Penetration testers and ethical hackers are responsible for identifying and testing vulnerabilities within an organization. These people can be internal employees, external contractors or freelancers.
With increasing security attacks, pentesters are in demand in all industries and fields. The average salary for a penetration tester in the US is around $12,000 according to Indeed, but penetration testers with extensive experience can expect to make more.
Pentesters require a mix of technical skills, such as B. Experience with programming languages, computer networking, reverse engineering, cryptography, critical thinking and problem solving skills. safety certificationslike CompTIA PenTest+, Certified ethical hacker and Global Information Assurance Certification Penetration Tester, are also useful.
But before you get a pen testing job, you have to face a pen testing interview. Prepare yourself by reading this excerpt from Chapter 3 of Hack Cybersecurity Interview by Ken Underhill, Christophe Foulon, and Tia Hopkins, published by Packt, and learn how to answer 10 common pentest interview questions.
Common interview questions for a penster career
The following questions are primarily knowledge-based questions. During a junior pentester interview, you are likely to ask many knowledge-based questions, with some practical test assessments possible. For senior and principal pentester job interviews, after the first phone screen, you will often receive a hands-on test of your pentesting skills from the recruiter or Human Resources (HR). You will likely come across similar questions:
- Where do you research the latest vulnerabilities and why?
Your answer might include following certain security researchers on Twitter, following blogs like Krebs and Threatpost, following podcasts you listen to, and more. There’s usually no wrong answer here, but the interviewer wants to see how you stay up to date on current vulnerabilities and the latest cybersecurity news.
- Do you have a favorite hacker in history and why are they your favorites?
This question is asked to see how passionate you are about the history of hacking. This is another no-wrong-answer question, and you may not have a favorite, which is okay. An example of a famous hacker in history is Kevin Mitnick.
- In which areas do you plan to improve?
This question is asked to see if you are a continuous learner and to see how you identify areas of self improvement. Even as a junior pentester you should expect to be constantly learning something new and you need to be able to assess your skills and know the areas where you need to improve. For example, I’m good at social engineering but not so good at programming. As a pentester, I focused less on social engineering as it came naturally and instead focused on getting better at coding so I could write my own tools.
- I need you to do an internal pentest and I have a ROE document. What are you doing next?
With this question, the interviewer identifies your methodology for approaching a pentest. When applying for your first pentesting job, you should always make sure to review and verify the ROE (scoping) document to know what is taboo and what you can attack. Clients sometimes list incorrect IP addresses, so you also need to verify that everything listed as available for attack is actually owned by the client. Otherwise, you could land yourself in legal trouble.
- What types of cross-site scripting (XSS) are there and which is the most dangerous?
There are three types of XSS, reflected, memorized, and stored Document Object Model (DOM)-based. The specific danger depends on the specific situation. Stored XSS is typically more dangerous because it is stored on the server side and the payload only needs to be stored once to continue infecting anyone who connects to the server.
- Can you explain XSS like you’re talking to a 10-year-old kid?
This question is designed to test your ability to break down complex cybersecurity issues for stakeholders. Here in the US, stats vary, but most people get it by 8th grade or below, which means in many situations you have to convey information to stakeholders as if they were 10-year-old kids. I would explain this with something like this statement:
XSS allows you to log into any account with a username and password. This is important to fix as an attacker can use attacks like XSS to perform illicit transactions which can result in the company losing money.
When presenting to company representatives, you can also mention how XSS can lead to cookie theft and can be used for privilege escalation and phishing attacks.
- How can you run XSS if if
If tags are blocked, you could use things like image payloads or video payloads. Instead of using alarm tags, you could use tags like prompt and confirm.
- What options are there to mitigate XSS attacks?
You can use encoding, properly validate user input, clean up and use output Web application firewalls (WAFs).
- What was the last screenplay you wrote and what was its purpose?
I would like to stress here that being a junior pentester does not require you to have any programming knowledge, but if you want to be successful in the long term, it is important that you learn at least one language to be able to write new tools on the fly during an engagement. This question is used to assess your scripting skills and you could write something simple like a keylogger to show during the interview.
- What types of threat actors are there?
This question typically asks for your broader knowledge of threat actors, so mentioning of nation-state groups, state-sponsored groups, hacktivists, organized crime gangs, script kiddies, and insider threats is good for this question. It's also a good idea to keep up to date on cybersecurity breaches and the threat actors behind them, or at least know some of the well-known threat actor groups (ie APT29) from searching on a site like that MITER Opponent tactics, techniques and general knowledge (ATTACK & CK) website.
About the authors
Ken Unterhill is CEO, executive producer and host of the syndicated cyber life television show. Underhill educates around 2.6 million people each year through its online cybersecurity courses and sits on the advisory boards of Breaking Barriers Women in CyberSecurity and the Whole Cyber Human Initiative, as well as serving on the boards of a number of cybersecurity startup companies.
Christopher Foulon, Senior Manager and Cybersecurity Advisor at F10 FinTech, brings over 15 years of experience as a CISO, Information Security Manager, Associate Professor, Author and Cybersecurity Strategist. He has also spent more than 10 years leading, coaching and mentoring people.
Tia Hopkins is Field CTO and Chief Cyber Risk Strategist at eSentire and Associate Professor of Cybersecurity at Yeshiva University. Hopkins was recognized by SC Media as an outstanding educator in 2019 and as one of the Top 25 Women Leaders in Cybersecurity and Top 100 Women in Cybersecurity in 2020. In 2021 she was recognized as a Top Influencer in the Security Executives category by IFSEC Global. Hopkins is also the founder of Empow(H)er Cybersecurity, a nonprofit organization that aims to inspire and empower women of color to pursue careers in cybersecurity.