A Security Tester (a.k.a. Ethical Hacker) probes for and exploits security vulnerabilities in mobile based and web-based applications, networks and systems.
Testers use a series of penetration tools – some predetermined, some that custom designed – to simulate real-life cyber attacks. Aim is to help an organization improve its security.
Testers are expected to document and explain testing methods and findings.
Overall, a terser is likely to be required to:
Perform formal penetration tests on mobile and web-based applications, networks and computer systems
Conduct physical security assessments of servers, systems and network devices
Design and create new penetration tools and tests
Probe for vulnerabilities in mobile application, web applications and any standard applications
Pinpoint methods that attackers could use to exploit weaknesses and logic flaws
Employ social engineering to uncover security holes (e.g. poor user security practices or password policies)
Incorporate business considerations (e.g. loss of earnings due to downtime, cost of engagement, etc.) into security strategies
Research, document and discuss security findings with management and IT teams
Review and define requirements for information security solutions
Work on improvements for security services, including the continuous enhancement of existing methodology material and supporting assets
Provide feedback and verification as an organization fixes security issues
During the penetration test, a tester is typically focus on exploiting vulnerabilities (e.g. making it a goal to break part of a system).
A penetration testing team may be able to simply take pictures standing next to the open safe, or to show they have full access to a database, etc., without actually taking the complete set of actions that a criminal could.
Penetration Tester Vs. Vulnerability Assessor
“Penetration Tests are designed to achieve a specific, attacker-simulated goal and should be requested by customers who are already at their desired security posture. A typical goal could be to access the contents of the prized customer database on the internal network, or to modify a record in an HR system.”
“Vulnerability Assessments are designed to yield a prioritized list of vulnerabilities and are generally for clients who already understand they are not where they want to be in terms of security. The customer already knows they have issues and simply need help identifying and prioritizing them.”
In simple terms, Vulnerability Assessors are list-orientated and Pen Testers are goal-orientated.