Dec 9, 2013

A New Generation Of Penetration Testers

It is no big news that we are facing an ever increasing threat landscape when it comes to IT-Security. The last few years proved that cyber attacks not only grew in numbers but also in intensity and complexity. Voices from within the IT-Security industry point in a similar direction, the supply of cyber security professionals does not seem to satisfy the demand of the market. These facts can be accredited to a lot of different factors, one of them being the progress of technology itself as well as the professionalization of various criminal hacker organizations for example. Since better technology also brings better tools, a lot of hacking tools became available to a broader public.



A new generation arises

Talking to a lot of fellow hackers and watching the security industry closely for the last few years, the rise of a new school of hackers I call New Wave Penetration Testers can be observed. Sometimes people also refer to this as "New School Hackers" or "Advanced Scriptkiddies". What I mean by this phrase is the generation of security enthusiasts and hackers that grew into security by learning... security. Many of this new generation hackers got interested into security because of the image and cool, lone-star-ish atmosphere that seems to surround hackers (The Matrix 1 & 2 may have done their fair share to create this "cool" image), the career opportunities that the security industry currently offers or other reasons directly related to hacking and penetration testing. These professionals use security as a dedicated step in their career path they chose. Take a look at the number of hacking-tutorials and videos that popped up during the last 3-4 years if you doubt the rise of newschool hackers. On the other side you have the "Old School Hackers" which kind of organically grew into hacking. Many of them started by being system admins, developers or system engineers and got into security as one of many steps in their career paths. This is no news in itself and there are endless flame wars going on about what is better or worse and I won't endorse any of this. What is more interesting are the factors that lead to the rise of the New Wave of Penetration Testers. Two major factors can be identified that enabled so many people to get into penetration testing and ethical hacking:

Virtualization

The first major factor is the increasing dissemination and maturing of virtualization technology. Hosting your own private virtual penetration testing lab can be achieved today without paying for any software just by investing some of your precious time and effort. Since Oracle's VitualBox gained more popularity as well as VMware's free version, the possibilities to set up realistic scenarios and train on them seem endlessly. Long gone are the times where you had to fight with VirtualBox' installation and configuration for hours just to encounter a cryptic error message when trying to fire up your Backtrack 3 ISO.

Mature tools and distros

Virtualization is only one side of the coin. The second major factor is the maturity level that penetration testing tools (Can you say "Metasploit"? Can you all give me a "Nessus"?) and distributions such as Backtrack / Kali or Pentoo have reached. A fitting example is wireless hacking. Some of you may remember how difficult it was under Backtrack 3 or 4 to get your wireless card to work and to make it injection-ready. Today this works fully out of the box when you start your VirtualBox and Kali for the first time. Another influence is the vast range of attackable target machines that is available online and for free today. The rise of these boxes led to another push for learning infrastructure penetration testing. Before all the vulnerable boxes arrived it was rather difficult to sharpen your infrastructure hacking skills until you were either walking at the border of legality or had a company that acutally let you test their infrastructure. Web application targets and wireless targets are much more easier to set up or to find than full-blow, segmented corporate networks.

TL;DR: Virtualization and knowledge sharing smoothened the way for a new generation of pentesters and hackers.


No comments:

Post a Comment