their academic and/or professional work. Some programs require students to hold a bachelor’s degree in computer science or a related field, or to have substantial undergraduate training in one or more object-oriented programming languages, such as C++, Python, and/or Java; Windows and Linux operating systems; and the applications of structured query language (SQL). However, there are also cybersecurity programs that accept students from less technical backgrounds, including students who do not have undergraduate training in computer science; these programs generally require students to complete a number of bridge courses in order to gain the necessary foundational knowledge and skills to succeed in a master’s program in cybersecurity.
Graduate certificate programs typically have similar admissions requirements to master’s programs, but are less likely to require standardized test scores such as the GRE. These programs are a good option for students interested in adding new skills and an academic credential without having to commit to a full master’s degree program. They are also a good option for students who already have a master’s degree and want to add to their academic credentials and skill set.
Professional Credentials and Certifications in Cybersecurity and Penetration Testing
For professionals who are already working in IT and/or cybersecurity, another route to becoming a penetration tester is through training programs, bootcamps, and industry certification programs offered by private for-profit and non-profit organizations. These programs and the credentials they confer are generally designed for individuals who already have a technical background and some work experience in a computer-oriented field, and they provide targeted vocational training that can be useful in advancing one’s career.
The Certified Ethical Hacker (CEH) credential that is offered by the International Council of Electronic Commerce Consultants (EC-Council) is one example of an industry certification program that has broad recognition in the field of penetration testing. There are a number of such credentials available, as detailed in the list below.
- Certified Ethical Hacker (CEH) and Licensed Penetration Tester (LPT), offered by the EC-Council
- Certified Penetration Tester (CPT), Certified Expert Penetration Tester (CEPT), and Certified Mobile and Web Application Penetration Tester (CMWAPT), offered by the Information Assurance Certification Review Board (IACRB)
- CompTIA PenTest+, offered by the Computing Technology Industry Association (CompTIA)
- GIAC Penetration Tester (GPEN), offered by the Sans Institute’s Global Information Assurance Certification (GIAC) program
- Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE), offered by Offensive Security
Examples of Jobs in Penetration Testing and Ethical Hacking
The examples below draw on actual job listings for penetration testers and ethical hacking specialists. They are meant to provide a representative overview of the types of jobs available in this field and some of the eligibility requirements for penetration testers and ethical hackers.
Ethical Hacker/Pen Tester
- Primary Responsibilities: Design and conduct penetration tests on web-based applications, computer networks, and embedded systems; conduct security assessments of servers, computer systems, and networks; and work with client to determine testing objectives and requirements.
- Education: Bachelor’s degree in computer science or a related field.
- Credentials: Certified Ethical Hacker (CEH), GIAC Certified Penetration Tester (GPEN), or Offensive Security Certified Expert (OSCP) preferred.
- Experience: Two or more years in the design and conduct of penetration testing preferred.
- Technical Proficiencies: Knowledge of vulnerability management and scanning best practices; experience with Linux, Apache, and MySQL; an understanding of OWASP’s Top 10 vulnerabilities; and expertise in penetration testing methodology.
- Other Attributes: Written and verbal communication and presentation skills; and eligibility for Department of Defense security clearance.
Junior Penetration Tester
- Primary Responsibilities: Assist in planning, coordinating, and performing penetration tests and security assessments at application, system, and enterprise levels; and document targets, test plans, testing scenarios, and findings in penetration test reports.
- Education: Bachelor of Science (BS) in Cybersecurity, Computer Science, Computer Engineering, or a related field.
- Credentials: Certified Ethical Hacker (CEH), CompTIA PenTest+, Certified Penetration Tester (CPT), or GIAC Certified Penetration Tester (GPEN) required.
- Experience: A minimum of one year of prior experience in cybersecurity.
- Technical Proficiencies: Experience in penetration testing enterprise networks using industry standard penetration tools; knowledge of applications, databases, operating systems, and network devices; and an understanding of threat attacks, exploitation vectors, and data exfiltration tactics.
- Other Attributes: Strong written and verbal communication and skills; and eligibility for Top Secret/Sensitive Compartmented Information (TS/SCI) clearance.
Red Team Penetration Tester
- Primary Responsibilities: Perform network penetration, web and mobile application testing, source code reviews, threat analysis, wireless network assessments, and social-engineering assessments; and present reports and presentations to technical and executive audiences.
- Education: None specified.
- Credentials: None specified.
- Experience: A minimum of three years of experience working in penetration testing, developing applications, scripting in Python, reverse engineering malware, and/or reviewing source code for security flaws.
- Technical Proficiencies: Ability to script in Perl, Python, or Ruby; experience developing applications using C#, ASP, .NET, Objective-C, or Java; and mastery of Unix/Linux/Mac/Windows operating systems.
- Other Attributes: Ability to document and explain technical details in a concise, understandable manner, manage and balance time among multiple tasks, lead junior staff when required, and interface effectively with internal and external clients.