Tips for an Information Security Analyst/Pentester career - Ep. 76 - Experience-based tips 101 (no. 2)
As my career as a penetration tester progresses, I'm dealing with more and more complex projects and have to face increasingly challenging scenarios, so I'm learning new lessons every day.
I'm learning as I go, so I'm adding these new tips to my ideal notebook, and so should you.
As a security professional, you need a second to step back and take the time to learn from your mistakes and mishaps.
These are two lessons I recently learned that I want to share with my readers, hoping they're gonna help those approaching this industry for the first time to have the right attitude.
a) Stick to the testing window defined by the ROE (rules of engagement).
If you test when you're not supposed to and things go south, you're up a creek without a paddle. However, if that happens over the timeframe you were given for testing, you can't be held liable for it, and your actions are justified. One of my recent projects involved overnight and weekend testing, so I had to perform my activities strictly within the timeframe I was given. Something went wild with my scans one day and the client's SOC thought they were under attack. Instead, it turns out my scans had somehow triggered some false positives. However, I was authorized to perform my attacks and my scans over those hours, so at the end of the day I was justified and didn't cause embarrassment to my company or dissatisfaction to the client. Had that happened outside the hours I was given, that could've caused serious issues, including potential lawsuits and even termination. NEVER DO THAT.
b) When performing internal engagements, export all the scans and files you created to your machine asap. If something happens and you wait too long, or access to the remote machine is shut down due to the end of the engagement or other reasons, you're not gonna be able to recover the files you need for the report. In most cases, you'll need Nmap and Nessus scans to be saved to your machine, at a minimum. I also normally create some output files when I manually validate vulnerabilities, in order to have evidence of the issues I detected and also to remember what I specifically did. I normally need those files for reporting purposes. Should I ever lose access to them before my reporting, I'd be in trouble. The fact is, especially for large engagements, you keep moving forward, trying to get all the work done asap, when you should also worry about exporting all the files you create, also because the machine you used will be wiped and probably reused for another engagement.
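For tip a), a pre-flight check run before every scan keeps a long job from starting, or overrunning, outside the authorized hours. This is an added example, not code from the original post: the window (nightly 22:00-06:00 plus full weekends), the client's UTC-5 offset and all function names are assumptions to replace with what your ROE actually says.

```python
from datetime import datetime, time, timedelta, timezone

# Constructed ROE values (assumptions): client local time is a fixed UTC-5,
# testing is allowed nightly 22:00-06:00 and all day Saturday and Sunday.
CLIENT_TZ = timezone(timedelta(hours=-5))
NIGHT_START_HOUR = 22
NIGHT_END_HOUR = 6


def allowed_intervals(day):
    """Authorized (start, end) spans that begin on calendar date `day`."""
    midnight = datetime.combine(day, time(0), CLIENT_TZ)
    spans = [(midnight + timedelta(hours=NIGHT_START_HOUR),
              midnight + timedelta(days=1, hours=NIGHT_END_HOUR))]
    if day.weekday() >= 5:  # Saturday or Sunday: the whole day is in scope
        spans.append((midnight, midnight + timedelta(days=1)))
    return spans


def window_close(now):
    """Return when the window containing `now` closes, or None if outside it."""
    if now.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    local = now.astimezone(CLIENT_TZ)
    spans = sorted(s for d in range(-3, 4)
                   for s in allowed_intervals(local.date() + timedelta(days=d)))
    merged = []
    for start, end in spans:
        # Night and weekend spans touch or overlap (Fri 22:00 -> Mon 06:00),
        # so merge them before looking for the one that contains `now`.
        if merged and start <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    for start, end in merged:
        if start <= local < end:
            return end
    return None


def may_start(now, expected_runtime):
    """True only if a job of `expected_runtime` finishes before the window closes."""
    close = window_close(now)
    return close is not None and now + expected_runtime <= close


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("window closes:", window_close(now))
    print("OK to start a 2h scan:", may_start(now, timedelta(hours=2)))
```

Logging the result of the check next to each scan's output also gives you a timestamped record that the activity started inside the authorized window.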
Wrap-up
As a penetration tester, I often worry about being as effective as possible with what I do and about sticking to the number of hours and the deadlines I was given for each specific project.
I think all this is paramount to quickly progress in this industry.
The most important thing to keep in mind when performing a penetration test is that it's supposed to be a tool to aid the client's business, so it's useful and relevant only if it meets the client's needs.
So, for your work safety and your professional reputation, don't screw up with the testing window.
If the client gave you a specific time window for the pentest, there are always some good reasons for it that you might not necessarily know, but that you nonetheless have to respect.
Remember the customer's always right and pays for your services, so you're not in charge.
You need to do as you're required, and you better do so, if you don't want to have a hard and unpleasant time with some of the client's C-suites and your own boss.
I think you got the picture, right?