Hacking? Not quite. More like ethical hacking. Yes, there is a profession out there for you where you can legally hack... and get paid handsomely for it!
In the cyber security profession, penetration testing, or pen testing, is just one specialty. Using the education and tools you gain in a cyber security major, you can work for the government or a corporation in looking for, finding, and sealing system vulnerabilities. And you’ll do all of this before the black-hat hackers find those same weaknesses.
What Does a Penetration Tester Do?
As with most jobs, some days your work will be dull, with nothing much happening and you just focusing on the next task or poring over code. On other days, you’ll be confronted with an attack on the security of your system: someone on the outside (or inside) attempting to break into the computer network that you protect.
The plan is that you will have already tested all possible methods of entry, and warned security analysts, incident responders, or others about the possibility of intrusion. It won’t be as exciting as the movies, but you’ll still be probing and poking around within your employer’s computer systems, preparing the system to weather just such an attack.
As an ethical, “white hat” penetration tester, you’ll spend your days inside your employer’s systems. You may write up reports to explain what you find, or you may sit down in your supervisor’s office to verbally explain your findings. If you think of the work as having a defined beginning, middle, and end, you’ll be measuring and assessing the system, then trying to break into the network, and finally creating a report to warn the company of issues and help system engineers better protect those areas that are weak.
What are Their Responsibilities, Common Duties, and Tasks?
As a certified ethical hacker, you can expect to be a member of a team that carries out penetration tests of your employer’s computer network or system. You’ll likely be teamed up with people who have different levels of skill and you probably won’t be the only person to carry out all penetration tests.
When you and your team find system vulnerabilities, you’ll report these flaws to the Chief Information Security Officer (CISO), Chief Security Officer (CSO), or whichever manager is directly above you, who will then explain them to their own supervisors and begin preparations to secure the system.
Some large teams of penetration testers are known as the Red Team. You could be employed by a nuclear facility, utility system, or a city power grid to look for and prevent exploitation of vulnerabilities.
How to Become a Penetration Tester
At any employment level, a cyber security penetration tester is required to have a degree. This may be an associate, bachelor’s, or master’s degree.
By the time they reach the master’s level, students interested in working as penetration testers should pass cyber security courses in Cloud Computing, Secure Communication Protocols, The Internet of Things, Principles of Cryptography, Advanced Software Engineering and Programming Languages, Web-Based Applications, Security Frameworks, and specific software tools such as AppScan and Fortify. If this is the level you are striving for, you should also be familiar with Unix, Linux, and Windows. The networking tools Nmap and Nessus should be something you can easily work with. Good penetration testers use several forensics tools as well.
Look for cyber security degree programs that offer certifications such as HackerU Certified Penetration Tester or EC-Council Certified Ethical Hacker. If you are looking to get into your first position as a penetration tester, you should know that employers are looking for programming or IT experience and background.
Typical Requirements for Employee Hiring
Your future employers will likely have varying specific requirements for potential employees such as you. Most employers require at least a bachelor’s degree for an applicant to be considered for this position. You’ll also need to show proof of cyber security experience. You may be able to list any internships that have allowed you to gain valuable experience before you graduate or, if you worked in cyber security before moving into a penetration testing position, your prior work experience will be a definite positive for you.
Be ready to show that you have the technical and soft skills needed to work as a penetration tester. The technical skills include working with your employer’s computer network and probing for dangerous vulnerabilities, then developing solutions to correct them. You’ll use both technical and soft skills when you look for, correct, and instruct colleagues on good security practices such as strong password usage. Relevant certifications will, of course, add significant weight to your resume.
You’ll be busy every day of the week in your job. You’ll need to be able to prioritize tasks and multitask. For instance, you may need to look for passive threats on the same day that you realize a hacker is trying to get into the computer system. Knowing which to do first will ensure you do your best to protect your employer’s computer network. You’ll also have to communicate well with colleagues, team members, and management as you explain weaknesses and how to correct them without judgement.
During your interviews, potential employers will be asking you about your skills, looking for examples and demonstrations of how you would be able to help them protect their networks.
- Good to excellent communications skills - You need to be able to write well so that the documentation you provide gives your employers a concise overview of how to strengthen their network; verbally, you need to be able to express yourself well
- A strong feeling for technology, security, and IT - You must be willing to stay current on the most recent developments
- Aptitude for performing the technical tasks you’ll do daily - Know how to write and read code
- Know how to exploit software for different types of applications
- Know how to ethically hack wireless networks, get around detection systems, and evade firewalls
- Carry out DoS (Denial of Service) attacks
Penetration testers are well-paid for their efforts; because they focus on the ethical side of hacking, they can find network weaknesses that other employees or managers don’t have the skills to find. If you are planning to work as a penetration tester, your skills also factor into what you can expect as your annual salary. An entry-level penetration tester may earn an annual salary of $68,000. After a penetration tester has been on the job for a few years, they may see their average annual salary increase to $102,000 and in the later stages of their career, their annual salary may jump up to $116,400. The top 10% of penetration testers in the late stage of their careers can make up to $155,000.
Outlook & Jobs
While the Bureau of Labor Statistics (BLS) does not publish statistics on penetration testers specifically, it does say that information security analysts can anticipate a favorable job outlook from 2018 through 2028. It projects an increase in these types of positions of 32%, which is significantly higher than all other occupations combined. Other occupations are projected to grow by 5% over those 10 years, and other computer occupations are projected to grow by 12% over the same time period. For Information Security Analyst positions, this means an increase of 35,500 new jobs created by 2028.
Another report, a Research and Markets forecast, says that the employment of penetration testers will be worth $1.7 billion by 2021. Due to the increase in cyberattacks, penetration testers will be in very high demand. Their skills are necessary to help develop new methods to keep hackers from breaking into networks or stealing personal information, and to track vulnerabilities in existing systems.
Financial institutions, banks, healthcare industry providers and retail outlets have all been attacked in recent years. This proves how vital it is for each of these industries to strengthen their computer networks; penetration testers and other information security analysts are vital for this. Focusing on the healthcare industry, which is growing its use of electronic medical records, a strong and well-protected network is mandatory, as HIPAA dictates that information privacy is a right afforded to every patient.
In 2016 alone, over one million cyber security positions were available around the world. This shows a high need and demand for cyber security personnel. Due to their specialized hacking and penetration skills, penetration testers are especially valuable.