Penetration tests (or pen tests, for short) simulate authentic hacker attacks to detect security gaps at companies ahead of time and protect valuable data. In an interview, Georg Heise tells us how it works and lets us know what kind of qualifications penetration testers need.
Georg, you work as a Lead Penetration Tester and Consultant in IT Security at LHIND. Could you briefly describe what you do in your job?
The focus of my work is mainly on conducting penetration tests (or pen tests, for short). With the help of simulated hacker attacks on IT systems, individual applications or networks, we uncover potential weaknesses and security gaps at companies. As Lead Penetration Tester, I also coordinate our team and oversee the assignment of upcoming pen tests based on experience. In addition, I monitor the quality of our results to make sure that it remains consistently high. Advising companies and consulting with them are another part of my everyday work, especially in major projects or for clients that have never conducted a pen test before. Usually, the first thing to do here is to agree on the scope – the required extent of the testing – in order to determine realistic pricing and scheduling.
That sounds like a complex yet very exciting job. When do companies usually get in touch with you?
That depends. There are companies that already have a clear picture of what they want and book a fixed window of time in which certain penetration tests are to be conducted. Then there are other ones that may have just had a breach and need to get their services back up and running at a high cost. In that case, they want to hedge their bets for the future. After all, just because you’ve gotten your data back and your IT up and running again doesn’t mean that you’ve resolved the problem for good. When that happens, we work with companies to search for potential security gaps, find them and eliminate them. Ultimately, we help companies improve their IT security for the future.
Why are IT security penetration tests so valuable for companies?
Hacker attacks have increased dramatically in recent years. With people and businesses becoming more and more digital, and more and more vulnerable, the number of ways hackers can attack them is on the rise. At the same time, the number of successful hacker attacks has increased. Penetration testers try to look at a company through the eyes of a hacker. Only by doing so can they find security gaps under real-life conditions that automated tools or predefined processes might overlook or neglect.
The actual goal of a hacker is always to capture a company’s crown jewels as quickly as possible. To do so, they usually take an approach that bypasses a system’s intended use. Penetration testers attempt to use their experience and their knowledge of a system to trigger an error that allows a system to be compromised.
Couldn’t they just use tools to do that?
The current tools are not entirely up to the job. There are vulnerability scanners that employ highly standardized techniques to scan websites and investigate security gaps. But the tools often do not comprehend business logic, such as when there are multiple steps involved with creating an account. That requires the creativity of penetration testers, who then consider how certain steps will allow them to take other actions further downstream.
Penetration tests are simply the more authentic approach. What’s more, penetration testers combine different weaknesses. All an automated tool would do is determine that it has found ten weaknesses, for example, before rating them from low to high – without taking into account that while weaknesses one and three may be rated low on their own, they can be combined to pose a far higher risk. Penetration testers, however, can do that. Still, I think that tools will continue evolving in this direction as well in the future thanks to AI.
Whenever possible, we also try to avoid creating too much traffic while we work. Automated tools are often like a cluster bomb: You drop them and look to see what’s left in the end. Pen testers take a far more cautious approach and look at how they can derail a system without getting caught in the act. This also means that systems can continue operating and don’t have to be shut down because a scanner is causing too much of a load, for example.
“Penetration testers try to look at companies through the eyes of a hacker and expose security gaps before they become a risk.” – Georg Heise
A common term for penetration testers is “ethical hackers.” Would you consider yourself an ethically “good” hacker?
You could indeed say that penetration testers are “good” hackers. Unlike black hat hackers, we don’t use hacking methods to damage companies or make money. On the contrary, our goal is to make the World Wide Web a little safer and prevent companies from being harmed.
How do you prepare an accepted hacker attack, and what are the greatest challenges?
That depends greatly on the project in question. Are we supposed to test just the Internet-facing parts, or should we also look into insider threats? Does the company develop software itself, or does it want to test the solutions it uses? What are typical vulnerabilities at the company, and what should we focus on?
There are also various different types of pen tests that we use depending on the scenario. We differentiate between black box, white box and gray box penetration tests. While black box pen tests involve taking a purely outside perspective without access to systems or any knowledge of them, gray box tests give you somewhat more insight. Here we sit down with the client to try and understand certain workflows behind the applications to be tested before working our way through the systems bit by bit. We receive assistance with certain processes as well, or ask the client to switch off defined firewall aspects so as not to waste any time.
The third option is a white box pen test. In this variant, the pen tester knows everything about the IT infrastructure. We even have access to the source code so that we can deploy and debug applications on our own.
Which tools and analysis methods do you use in your work?
We usually work according to a five-phase model. In the reconnaissance phase, you get to know the system and gain an overview of it. In the subsequent enumeration phase, we identify potential points of entry into the tested systems. Which ports are open? Which software is used? After that, we look at whether the system is known to have any weaknesses and whether we can use or combine them. In the fourth step, known as the exploitation phase, we try to actively breach the system and immerse ourselves deeper and deeper. In the final and most important phase, we draft a report in which we document all of the security gaps we have found, derive potential security risks and state how the vulnerabilities can be resolved for good.
For each phase, there are certain tools and methods that we regularly use. We combine commercial tools and open source software with tools and scripts that we write ourselves and that allow us to address client situations in a targeted manner.
Is the move toward shifting more and more confidential and critical data to the cloud changing the ways hackers are able to attack companies?
Cloud computing naturally plays an increasingly important role in the rising risk of a successful hacker attack. But what’s more important is how cloud computing is used within a company. Are we dealing with a lift-and-shift, where the old structure has been maintained and is modeled faithfully in the cloud, or are we dealing with containerization and microservices? At LHIND, we also have the major advantage that we can specifically direct companies to our colleagues from the Cloud Team if they have technical questions related to architecture or security. We have a lot of knowledge on such subjects in-house that we are constantly sharing and building on through conferences and projects.
How does a person become a penetration tester?
There are many different paths. Some colleagues have a background in system administration or web development. Often, they have already spent many years working as developers and managing systems. Manipulating systems can be enticing to a certain extent, and you get better and better at it over time. But it can also be just as enticing to prevent systems from being manipulated. Many colleagues also have a background as analysts and have worked in security information and event management (SIEM) or at security operations centers (SOCs).
Are there basic qualifications for the job?
Pen testing and hacking are something you grow into. However, you should have a fundamental background in IT and a passion for coding and the IT world. Otherwise, it’s going to be difficult to get your foot in the door.
You also need to be very willing to learn, since the technology is constantly evolving, plus you need a certain tenacity and the ability to adapt to new situations. In development, projects can be very long and can sometimes take several years. Our projects are usually very short (1 to 3 weeks) and change quickly, so you need to be mentally agile and capable of dealing with fast system deep dives. Getting started in pen testing can be tough, but those who stick to it and continue learning usually reap the benefits of a steep learning curve.
A good network within the hacking community is also tremendously important for exchanging experiences and solutions and for keeping up with the latest developments. What’s more, that gives you the opportunity to help develop open source solutions through GitHub, for example. There are also countless meet-ups and conferences where people get together globally in the real world as well.
What makes your business unit at LHIND special?
We work in a permanent team, are well connected to each other and support each other mutually. I’ve already gained many friendships through my work. We’re also a very young, diverse and dynamic team with a large percentage of women and many different nationalities.
Each member of the team also knows what projects the others are working on. That way, we can tackle problems together quickly and share existing knowledge much more effectively. And whenever we need an expert opinion on a different topic, obtaining that knowledge is fast and easy thanks to the internal focus groups Infosec Management and Technical Infosec.
About Georg Heise
Georg Heise has worked as an IT Security Consultant at Lufthansa Industry Solutions in Norderstedt since 2018, specializing in the field of penetration tests. He earned a bachelor’s degree in international business and a master’s degree in information technology from Bond and Monash Universities in Australia. Before joining Lufthansa Industry Solutions, Georg Heise worked internationally in IT security, helping small businesses, Fortune 500 corporations and government institutions in the APAC region achieve a better security environment through pen tests and red teaming.