Daily Archives: January 1, 2019

What Makes a Professional Penetration Tester?

Penetration testers, often called “ethical hackers,” are highly skilled professionals who test computer networks, systems, applications, etc. for vulnerabilities before malicious (or unethical) hackers do. Find out what it takes to be an invaluable pentester below.

The Role At A Glance

On a daily basis, penetration testers are in charge of protecting their organization’s networks, systems, and/or applications. To do that, they perform “ethical hacks” or “penetration tests” of those networks to identify potential vulnerabilities and report them to the responsible decision makers with professional recommendations. Their responsibilities continuously expand with the number of new threats each year.

There are three main career paths for professional penetration testers: in-house, as part of a consulting firm (or their own consulting business), or as freelancers.

According to the Bureau of Labor Statistics (BLS), information security analysts, including penetration testers, make an annual median salary of $95,510. Additionally, their employment is expected to grow 28% by 2026, much faster than the average for all occupations.

Day-2-Day Responsibilities

On a daily basis, penetration testers are responsible for testing a company’s network, infrastructure, applications, etc. for vulnerabilities, ensuring that all assets are secure. In greater detail, pentesters will:

  • Conduct Tests on Networks and Applications: Penetration testers test a company’s systems and its web or mobile applications to find the vulnerabilities they may contain.
  • Physical Security Assessments: Because vulnerabilities can also be present in physical servers and network equipment, pentesters test those too.
  • Conduct Security Audits: By conducting audits, penetration testers can establish the overall security risk of a company and recommend best practices to follow.
  • Analyze Security Policies: Companies often think they have strong security policies… until they are breached. Testing those policies against realistic scenarios confirms (or refutes) that belief.
  • Write Security Assessment Reports: Because no job is really done without a final report, penetration testers compile their findings and recommendations in a penetration test report destined for either their employer or their client.

Of course, responsibilities might vary depending on the seniority of professional pentesters, and the size and/or needs of the company they work for.

Necessary Skills

Professional penetration testers know that practical skills are crucial, but so are personal skills… Here are some of the most important skills to have to be a successful penetration tester:

  • System Security — The processes involved in keeping information confidential and assuring its integrity.
  • Network Security — The security testing methodology, techniques, and tools for networked PCs and devices.
  • Web Applications — The testing methodology, techniques, and tools for web applications.
  • Mobile Applications — The testing methodology, techniques, and tools for mobile applications.
  • Wi-Fi Security — The attack techniques and tools used against Wi-Fi networks, and how to detect them.
  • Social Engineering — Deep knowledge of the most modern social engineering techniques.
  • Advanced Reconnaissance & Enumeration — How to retrieve the most important pieces of information from Active Directory while remaining undetected.
  • Reverse Engineering — The techniques and tools to deconstruct software, malware, and all ranges of attacks.
  • Organizational Skills — An important part of any penetration test is the reporting phase. To do it well, pentesters need to stay organized throughout the engagement and note down every piece of information they will be required to include in the final report. Clients often judge the work of pentesters by the quality of that report, hence the importance of being organized.
  • Writing Skills — While being organized is a great skill to have, pentesters should also have good writing skills. Most of the people who read a pentest report will be C-level executives or people from non-security fields. For them to understand your report and your recommendations for fixing the vulnerabilities you found, you need to write in plain language, so steer clear of infosec jargon.

Penetration testing can be a rewarding career. Indeed, professionals in this field not only like their job for obvious financial reasons, but also find this job to be highly satisfying in terms of accomplishments.

Interested in starting a career in penetration testing? Check out our Penetration Testing Professional (PTP) training course for yourself and get your free trial below.

Sources: Job Hero, Dark Reading


Level Up Your Cybersecurity: Insights from Our Gaming Survey

Online gaming has seen a rise in popularity over the years. Many people see it as a way to unwind from a stressful day or complete new challenges. However, just like any other internet-connected channel, online gaming can expose users to a variety of cybersecurity risks. So, to examine the relationship between cybersecurity and gaming, we decided to survey 1,000 U.S. residents ages 18 and over who are frequent gamers. *

Time to Upgrade Your Online Safety

Of those surveyed, 75% of PC gamers chose security as the element that most concerned them about the future of gaming. This makes sense, since 64% of our respondents either have been, or know someone who has been, directly affected by a cyberattack. And while 83% of the gamers do use antivirus software to protect their PCs, we found that gamers still engage in risky online behavior.

Poor Habits Could Mean Game Over for Your Cybersecurity

So, what does this risky behavior look like, exactly? The following sums it up pretty well:

  • 55% of gamers reuse passwords for multiple online accounts, leading to greater risk if their password is cracked.
  • 36% of respondents rely on incognito mode or private browsing to keep their PC safe.
  • 41% read the privacy policies associated with games, though this technique won’t help to keep their device secure.

With these lax habits in place, it’s not hard to believe that 38% of our respondents experienced at least one malicious attack on their PC. And while 92% installed antivirus software after experiencing a cyberattack, it’s important for gamers to take action against potential threats before they occur.

Level Up Your Gaming Security

Now the question is – what do these gamers need to do to stay safe while they play? Start by following these tips:

  • Do not reuse passwords. Reusing passwords makes it easier for hackers to access more than one of your accounts if they crack one of your logins. Prevent this by using unique login credentials for all of your accounts.
  • Click with caution. Avoid interacting with messages from players you don’t know and don’t click on suspicious links. Cybercriminals can use phishing emails to send gamers malicious files and links that can infect their device with malware.
  • Use a security solution. Using a security service to safeguard your devices can help protect you from a variety of threats that can disrupt your gaming experience. Look out for our newest product McAfee Gamer Security, which we launched just in time for CES 2019. Although this product is still in beta mode, it could be used to combat cyberthreats while optimizing your computing resources.

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listening to our podcast Hackable?, and ‘Liking’ us on Facebook.

*Survey respondents played video games at least four times a month and spent at least $200 annually on gaming.

The post Level Up Your Cybersecurity: Insights from Our Gaming Survey appeared first on McAfee Blogs.

Hackers claim to have insurance data linked to 9/11 attacks

The hackers who stole Orange is the New Black are back, and they've hit a new low. The group known as TheDarkOverlord claims to have stolen 18,000 documents from Hiscox Syndicates, Lloyds of London and Silverstein Properties, and threatened to release files providing "answers" for 9/11 attack "conspiracies" unless it received a ransom. A Hiscox spokesperson confirmed the hack to Motherboard and indicated that this was likely insurance data tied to litigation involving the terrorist campaign.

Via: Motherboard

Source: TheDarkOverlord (Twitter, archived)

CVE-2018-20651 (binutils)

A NULL pointer dereference was discovered in elf_link_add_object_symbols in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31.1. This occurs for a crafted ET_DYN with no program headers. A specially crafted ELF file allows remote attackers to cause a denial of service, as demonstrated by ld.
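The CVE text describes the triggering input shape precisely: an ELF file of type ET_DYN with no program headers. A defender ingesting untrusted object files (for example, before handing them to ld in a build or analysis pipeline) can screen for that shape with a few header fields. The following C program is an added example written for this page, not binutils or libbfd code; it parses only the ELF identification bytes and the e_type/e_phnum fields, using the standard ELF header layout (ELF32 and ELF64, both byte orders) and the ELF-specified constants ET_DYN = 3, ET_EXEC = 2 and EM_X86_64 = 62. The `build_elf64_header` helper fabricates a minimal header purely so the check can be exercised offline; the bytes it produces are constructed, not taken from a real file.

```c
/* Added example: pre-check for the ELF shape named in CVE-2018-20651
 * (ET_DYN with zero program headers). Not binutils code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static const uint8_t ELF_MAGIC[4] = { 0x7f, 'E', 'L', 'F' };
#define ELFCLASS32 1
#define ELFCLASS64 2
#define ELFDATA2MSB 2
#define ET_EXEC 2
#define ET_DYN 3
#define EM_X86_64 62

/* Result codes of elf_precheck(). */
enum {
    ELF_OK = 0,
    ELF_SUSPECT_DYN_NO_PHDRS = 1,   /* the CVE trigger shape */
    ELF_ERR_SHORT = -1,
    ELF_ERR_MAGIC = -2,
    ELF_ERR_CLASS = -3
};

static uint16_t read_u16(const uint8_t *p, int big_endian)
{
    return big_endian ? (uint16_t)((p[0] << 8) | p[1])
                      : (uint16_t)(p[0] | (p[1] << 8));
}

/* Inspect the ELF header in buf[0..len) and classify it. Only the
 * identification bytes, e_type and e_phnum are consulted; offsets follow
 * the ELF specification (e_phnum at 44 for ELF32, 56 for ELF64). */
int elf_precheck(const uint8_t *buf, size_t len, uint16_t *phnum_out)
{
    if (len < 16) return ELF_ERR_SHORT;
    if (memcmp(buf, ELF_MAGIC, sizeof ELF_MAGIC) != 0) return ELF_ERR_MAGIC;

    int cls = buf[4];                       /* EI_CLASS */
    int big = (buf[5] == ELFDATA2MSB);      /* EI_DATA */
    size_t ehsize, phnum_off;
    if (cls == ELFCLASS64)      { ehsize = 64; phnum_off = 56; }
    else if (cls == ELFCLASS32) { ehsize = 52; phnum_off = 44; }
    else return ELF_ERR_CLASS;
    if (len < ehsize) return ELF_ERR_SHORT;

    uint16_t type  = read_u16(buf + 16, big);        /* e_type */
    uint16_t phnum = read_u16(buf + phnum_off, big); /* e_phnum */
    if (phnum_out) *phnum_out = phnum;

    /* A shared object normally always carries program headers; an ET_DYN
     * file without any is exactly the input the advisory describes. */
    if (type == ET_DYN && phnum == 0) return ELF_SUSPECT_DYN_NO_PHDRS;
    return ELF_OK;
}

/* Constructed test input: a minimal little-endian ELF64 header with the
 * requested e_type and e_phnum. Returns the header size (64 bytes). */
size_t build_elf64_header(uint8_t *out, uint16_t e_type, uint16_t e_phnum)
{
    memset(out, 0, 64);
    memcpy(out, ELF_MAGIC, 4);
    out[4] = ELFCLASS64;  out[5] = 1;  out[6] = 1;      /* class, LSB, version */
    out[16] = (uint8_t)e_type;    out[17] = (uint8_t)(e_type >> 8);
    out[18] = EM_X86_64;                                 /* e_machine */
    out[20] = 1;                                         /* e_version */
    out[52] = 64;                                        /* e_ehsize */
    out[54] = 56;                                        /* e_phentsize */
    out[56] = (uint8_t)e_phnum;   out[57] = (uint8_t)(e_phnum >> 8);
    return 64;
}

/* Build a synthetic header and run the check over its first `len` bytes. */
int check_synthetic(uint16_t e_type, uint16_t e_phnum, size_t len)
{
    uint8_t hdr[64];
    build_elf64_header(hdr, e_type, e_phnum);
    return elf_precheck(hdr, len < sizeof hdr ? len : sizeof hdr, NULL);
}

int main(void)
{
    printf("ET_DYN, 0 phdrs  -> %d (1 = suspect)\n", check_synthetic(ET_DYN, 0, 64));
    printf("ET_DYN, 3 phdrs  -> %d\n", check_synthetic(ET_DYN, 3, 64));
    printf("ET_EXEC, 0 phdrs -> %d\n", check_synthetic(ET_EXEC, 0, 64));
    printf("truncated header -> %d\n", check_synthetic(ET_DYN, 0, 20));
    return 0;
}
```

The check is deliberately a filter, not a full parser: it answers only whether a file matches the advisory's trigger shape, so it is cheap to run on every artifact that enters a pipeline, and a positive result is a reason to quarantine the file and to confirm that the binutils in use is a fixed release rather than 2.31.1.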