I studied for a BSc (Hons) in Computer Science at the University of Strathclyde in Glasgow. Following successful completion of this I studied for an MSc in Forensic Informatics at the same university. In the final semester of this a work placement was to be successfully completed and, after careful consideration of the options, I carried this out with the digital forensics department within QinetiQ, the global defence and security technology company.
This was a valuable experience and it was through this that I was introduced to the pentesting team, which sits in a business division of some 200 information security professionals.
In a nutshell, pentesters are invited by a customer to try to hack into their computer networks in order to identify any vulnerability, thereby allowing the customer to address these weaknesses. After a successful interview with the pentesting team, who were flexible enough to allow a three-month gap for travelling before starting life as a member of the team, I started as a pentester in January 2006.
For the first six months of employment I was sent on-site as a trainee to learn on the job and observe experienced pentesters whilst being mentored by an experienced tester who had been on the team for many years.
Day to day
My intention here was to describe a typical day or even a typical job for a pentester. However, the real beauty of this job is that there isn’t such a thing as a typical day or a typical job. No two jobs are ever the same. I have been working with this team for over two years and I have never seen the same network set-up, system build or application functionality twice – that’s what makes this job so fast-paced and interesting.
There are two main types of testing that we carry out – application testing and infrastructure testing. These can be carried out both in our offices at Malvern or on-site at the customer’s location, which means that a lot of travelling can be involved. Some team members have been as far afield as America, Europe and South Africa. Due to the nature of the job, seeking to gain administrative access of networks, computers, applications, etc., there are some actions that must be carried out for every job.
Legal consent must be achieved from the customer, to ensure we don’t clash with the Computer Misuse Act.
A start-up meeting is conducted before every job – to agree the scope with the customer, know what areas they want us to attempt to penetrate and if there’s anything they wish us to avoid, e.g. a DoS (Denial-of-Service) of a web application during their busiest business period, etc. Once the scope has been agreed and consent given, the job is carried out – whether it involves network probing, application testing, vulnerability scanning or any of the services that are required by the customer.
Finally, when the work is complete a wash-up meeting is conducted, followed by the writing of a technical report, to inform the customer of any weak areas in their IT security.