Many organizations fail to hire an ideal pentester, maybe because there are not enough candidates, maybe because they are too expensive, and they end up looking for the following alternatives:
- To train a potential candidate, but he currently does not have the ability to get the job done.
- To hire a hacker who is engaged in illicit activities and promote him as a pentester. (bad idea)
- To give up the idea of offering pentesting and begin to offer “all-in-one” solutions.
However, those strategies does not only outcome poor results for the organization, but also represent a real danger to the customer’s systems.
What are these risks?
The risks of a poor choice of candidates lead to:
- Reputational risks for both the audit firm and the end customer.
- Risk of compromising the security of the customer platform.
- Risk of compromising the stability of the customer platform.
- Risk of leaving out of service the customer platform, causing him losses.
- Risk that the work done does not generate a tangible benefit according to its cost.
We must remember that the security provider will live and get new customer jobs according to its reputation.
So, lets begin the analysis, the first question is: Why not to apply the conventional model of the expert who teaches junior?
Hiring a junior is a good idea if he knows the fundamental knowledge and you have a good senior auditor who teaches him, but unfortunately not anyone can be molded as a hacker. Not everyone have the skills to understand things beyond the technical thing (which itself is challenging).
First of all, we must understand that it can take several years until a junior is ready to handle the first client. The problem of leaving them alone is not only in responsibility, but also in analytical work and in potential risks.
Some of the work can be automated, but only after analyzing what is required.
For example:
To run a vulnscan tool, which can run for only several minutes, the pentester is required to perform some deep inspection of the technologies and the company itself to set up the proper vulnscan parameters. Such inspection requires some experience on the part of the auditor.
If you run the tools without knowing what you are doing (E.G. trying to exploit an SQL injection in a field for LFI or vice versa), you will not only waste the time, you will not get any tangible results, and you will be charging the customer with some overtime, delivering a false sense of security.
Intuition and experience:
But the things can go worse, if a newbie performs an automated task, in which he executes all types of possible tests on all possible fields, he will not only achieve little or nothing and puts at risk the whole customer organization (E.G. DROP TABLES, Denial of Service, etc …).
An ethical hacker with experience and intuition will first explore the vectors where he knows that the programmer could have committed some mistakes achieving immediate or near-immediate results. And this can be done with relatively little previous information.
So, what are the Decision Parameters?:
We understand that choosing an “ethical hacker” to do pentesting work is not a simple task. Among the factors for selecting a consultant must deprive the following:
- Reputation: If, for example, such person is known to be currently involved in illicit activities, it is not a good sign. A simple trap to discard candidates is to ask the candidate if he can hack a gmail account. If the candidate said yes, discard him immediately.
- Experience: Experience is not having been in a chair occupying a position for 15 consecutive years. I recommend focusing the search for the following details:
- Result of their work (How far has he penetrated?)
- How many jobs he has done (diversity)
- Milestones and achievements (E.G. strategies that have resulted in success, 0-days, published source code, etc etc).
- Certifications and Academic Qualifications.
- Skills: Skills are not necessarily tied to experience. And here is the decisive factor to hire a junior. The details to focus on are:
- How good a hacker is: A hacker will try to understand how things work. If the person seeks to understand how things work, then it is a good candidate, even if he have not had any experience.
- Audit skills: Being an auditor is no easy task. The main thing in this field is that the auditor should preserve the independence, so he will be willing to say things that may make the directors of a company uncomfortable (E.G. your “10-million dollar deployment” is flawed with this remote code execution vulnerability, and the risk of releasing this tomorrow is greater than the potential benefits).
- Innovative ability: It is important that the candidate knows how to think “outside the box” and achieve results outside the manual. This is very important because hackers attacking organizations do it that way.
- Ability to Improve and have ways to give hope: When you found a critical vulnerability, the client is not expecting you to laugh and be happy for the achievement (well sometimes yes…), but, most of the time, they expect that you can provide a tangible recommendation that will minimize both the impact of the vulnerability and the impact of implementing the required fix.
- Prior knowledge: Knowing about different architectures, platforms, programming languages give a candidate a plus. (E.G. know how to handle linux and windows as administrator, coding a security tool, …)
- Ethics and Honesty:
- Black hat hackers make millions of dollars and punishments will never outweigh the benefits. It is important that our candidate has high standards of ethics. And even if he has not had bad fame, it is good to ask malicious questions to check if this person is willing to cross the line. In that case, discard him.
- Another important point of ethics is to capture the lies. A person who lies about their experience to increase it, should be discarded. It is important to check EVERYTHING it says (experience, skills, etc.), if he is lying, discard it.
- Reports: Even if he is a good hacker, he must be able to express what he has achieved in a way that is useful to the client. Many companies have reporting templates, but the auditor should be serious about showing and explaining their findings.
- Cost: The hourly cost of an auditor is directly tied to his availability and experience. That is why we must analyze the cost-benefit for each job and avoid to discard potential candidates. If the customer has at stake several millions of dollars or risk serious reputation damage, It would be irresponsible to introduce cheap consultants to make feel the client secure. In any case, the audit firm should set a minimum standard of quality and offer several options.
- Availability: The ad-hoc auditor is a relatively busy person, may be performing professional improvement tasks, may be assigned to an activity, be in another location, or may even be competing on prices with different jobs at the same time. Availability is a factor with which we must live. And Remote work is not uncommon here.
Each client and each case will have a set of very specific requirements. That is why my recommendation for consultants is to use a mixed strategy between advanced freelancers and mid-level fixed staff that allow the creation of appropriate working teams for each event.