Get to know a Penetration Tester

1 Dec

At first glance, David Parker looks like your worst nightmare. He spends his days breaking into massive enterprise networks, probing for sensitive data. He has never been kept out of a single business he’s tried hacking. Often, he has admin access in minutes.

Good thing he’s on your side.

Parker is a penetration tester—a "white hat" hacker. He follows in-step with the latest malicious techniques and tools, then maps out the vulnerability of big business networks by breaking into them. He’s won awards for what he does. He’s come out on top in national competitions. So let’s meet the best hacker who will never burn down your network.

Q: Okay, first of all—if you’re so good at getting in, why be the good guy?

DP: I guess the simple answer is that I like the idea of doing no harm—thinking bad but doing good. Plus, in all honesty, if you can execute a great pen test, it's the much longer career path.

Q: When did you get started hacking?

DP: When I was 5 or 6, I was playing with programming on the family computer. I realized that the best way to learn how to make it do things was to figure out how different system components spoke to each other; and the best way to do that was to try to make it do things it wasn’t supposed to do.

You know how some kids might take apart their toys or their parents’ furniture? It was like that, but on a software level.

Q: What are the biggest misconceptions about what you do?

DP: First, that if you put a firewall between me and you, you’re protected. You can't have one answer for security and trust that it will keep everyone out anymore. A pen test helps you understand your greatest enemy: what you don't know.

Second, that "hacking" is mostly about cracking codes and decrypting data. Hacking, just like a pen test, is much more about poking around and finding holes than it is staring at a screen of symbols and trying to make sense of it. Remember, these are systems designed to let people in—some people, the right people—and in a pen test, it's my job to get it to let me in even though I’m the wrong person. A pen test will discover these vulnerabilities.

Q: So is this kind of hacking "fun"?

DP: Oh totally. And that’s the hacker’s mindset too. They may be in it partially for financial gain or company secrets, but a lot of them don’t even have a particular target. Some are just chasing the thrill, working to prove they’re smart, or maybe just trying to grab some fame.

Q: Why should we care about penetration testing today?

DP: Attacks have changed. Attackers are getting more sophisticated and more ruthless. Because they've learned to go around the firewall rather than breaking through it, they often go unnoticed before they start burning the network to the ground. My job with a pen test is to map out all the most likely in-routes so the customer can learn to adaptively monitor them. Without that map, you're vulnerable in ways you won't even realize.

And there’s so much at stake. For me, it's exciting because it’s often like a race to find the switch that can control $30 billion in investments for a company. You know, before the other guy does.

The point, really, is that too many modern networks are set up too much like an egg: they have a wonderfully hard shell to protect them—but once someone gets through it, movement is easy and so is swinging a wrecking ball. What you need is nerves all throughout your network, so when someone gets in, you can respond before any major damage is done.
