Cyber Security: Pen Testing

Stuart Gentry, Alumnus


I have come across people in cyber security and information technology who have different career goals. Some want to be software engineers, others want to be in network support, and still others want to be penetration or “pen” testers. While pen testing is related to ethical hacking, pen testers do more than what the technical side of ethical hacking entails.

Pen testers are typically on a team tasked to break into an organization. The rules in terms of what can and cannot be done as part of the break-in are agreed upon with the organization prior to conducting any work. The rules around what CANNOT be done are particularly important since a cyber-attack could mean loss of revenue for the organization.

In pen testing, the team may be allowed to social engineer employees. This can include, but is not limited to, the following:

  1. Obtaining access inside the building without a badge (or with a fake badge).
  2. Calling the help desk to see if they can obtain passwords to accounts or other information about the organization.
  3. Sending phishing emails (or spear phishing) to see what employees will “bite” on.
  4. Hanging around a frequented restaurant to listen in on employee conversation for information about the organization.

The team can look at an organization’s website and find valuable information as well.

  1. Email addresses to help with phishing emails.
  2. Phone numbers to the help desk and other employees that can be used to obtain passwords and other information.
  3. Names of servers with vital information on them.

The team can also look at Wi-Fi connections (unencrypted ones in particular) to attempt to gain access to a vital system. They can observe the network traffic to identify unencrypted information being leaked or unknown connections capturing network traffic.

On the technical side, vulnerability scans are typically run to determine and expose any weaknesses in server security. Scanners such as Nexpose (free of charge and automated) or Nmap (also free of charge, but more manual) can do complete vulnerability scans. If the team is allowed to exploit, Metasploit offers many exploits and payloads to see if the team can gain root access on a system, or two, or three.
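The scans described above are also what the defending side sees in its firewall logs, so here is an added example (not code from this post, from SANS, or from Regis University) of how a blue team might flag scan-like activity: a source that touches many distinct ports on one host within a short window. The log format, the sample addresses, and the `window`/`port_threshold` values are all constructed assumptions for the illustration, not the output of any real product.

```python
"""Added example: flag port-scan-like activity in constructed firewall log lines.

Assumed (constructed) log format, one event per line:
  <epoch_seconds> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 probes ten different ports on 10.0.0.20 within
# a few seconds (scan-like), while 10.0.0.7 just reconnects to port 443 (normal).
SAMPLE_LOG = """\
1700000000 10.0.0.5 10.0.0.20 22 DENY
1700000001 10.0.0.5 10.0.0.20 23 DENY
1700000001 10.0.0.5 10.0.0.20 25 DENY
1700000002 10.0.0.5 10.0.0.20 80 ALLOW
1700000002 10.0.0.5 10.0.0.20 110 DENY
1700000003 10.0.0.5 10.0.0.20 135 DENY
1700000003 10.0.0.5 10.0.0.20 139 DENY
1700000004 10.0.0.5 10.0.0.20 443 ALLOW
1700000004 10.0.0.5 10.0.0.20 445 DENY
1700000005 10.0.0.5 10.0.0.20 3389 DENY
1700000000 10.0.0.7 10.0.0.20 443 ALLOW
1700000030 10.0.0.7 10.0.0.20 443 ALLOW
1700000060 10.0.0.7 10.0.0.20 443 ALLOW
this line is malformed and should be skipped
"""


def parse_log(text):
    """Parse the constructed log format into (ts, src, dst, port, action) tuples.

    Malformed lines are skipped rather than crashing the detector, since real
    log feeds routinely contain partial or truncated records.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, action = parts
        try:
            events.append((int(ts), src, dst, int(port), action))
        except ValueError:
            continue
    return events


def detect_scans(events, window=60, port_threshold=8):
    """Return {(src, dst): sorted_ports} for every source/destination pair that
    contacted at least `port_threshold` distinct ports within `window` seconds.

    The thresholds are assumed values for the example; in practice they are
    tuned per environment so that normal clients (few ports, repeated) do not
    alert while a sweep across many ports does.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _action in events:
        by_pair[(src, dst)].append((ts, port))

    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()  # time-ordered so each window starts at one hit
        for i, (start, _port) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= port_threshold:
                alerts[pair] = sorted(ports)
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible scan: {src} -> {dst} touched {len(ports)} ports: {ports}")
```

Run as-is, the script reports only the 10.0.0.5 -> 10.0.0.20 pair; the client that repeatedly used port 443 never crosses the distinct-port threshold. The same counting idea is what many intrusion detection systems apply, with the window and threshold chosen to suit the network.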

If you are curious and want additional information, the SANS Institute has some papers and posters that depict what goes into pen testing. These include many of the items I have mentioned above and more. Here is one poster I have in my office.

Regis University’s Information Assurance programs also offer students the opportunity to participate in cyber defense competitions. Participating in the events will allow you to learn the technical aspects of pen testing and offer an excellent opportunity to network and meet professional pen testers. Keep in mind: you usually have the choice to be on the blue team (defenders) or the red team (attackers). Depending on which side you are on, you will learn how to put up your defenses (i.e. patches, firewalls, etc.) or how to scan and exploit or attack the defender’s network (what about that default password on the router they forgot to change?). I have been to a couple of them. You not only learn, but they are fun!

To find out more about a master's degree in Information Assurance call an admissions counselor at 877-820-0581.

Visit our Resource Center for more details on the information assurance industry.
