The Benefits of Becoming an Ethical Hacker

Q&A with senior penetration tester Leon Teale

Have you ever thought about getting paid to break into organisations’ networks?

That’s precisely what ethical hackers (also known as ‘penetration testers’ or ‘pen testers’) do. But what exactly does this career involve? Why would you pursue it? And what knowledge and skills do you need to kick-start your career?

We put these questions to our senior penetration tester Leon Teale, who’s been a qualified ethical hacker since 2012.




Why pursue ethical hacking as a career

What made you choose penetration testing as a career, and what do you enjoy about it?

Before I became a professional penetration tester, I was a systems administrator for both Linux and Windows.

To do my job well – to defend our servers and assets, as well as defend customers’ servers – I realised I had to learn:

  • How attackers could get in;
  • What methods they’d use; and
  • What they could do if they got in.

That way, I could try to fix those issues to stop attackers gaining entry. So, in a way, I was penetration testing even before formally training as an ethical hacker.

Anyway, I soon found that I much preferred [legally] breaking into systems over fixing them. Via a friend, I heard of an opening for a pen testing role, applied, and was offered the job.

And now, over a decade into my pen testing career, I still absolutely love what I do. Had I told my teenage self that I’d grow up to become a legal hacker, and get paid a lot of money to fly around the world, attempting to break into buildings and hack confidential data, I’d have probably thought I was a spy.

Naturally, I now know it’s just a profession, which anyone with the right skills can get into, but it’d have blown my mind back then.


Skills and knowledge ethical hackers need

What skills, knowledge and traits does a good penetration tester need?

You’re well on your way if you can come into penetration testing with:

  • Good knowledge of networks;
  • An understanding of Windows domains;
  • Good knowledge of both Windows and Linux operating systems; and
  • An understanding of how web servers and DNS [Domain Name System] work.

Most hacking is done from a Linux machine, so you need to know how to use Linux.

But this is something you can learn in time. In fact, I always say that anyone can learn how to use a hacking tool – which is why universities now have ethical hacking courses.

The hard part, which can take years to learn, is knowing why something is vulnerable, and what you can do to remediate a vulnerability. Given my background in systems administration and networking, I already had a lot of that down. The rest was learning how to use the right tools – and learning when not to use tools, too.

As to traits, I’d say you need a passion for computers, and must love to challenge yourself and constantly learn new things.

Are there any common misconceptions about necessary skills as an ethical hacker?

A common misconception is that you need to know different programming languages. You actually don’t.

However, if you do know any, such as Python, Ruby or Go [programming language], that’s an absolute bonus. Speaking for myself, I’ve learned to program over the years, and am building more and more of my own tools.

But you don’t need to know how to program when starting out.




A day in the life of an ethical hacker

Can you take me through your day-to-day work?

My typical day varies. It’s usually one of:

  1. ‘Actual’ hacking for a client, either on-site or remotely. This is what I think of as the ‘fun part’. Using a combination of automated tools and manual assessments, and after some reconnaissance, I’ll try to gain access to whatever it is I’m testing for the client. [Scopes are defined in advance.]
  2. The less exciting but still essential parts of the job: a day consisting of client calls and report writing. [Explained in more detail in this interview.]


Innovation and specialisation as an ethical hacker

Do you get much opportunity for innovation?

Yes. I created a few of the services that IT Governance offers now, but didn’t when I started.

Basically, I recognised these as areas we could help clients with, so learned them, built a development environment, worked on a beta version, tried it, refined it, tried it again, refined it some more, then we started offering it as a service: simulated phishing.

Ten years on, and many improvements later, this has become a major offering in our portfolio. I also helped launch our mobile application testing service, and my colleague Ross Higgins [another senior penetration tester] helped develop our Cloud tests.

It goes to show that people will listen to your suggestions and that, yes, there’s opportunity for innovation as a penetration tester. In terms of both building tools and developing services.

To what extent do penetration testers specialise?

Penetration testers can specialise in specific areas if they want, though this may also depend on their employer.

Some companies have testers who only do web application testing, for example. Others prefer testers to be ‘all-rounders’ so that they’re more versatile. Plus, having knowledge in different areas can improve efficiency in other areas.

For example, if I’m testing a web application and gain access to the underlying operating system, as someone who can also test infrastructure, I understand more of the system’s responses and can dig deeper as part of that web application test.

You might also be an all-rounder who prefers certain areas over others, so tries to get those types of test into the diary more than others. Personally, I also recommend testers learn different types of pen test to prevent pigeonholing and avoid stagnating in their career. Plus, I love the variety! But that’s just my opinion.

In short, pen testers can definitely specialise, but to what degree depends on the company, and doing so has both pros and cons.

Do you have any final words of advice?

I love the challenge and variation you get as a penetration tester, and how you’re constantly learning about different tools and technologies. There’s always something new to learn.

I’d encourage anyone to get into ethical hacking and cyber security as a whole. It’s an area in high demand, which I can’t see slowing down any time soon.


Become a certified ethical hacker

Train with our highly acclaimed instructors in our five-day ‘bootcamp-style’ Certified Ethical Hacker (CEH) v13 Training Course.

This intensive course combines theory with hands-on exercises, including online iLabs, where you’ll compete in a live cyber range challenge to hone your practical skills.

You’ll come away from this course with 35 CPD points and everything you need to pass the theory and practical exams, which are included with the v13 Elite package.

You’ll be on your way to becoming a CEH or CEH Master, and we offer an exam pass guarantee to be sure you reach your goals.

Don’t take our word for it

Here’s what our customer Daniel said:

Attended the online course in October 2023, found it so interesting.

Having someone who has real-world experience in the industry teaching the course was fantastic and he added a lot of surrounding information and details to what could have otherwise been a very plain topic.

With all the preparation in place, it’s now down to my own learning to build up to the exam.


About Leon Teale

Leon is one of our senior penetration testers. He has more than ten years’ experience performing penetration tests for clients in various industries all over the world.

In addition, Leon has won hackathon events in the UK and internationally, and is accredited for multiple bug bounties. He’s also been featured in various articles in the press relating to cyber security.

We’ve previously talked to him about the penetration test process and types, secure remote working, the CVSS (Common Vulnerability Scoring System), and mega breaches MOAB (mother of all breaches) and RockYou2024.


We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.



We first published a version of this blog in September 2018.

The post The Benefits of Becoming an Ethical Hacker appeared first on IT Governance UK Blog.