Global Information Risk
Management Recruitment
Telephone: +44(0)20 7987 3838 Email:

What is penetration testing?

Filed under: Features — Mark on July 2, 2013

To the uninitiated the phrase “penetration testing” might sound a little mysterious, even downright odd. In fact, it’s no more than a summary of a vital phase in building an organisation’s information security defences. Companies need to be sure that they have an adequate IT security infrastructure in place. Any vulnerabilities or fault lines have to be identified, proven to be a risk and dealt with.

While auditing and reporting always help, the acid test lies in finding out what would happen in the event of a genuine attack. Penetration testing addresses this need by providing a structured simulation, under controlled conditions, of an assault on an organisation’s IT defences.

Penetration testing goes back at least three decades. Its origins can be traced, in part, in the time-honoured ritual of “black hat” hackers turning “white hat”. The antics of a mischievous hacker catch the eyes of company executives and that person then goes on to be hired with the purpose of exposing the weaknesses in a corporate IT setup; it’s the classic poacher-turned-gamekeeper scenario.

Whilst such hiring routines have been less common in recent times, they do still happen, as reported last year in Engineering and Technology Magazine:

“Twenty-three-year-old George ‘GeoHot’ Hotz gained notoriety in 2007 when he became the first person to ‘jailbreak’ Apple’s iPhone by creating a program that enabled iPhone users to modify their devices to run on other carrier networks, despite AT&T having an exclusive deal with Apple. Two years later Hotz cracked Sony’s PlayStation 3 games console, giving him access to the machines processor which helped gamers to amend their game consoles.

“However, despite his reputation, social networking giant Facebook hired him, and is reported to be engaged on building an anti-hacker defence programme.”

While such cases can grab the tech headlines, they can give a rather distorted picture of the penetration testing (or “Pen testing”) role. The reality is, reassuringly perhaps, less mercurial. For pen testing is now very much an established information security profession with its own standards, certifications and methodologies.

While there is no one route in to pen testing, a typical “ethical” career path might be as follows.

Following some higher education – most likely in a technology related subject – an individual gets a job on an IT helpdesk. They get promoted to a System Administrator role where they consolidate their knowledge and experience of networking, TCP/IP, routers, switches and, crucially, firewalls. During this period, they decide to specialise in information security, with an interest in pen testing. They realise that they can be more credible with some professional qualifications under their belt, such as the CREST (Council of Registered Ethical Security Testers) Registered Tester certificate. The IT Health Check (CHECK) Team Leader qualification is also much sought after. They are then in a position to apply for their first pen testing roles.

All in all, penetration testing has now entered the mainstream as an essential component in the IT security armoury. Companies that attempt to skip, or just skimp on, the pen testing phase do so at their peril.

No Comments »

No comments yet.

RSS feed for comments on this post. TrackBack URL

Leave a comment


Please register and browse our jobs so we can help you start a new career!




Acumin © 2006-12