Don’t think that a pentest will reveal all the problems, or that its result is an objective assessment of the information security of your company or product.
A pentest only shows what a specific team of specialists, under given conditions (time, place, attacker model, competencies, permitted actions, legal restrictions, priorities, moon phase), can achieve by imitating the work of an attacker.
Remember: pentesters are not real attackers, who can combine theft, hacking, blackmail, bribery of employees, document forgery, their own influence and other human factors. Everything is coordinated a hundred times over, the load is controlled, and everybody knows what’s going on.
A pentest is also a matter of luck. Today you managed to pull the administrator’s password out of RAM and escalate to domain administrator over the entire corporate network; tomorrow it is no longer there, and all that goes into the report is simple access to some old server.
Differences between similar jobs
In addition to the “pentester”, there are also “red teamers”, “bug hunters”, “researchers”, “auditors” and plain information security experts. All of these can be one person or different people with overlapping competencies. Let’s try to make sense of these terms:
Auditor
This specialist is given all the documents, network diagrams and device configurations, and on that basis draws conclusions and makes recommendations for the organization. Because the information is open, an audit provides the greatest coverage of all IS processes and a complete view of the entire infrastructure.
The auditor rarely checks each setting in the organization himself; usually the information is provided by the customer, and sometimes that data is simply outdated or incorrect.
The efforts of auditors and pentesters need to be combined to check both: the paperwork describing business processes, and how those processes are implemented in practice.
Researcher
A pentester in the purest sense is not a researcher; he simply doesn’t have the time for it. By “researcher” we mean a specialist who can deploy a particular piece of software and examine only it for several weeks or even months.
Now imagine that you hire a specialist to test your corporate infrastructure, and he spends the whole time studying the “send a Valentine” software installed on one employee’s computer. Even if he succeeds, the results of his work are of little interest to you.
Red Teamer
Red team is a completely different testing philosophy. It suits companies with mature IS that have already been through audits and pentests and have fixed all the problems those found.
Differences from pentest:
- Only a few people know about the red teamer’s work; everyone else faces the attacks in real time.
- The work is covert: attacks may come from cloud hosts at night.
- There is no need for test coverage: finding a password on github.com is enough.
- A wider range of influence: 0days can be used and persistence established in the system.
- The work is carried out over a long period (several months, a year) and does not require haste; during that time the customer’s infrastructure can be studied on lab stands built for the purpose, to minimize triggering of the protective equipment.
Bughunter
It is incorrect to compare the bug hunter with the pentester; it is like comparing warm with soft, one does not interfere with the work of the other. But we can say that pentester is more of a position: his work involves a certain amount of formal tasks under an agreement with the customer, following a fixed methodology and ending in formal recommendations.
It is enough for a bug hunter to find a hole in any site (usually from a list of sites) and send proof of the error (preconditions, steps).
Once again: no preliminary agreements, no approvals. You simply found a vulnerability and sent it to the customer through a platform (www.hackerone.com, for example). But the competition here is high, so it is better to treat it as a form of additional income for the pentester.