The Role of Security Penetration Testers
A hacker accesses a computer or network without the authorization of the
system's owner. By doing so, a hacker is breaking the law and can go to prison.
Those who break into systems to steal or destroy data are often referred to as
crackers; hackers might simply want to prove how vulnerable a system is by
accessing the computer or network without destroying any data. For the purpose
of this book, no distinction is made between the terms "hackers" and "crackers."
The U.S. Department of justice labels all illegal access to computer or network
systems as "hacking," and that usage is followed in this book.
An ethical hacker is a person who performs most of the same activities a hacker does
but with the owner or company's permission. This distinction is important and can
mean the difference between being charged with a crime or not being charged. Ethical
hackers are usually contracted to perform penetration tests or security tests.
Companies realize that intruders might attempt to access their network resources and are
willing to pay for someone to discover these vulnerabilities first. Companies would
rather pay a "good hacker" to discover problems in their current network configuration
than have a "bad hacker" discover these vulnerabilities. bad hackers spend many
hours scanning systems over the Internet, looking for openings or vulnerable systems.
Some hackers are skillful computer experts, but others are younger, inexperienced
people who experienced hackers refer to as script kiddies or packet monkeys. These
derogatory terms refer to people who copy code from knowledgeable programmers
instead of creating the code themselves. Many experienced penetration testers can
write computer programs or scripts in Perl (Practical Extraction and Report Language,
although it's always referred to as "Perl") or the C language to carry out network
attacks. (A script is a set of instructions that run in sequence to perform tasks
on a computer system.)
An Internet search on IT job recruiter sites for "penetration tester" produces hundreds
of job announcements, many from Fortune 500 companies looking for experienced
applicants. A typical ad might include the following requirements:
 Perform vulnerability, attack, and penetration assessments in Internet, intranet, and wireless environments.
 Perform discovery and scanning for open ports and services.
 Apply appropriate exploits to gain access and expand access as necessary.
 Participate in activities involving application penetration testing and application source code review.
 Interact with the client as required throughout the engagement.
 Produce reports documenting discoveries during the engagement.
 Debrief with the client at the conclusion of each engagement.
 participate in research and provide recommendations for continuous improvement.
 participate in Knowledge sharing.
Penetration testers and security testers usually have a laptop computer configured
with multiple OSs and hacking tools. The online resources accompanying this book
contains the Linux OS and many tools needed to conduct actual network attacks.
This collection of tools for conducting vulnerability assessments and attacks is
sometimes referred to as a "tiger box." You can order tiger boxes on the Internet, but if
you want to gain more experience, you can install multiple OSs and security tools on
your own system. Learning how to install an OS isn't covered in this book, but you
can find books on this topic easily. The procedure for installing security tools varies,
depending on the OS.