Just a few months ago, my team found the back door of a network left open by a previous penetration tester for one of our clients. Unfortunately for this client, they thought they were taking the necessary steps to protect their data, but they learned a valuable lesson: not all penetration testers are created equal.
Widely available books and other training resources target the smallest set of prerequisites in order to attract the largest audience. Many penetration testers carry the techniques used in simplified examples over to real-world engagements, where the network environment can be much more dangerous. Malicious threat actors are incentivized to attack and compromise penetration testers and, given current practices, can do so easily and with dramatic impact.
In my most recent white paper and presentation at Black Hat and DEF CON this week, entitled "Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools," I explore how widely available learning materials used to train penetration testers lead to inadequate protection of client data and penetration testing operations. You can download the full white paper by clicking here.
For a profession that specializes in reporting on vulnerabilities, it is important that a penetration testing firm have its own house in order. To provide secure services for clients, efforts must be made to improve tools, techniques, and processes. In turn, improvements must be made in the training and reference material that define standard procedures.