2How Hackers Hack

The most enjoyable career activity I do is penetration testing (also known as pen testing). Pen testing is hacking in its truest sense. It’s a human against a machine in a battle of wits. The human “attacker” can use their own ingenuity and new or existing tools as they probe for weaknesses, whether they be machine‐ or human‐based. In all my years of pen testing, even though I am usually given weeks to conduct a test, I have successfully hacked my target the majority of the time in around one hour. The longest it has ever taken me is three hours. That includes every bank, government site, hospital, and corporate site that has ever hired me to do so.

I’m not even all that good as a pen tester. On a scale 1 to 10, with 10 being the best, I’m about a 6 or a 7. On the defender side, I feel like I’m the best person in the world. But as an attacker, I’m very average. I’ve been surrounded by awesome pen testers—men and women who think nothing of writing their own testing tools or who don’t consider their testing a success unless they did not generate a single event in a log file that could have caused an alert. But even the people I consider to be 10s usually think of themselves as average and admire other pen testers that they think are tens. How good must those hackers be?

But you don’t have to be extremely good to be a very successful hacker. You don’t even have to actually break in for the customer that hired you (I’m assuming you’re being paid for a lawful assignment ...

Get Hacking the Hacker now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.