What Makes A Good Penetration Tester?

IT security is something that organisations can’t afford to ignore. With Australia set to introduce mandatory data breach notification laws, the need for local organisations to up their security game is only going to increase. Penetration testers (pen testers) are IT professionals that assume the role of an external or even internal threat to help organisations identify security weaknesses. It’s a profession that is in high demand, by employers and job seekers. But what makes a good pen tester? We asked Nuix chief information security officer Chris Pogue.

Pen testers are often hired by companies to find security vulnerabilities within an organisation and exploit them to get access to computer systems and sensitive data; much like a malicious hacker. Those findings are then reported back to the companies along with recommendations on how to fix security holes.

The methods pen testers use to get the job done can range from social engineering (e.g. pretending to be a staff member) to running email phishing campaigns to steal credentials. It’s a pretty cool job; you get paid to legally hack organisations.

Nuix has been ramping up its security capabilities and has been hiring pen testers to work for customers. Pogue, who has been in the industry for 15 years and has experience as a cybercrimes investigator, ethical hacker and military officer, oversees the hiring process for pen testers. He recently spoke to Lifehacker Australia about what he looks for in a candidate.

While he notes that qualifications and certificates may not be indicative of a pen tester’s capabilities, it is an important starting point for Nuix to cut down on the number of candidates that apply.

“I had to give the HR team a set of criteria; I want to see at least one certification, I want to see at least two years of [experience], a bachelor degree – We have to give the HR team something otherwise everyone will apply,” Pogue.

Nuix recently had 40 applicants for two pen tester job openings. That number was cut down to 20 after the initial culling.

In the interview process, Pogue looks for one of the most important qualities he wants in a pen tester: creativity.

“You wouldn’t think something technical is creative but for a good pen tester, the technology is arbitrary; they know how to use the technology to do whatever they want,” he said. “It’s about thinking through problems; how are they creatively circumventing security controls?”

So how does Pogue evaluate creativity?

“We have guys on the team ask them specific questions: ‘How would you approach this problem? Now, tell me a different way you would do the exact same thing. Now, tell me a third way,” he said. “… We’re looking for specific ways that they can creatively deal with the problem at hand.”

The next stage is to go through a physical exam where Nuix sets up a virtual machine as a target that candidates have to break into.

“We tell them there are five ways to hack this target and they have to find one of those five ways,” Pogue said. “The good ones come back with five ways (the really good ones will come back with six). The bad ones – we had one guy who just dropped out in the middle of the test.”

Out of the 40 people who applied, Nuix is only making an offer to one of them.

“A lot of people want to say they are pen testers, they play buzzword bingo on their resumes and so those past the HR sniff test,” Pogue said. “But as soon as we start asking questions and they fall apart, the interview is over.”