Penetration testers must have a detailed knowledge of technology, and that comes with experience, not just fancy tools. "Penetration testing is understanding and interacting with technology — knowing the way that technology is supposed to work. It's a methodology and maybe aligning a tool toward it, but it's not simply about scripts or tools."
Once de Metz is inside a system, he looks for three things: where he can log in, what software versions are in use and whether systems are configured correctly. "Can we guess a password? Can we find some other way to access a login? Maybe the software is out of date and there's an exploit, so we try and exploit some ransomware code against it to try and gain access to the system," he says. "Some things can be found in an audit, but we're also finding things [the organization] hasn't thought of."
Penetration testing goes deeper than a network audit, and that's an important distinction. An audit asks, is the security program being followed? Penetration testing asks, is the program working?
Penetration testers take a bird's-eye view of security strategy. The problem may not be as simple as out-of-date software; it may be an entire security strategy that needs improving. That's what de Metz finds out.
Many small and medium-sized businesses struggle to fund well-founded security infrastructures. Still, white-hat hacking is becoming more popular with organizations responsible for personal data, like Facebook, which is known for incentivizing white-hat hackers, via its Bug Bounty Program, to find vulnerabilities in its system.
De Metz has also shared some of his most dramatic penetration testing stories on podcasts. His goal is twofold: to entertain listeners with wild stories, but more importantly, to highlight the value of penetration testing, and what's at stake if companies go without it. You may never see them, never know they are there, but penetration testers help keep businesses secure, and customers, like you, safer too.