How to Become a Penetration Tester: 2024 Guide (stationx.net)


When looking at job ads, the most requested hard skills by employers are:

  • Networking
  • Information Security
  • Penetration Testing
  • Linux
  • Active Directory
  • Python
  • Java
  • Vulnerability Assessment
  • Information Systems
  • Software Development
  • Project Management

Some of these required skills are very broad and general. “Networking,” for example, can mean many things. To illustrate this, Cisco has five levels of certification (Entry, Associate, Professional, Expert, and Architect) and nine different learning paths. All of those are “Networking,” but they are not equal. 

There is a huge difference between a Cisco Certified Network Associate (CCNA) and a Cisco Certified Internetwork Expert (CCIE). Salary alone differs by roughly $50,000 per year between the two. 

So, let’s break down these skills and define them into more concrete and actionable topics.

Networking

In this context, we define networking as understanding how devices communicate.

This can be done physically through network devices, such as switches and routers. It can also be done virtually through cloud and virtualization technology (of course, physical devices are still required to access the network).

Understanding the how and why of networking is crucial to knowing how to manipulate and abuse it. ARP spoofing, VLAN hopping, setting up a rogue DHCP server, and DNS hijacking are all attacks an ethical hacker can perform if they understand how networks function.

You don’t need to be a networking engineer, but you should understand the fundamentals of enterprise networking. A CompTIA Network+, Cisco CCNA, or Juniper JNCIA equivalent knowledge base is sufficient. Read our Network+ vs CCNA article to help determine which is best suited for you.

Cyber Security / Information Security

Another necessary fundamental: an understanding of encryption, authentication, OS and application security, and threats and vulnerabilities. Knowledge equivalent to CompTIA’s Security+ or (ISC)2’s SSCP (Systems Security Certified Practitioner) is a solid foundation to build your skills upon.

Penetration Testing

We will discuss training in detail below.

Linux

96.3% of the world’s top 1 million servers run on Linux. 90% of all cloud infrastructure operates on Linux. In most cases, you will use a Linux operating system (such as Kali, Parrot, or Black Arch) to perform your testing. Get used to Linux!

Active Directory

90% of the Global Fortune 1000 companies use Active Directory, which means you will most likely be attacking it. Learn how it works.

Python

The majority of modern exploits are written in Python. It is a simple yet versatile scripting language, capable of being run natively on Linux and macOS, and can be set up on Windows machines. While you don’t need a programmer’s skill level, you should be able to look at a Python script and understand it well enough to make simple modifications.

Java

Java is mainly used in web applications. More and more software has become web-based, and web-app pentesting has become a vast and lucrative field, making a background in Java valuable.

Vulnerability Assessment

Vulnerability assessment is determining whether a vulnerability is a real threat and, if so, how to mitigate it. Vulnerability scanning tools like Nessus and Qualys can speed up the discovery of vulnerabilities and provide a risk score so you can more easily prioritize which to fix first and which you may consider acceptable risk.

Information Systems

“Information Systems” can mean different things in different contexts. In this context, we’re talking about any device that can access and interface with a network.

From a penetration testing perspective, understanding what registry entries in Windows systems are for, how operating systems store user accounts and passwords, typical default credentials used by different manufacturers, and how to tell what version of Linux a host is running are all information a hacker can use in their attacks.

Software Development

There are different skill levels in software development.

  • You won’t need to know too much coding as a junior pen tester.
  • An exploit developer requires a significant understanding of programming and how operating systems work “under the hood.”
  • Web app pentesters will want to understand PHP, Java, and SQL. They may be given the application’s source code to review and fix the flaws they’ve found.
  • Even at a basic level, most modern public exploits are written in C or Python, but Perl and Ruby are not uncommon. Many penetration testing tools for Windows systems are written in PowerShell. Many will require some changes before they will work.

You don’t need to be an expert in everything, but at a minimum, you should be able to look at code and follow what it’s doing.

Project Management

While you wouldn’t need to pursue PRINCE2 or Project Management Professional certifications, the ability to look at a project, break it down into reasonable milestones, and see it through is important. Many steps, from initial contact with the client to the final debrief, need to be taken. Even the testing itself comes in stages. 

Some of the top skills that are growing in demand are:

  • Container Security
  • Comprehensive Software Security
  • Threat Hunting
  • SaaS (Software as a Service) Application Security
  • Anomaly Detection

Soft Skills Needed for Ethical Hacking

While job postings are usually low on soft skill requirements, they can be as, if not more, important than hard skills. These skills allow you to sell yourself to the client, organize a readable report worth paying for, and push yourself forward when you hit a wall.

These skills include

  • Interpersonal and communication skills: The most important skill on this list. You are working with clients. They trust you with their network. They are looking to you and your expertise to protect themselves. In some cases, you are pitching the service. Learn this skill!
  • Critical/analytical thinking: There is no straightforward path to take when trying to hack into a system. Sure, there are methodologies to follow, but situations are unique. You need to be able to look at the bigger picture, find what doesn’t belong, what’s misconfigured, and what can be abused or changed. It’s a puzzle that may or may not have an answer.
  • Persuasion: This is more useful for higher-up roles, such as consulting and management. It also comes into play if you are doing social engineering.
  • Adaptability: The famous motivational phrase and popular meme from Bear Grylls, “improvise, adapt, and overcome,” certainly applies to pentesting. As we said earlier, you will hit walls. You will encounter technology you’ve never seen before. You will be running short on time. Time to adapt.
  • Collaboration/teamwork: Sometimes, you will be working on your own. Other times you may be part of a team on the same project. You will often have a technical contact, such as a network administrator, at the client in case of an issue. You need to be able to work smoothly with others.
  • Attention to detail: You will be preparing reports that state what the vulnerabilities are, what tools were used, pictures as proof, and recommendations for remediation. These need to be high-level for the executives and very detailed for their IT admins. You also need to be sure not to do anything that will cause them downtime or damage their systems.
  • Passion: This is not a job where you do the minimum while watching the clock. You need to love this. Hacking needs to excite you. If it doesn’t, look at another field within cyber security. 
  • Problem-solving: That’s what hacking is - problem-solving. The system is designed to keep you out. You want in. Solve the problem.
  • Honesty and ethics: You’re being asked to play the criminal. Clients are putting a great amount of trust in you not to abuse your access by stealing information, extorting them, or lying to cover up a mistake.

Do I Need to Know Programming to Become a Penetration Tester?

The answer is somewhere in the middle. A junior penetration tester can get by without being able to code. That said, understanding the basics well enough to read through code and modify it slightly is necessary for pentesters of any level. As you move forward in your career, coding becomes much more important.

You will often use publicly available code referred to as “exploits”. These public exploits are often written in either Python or C (primarily Python). Without knowing what the exploit is actually doing, firing it on a client system is a huge risk.

  • Is the exploit making permanent changes you will need to restore? 
  • Is it adding default credentials to a client system that attackers might be aware of? 
  • Is it malicious and calling back to another hacker? 

If you aren’t confident enough in your ability to read the code, you can’t use it safely.
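As an added example (not code from the guide), a first-pass triage script for the three questions above: it flags lines in a downloaded proof-of-concept that make persistent changes, add credentials, contact something other than the agreed target, or hide code behind decoding. The sample script text, the pattern lists, the `review_poc` function and the idea of passing the agreed target address are all constructed here; it is a reading aid for the tester, not a substitute for reading the code.

```python
import re

# Constructed sample of a public-PoC-style script. It is not a real exploit;
# it only contains the kinds of lines the guide says you must spot before use.
SAMPLE_POC = '''
import socket, os, base64
TARGET = "10.0.0.5"
os.system("useradd -p x backdoor")                 # adds an account on the host
open("/etc/cron.d/persist", "w").write("...")       # permanent change
s = socket.create_connection(("203.0.113.7", 4444)) # contacts a third party
exec(base64.b64decode("cHJpbnQoMSk="))             # code hidden behind decoding
'''

# Regexes per risk category (constructed, deliberately broad: a hit means
# "read this line carefully", not "this is malicious").
CHECKS = {
    "persistent_change": [r"\bopen\([^)]*['\"]w", r"/etc/cron", r"\bcrontab\b",
                          r"\.bashrc", r"\breg add\b", r"\bschtasks\b"],
    "credential_added": [r"\buseradd\b", r"\bnet user\b.*/add", r"\bpasswd\b"],
    "network_callback": [r"create_connection\(", r"\.connect\(", r"urlopen\(",
                         r"requests\.(get|post)\("],
    "obfuscation": [r"b64decode\(", r"\bexec\(", r"\beval\(", r"\bmarshal\b"],
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def review_poc(source: str, agreed_target: str) -> dict:
    """Return {category: [line numbers]} plus any literal IPs that are not the target."""
    findings = {category: [] for category in CHECKS}
    for lineno, line in enumerate(source.splitlines(), 1):
        for category, patterns in CHECKS.items():
            if any(re.search(p, line) for p in patterns):
                findings[category].append(lineno)
    # A hard-coded address other than the engagement target needs an explanation.
    findings["foreign_ips"] = sorted({ip for ip in IP_RE.findall(source)
                                      if ip != agreed_target})
    return findings


if __name__ == "__main__":
    for category, hits in review_poc(SAMPLE_POC, "10.0.0.5").items():
        print(f"{category:18s} {hits}")
```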

At higher levels, it becomes more important for a few reasons. 

Web application penetration testing, as mentioned earlier, makes up a large percentage of the penetration testing landscape. Java and PHP are common in this discipline. Knowing these languages makes you a better pentester and allows you to tell a client what specifically needs to be fixed to secure their code.

Bash and PowerShell are scripting languages used by Linux and Windows systems respectively. Python, as we already mentioned, is a scripting language commonly used in pentesting and is used by network admins to roll out mass changes to a system, especially in cloud environments. You will be using these daily as a pentester.

Lastly, any public code that can be used by hackers has likely been cataloged by at least some of the major antivirus and security companies. Making changes to avoid detection, or at much more advanced levels, actually coding your own tools, will make you a much stronger ethical hacker.

We would also say that learning Python is one of the best ways to grow your skills and advance your career.

Getting the Necessary Qualifications to Become a Pen Tester

There are countless cyber security certifications available, and for many students, it becomes overwhelming to try and decide which have value and which don’t. This can be frustrating when you consider the amount of study required and the cost involved in writing the exams.

Let’s examine some of the most frequently asked-for certifications:

General cyber security certifications

While these are some of the most common certifications seen in job postings, we want to be clear that our recommendations only partially align with this list.

Security+ is an excellent certification to get if you’re a beginner because it covers the fundamentals of information security. Having this certification tells employers you understand the terminology and are knowledgeable in a wide variety of security practices. Our Security+ Exam Cheat Sheet and 10 Tips to Pass the CompTIA Security+ Exam article can help you with this goal.

CISA and CISSP, by contrast, are NOT entry-level certifications. These are for individuals looking to move from an intermediate to an advanced career level.

You should pursue CISSP as a certification in your career. CISSP is the closest there is to an industry-wide standard certification and should be the goal of anyone wanting a career in information security. That said, it is not for those just starting in cyber security.

It is also worth noting that SANS certifications are very expensive, and it is common for those in the industry to request employers pay for the training and certification rather than the individual get it themselves.