Many organizations fail to find an ideal pentester and end up looking for the following options:
- Train a potential candidate, but he currently does not have the ability to get the job done.
- Hire a hacker who is engaged in illicit activities and promote him as a pentester. (bad idea)
- Give up the idea of offering pentesting and offer “all-in-one” solutions.
However, this strategy does not only outcome poor results, but also represent a real danger to the customer’s systems.
What are these risks?
The risks of a poor choice of candidates lead to:
- Reputational risks for both the audit firm and the end customer.
- Risk of compromising the security of the customer platform.
- Risk of compromising the stability of the customer platform.
- Risk of leaving out of service the customer platform, causing him losses.
- Risk that the work done does not generate a tangible benefit according to its cost.
We must remember that the audit company will live and get new customer jobs according to its reputation.
Why not to apply the conventional model of the expert who teaches junior?
Hiring a junior is a good idea if he knows the fundamental knowledge and you have a good senior auditor who teaches him, but unfortunately not anyone can be molded as a hacker.
First of all, we must understand that it can take several years until a junior is ready to approach only one client. The problem of leaving them alone is not only in responsibility, but also in analytical work and in potential risks.
Some of the work can be automated, but only after analyzing what is required.
To run a vulnscan tool, which can run for only several minutes, the pentester is required to perform some deep inspection to set up the proper vulnscan parameters. Such inspection requires experience on the part of the auditor.
If you run the tools without knowing what you are doing (ie trying to exploit a sql injection in a field for lfi or vice versa), you will waste all the time, you will not get any tangible results, and you will be charging the customer with overtime.
Intuition and experience:
If a newbie does an automated task, in which he executes all types of possible tests on all possible fields, he will achieve little or nothing and puts at risk the whole customer organization (eg DROP TABLES, Denial of Service, etc …).
An ethical hacker with experience and intuition will first explore the vectors where he knows that the programmer could have committed some mistakes achieving immediate results. And this can be done with relatively little previous information.
We understand that choosing an “ethical hacker” to do pentesting work is not a simple task. Among the factors for selecting a consultant must deprive the following:
- Reputation: If, for example, such person is known to be currently involved in illicit activities, it is not a good sign. A simple trap to discard candidates is to ask the candidate if he can hack a gmail account. If you say yes, discard it immediately.
- Experience: Experience is not having been in a chair occupying a position for 15 consecutive years. I recommend focusing the search for the following details:
- Result of their work (How far has he penetrated?)
- How many jobs he has done (diversity)
- Milestones and achievements (eg strategies that have resulted in success, 0-days, published source code, etc etc).
- Certifications and Academic Qualifications.
- Skills: Skills are not necessarily tied to experience. And here is the decisive factor to hire a junior. The details to focus on are:
- How good a hacker is: A hacker will try to understand how things work. If the person seeks to understand how things work, then it is a good candidate, even if he have not had any experience.
- Audit skills: Being an auditor is no easy task. The main thing in this field is that the auditor should preserve the independence of his work and avoid biases to “look good”.
- Innovative ability: It is important that the candidate knows how to think “outside the box” and achieve results outside the manual. This is very important because hackers attacking organizations do it that way.
- Prior knowledge: Knowing about different architectures, platforms, programming languages give a candidate a plus. (Eg know how to handle linux and windows as administrator, coding a security tool, …)
- Ethics and Honesty:
- Black hat hackers make millions of dollars and punishments do not outweigh the benefits. It is important that our candidate has high standards of ethics. And even if he has not had bad fame, it is good to ask malicious questions to check if this person is willing to cross the boundaries. In that case, discard him.
- Another important point of ethics is to capture the lies. A person who lies about their experience to increase it, should be discarded. It is important to check EVERYTHING it says (experience, skills, etc.), if he is lying, discard it.
- Reports: Even if he is a good hacker, he must be able to express what he has achieved in a way that is useful to the client. Many companies have reporting templates, but the auditor should be serious about showing and explaining their findings.
- Cost: The hourly cost of an auditor is directly tied to his availability and experience. That is why we must analyze the cost-benefit for each job and avoid to discard potential candidates. If the customer has at stake millions of dollars or serious reputational damages, It would be irresponsible to introduce cheap consultants to make feel the client secure. In any case, the audit firm should set a minimum standard of quality and offer several options.
- Availability: The ad-hoc auditor is a relatively busy person, may be performing professional improvement tasks, may be assigned to an activity, be in another location, or may even be competing on prices with different jobs at the same time. Availability is a factor with which we must live.
Each client and each case will have a set of very specific requirements. That is why my recommendation for consultants is to use a mixed strategy between advanced freelancers and mid-level fixed staff that allow the creation of appropriate working teams for each event.