Penetration Tester - How to Define

Penetration Tester

How to Define

Stefan Friedli
by Stefan Friedli
time to read: 12 minutes

The older readers among our audience might remember them: The painfully long discussions on online forums and usenet groups regarding the definition of a hacker. The difference to the so-called cracker was just as important as the debate, if self-proclaimed hackers have forfeited the right to the label by assigning it to themselves and are to be considered lamers. Generally, there is a lot of lingo in the hacker and infosec realm that leaves room for interpretation: The terms whitehat, blackhat and greyhat were often used to identify the ethical alignment of a person. But especially with the third term, the definition was often lost in more than fifty shades of grey of moral ambiguity.

Definitions Today

Even though these discussions have become a bit less frequent these days, the bickering about words has not fully subsided: The term cyber has been thrown around in marketing pitches so relentlessly, many infosec professionals have almost developed an allergy towards it – even though the general public, including the board of directors and other high-level executives could relate way better to the term cybersecurity than to the more obscure information security or its abbreviation, infosec.

The discussion regarding standardized labels goes further than one might think: Generic job titles like Security Analyst are common, but say little about the specific abilities and skills possessed by the individual bearing the title. The field of information security is so broad, that even experienced professionals with a broad base of knowledge have specific strengths and weaknesses. Especially with regards to job postings, it is often not completely clear what is expected from an analyst. A vulnerability assessment requires a very different skill set than a forensic data examination – but both these activities are often performed by Security Analysts.

This problem has also been encountered in the less formal times of the security- and hacker community. A real solution was never to be found, even though Geek Code, for example, a code format by Robert A. Hayden published in 1993 tried to formalize the expression of ones own strengths and weaknesses in a Public Key-style code block.

-----BEGIN GEEK CODE BLOCK-----
GED/J d-- s:++>: a--
C++(++++) ULU++ P+ L++
E---- W+(-) N+++ o+ K+++ w--- O-
M+ V--
PS++>$ PE++>$
Y++ PGP++ t-
5+++ X++ R+++>$
TV+ b+ DI+++ D+++ G+++++ e++  h r--
y++**
------END GEEK CODE BLOCK------

Given those ambiguities, nobody should be surprised that the definition of job titles has become somewhat odd. One example: Thought Leader. Let’s not waste any time talking about that one in more detail.

A certain clarity in the era of cybersecurity would actually be very important. Ambiguous or lacking internal communication is one of the core reasons for bad strategic decisions regarding infosec investments within Swiss corporations. Help has, maybe, arrived with a new document authored by the National Institute of Standards and Technology (NIST), the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework (NICE).

The 135-page document makes a structured attempt, for the terminology of job titles, skills, abilities and tasks to be unified and labelled using standardized language. This standardization is important to assure that communication can be unobstructed and clear beyond company- and country borders. It could also be highly beneficial with regards to training, qualification letters and CVs. Standardization does not necessary mean a reduction of complexity though. Much more, it means the reduction of ambiguity that might lead to errors and misinterpretation.

A standardization of labels means that one might also need to re-visit some commonly used labels in the own vocabulary. Hence, the author of the article you are reading at this point was also surprised to see that performing security assessments might fit both the role of Secure Software Assessor (SP-DEV-002) as well as the Exploitation Analyst (AN-EXP-001), but that the paper was not defining a role called Penetration Tester or similar. Upon closer inspection, the specific definition of both these roles are very interesting. So, let us look at the Exploitation Analyst, a label that probably matches the classic penetration tester, the way we see it at scip AG, the best. The NIST paper does not list every role in full, but only provides lookup tables. To give a sense of understanding, we compiled a full list of the tasks, abilities, skills and knowledge items linked to the role:

Example Exploitation Analyst

Description

Collaborates to identify access and collection gaps that can be satisfied through cyber collection and/or preparation activities. Leverages all authorized resources and analytic techniques to penetrate targeted networks.

Tasks

Knowledge

Skills

Abilities

Despite the list being somewhat long, it manages to describe the core abilities of a good penetration tester – or exploitation analyst, if you will – surprisingly well. One might complain about the varying levels of granularity in the single items, but generally NIST SP 800-181 provides a very useful resource to more accurately represent job functions within the field.

Conclusion

Time will tell if the NICE framework and the role descriptions in the form they currently exist will fully penetrate the field and become standard terminology. A lot of organizations still lack the maturity to be able to fully harness the granular descriptions and compartmentalizations.

Nevertheless: The paper is a step towards a better situation, even if it is just to provide a more comprehensive overview over the field of information security and the multitude of roles it contains.

About the Author

Stefan Friedli

Stefan Friedli is a well-known face among the Infosec Community. As a speaker at international conferences, co-founder of the Penetration Testing Execution Standard (PTES) as well as a board member of the Swiss DEFCON groups chapters, he still contributes to push the community and the industry forward.

Links

You want to test the security of your firewall?

Our experts will get in contact with you!

×
I want a "Red Teaming"

I want a "Red Teaming"

Michael Schneider

Human and AI

Human and AI

Marisa Tschopp

Vehicle forensics

Vehicle forensics

Michèle Trebo

Isn’t business continuity part of security?

Isn’t business continuity part of security?

Andrea Covello

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here