Hackers shot the sheriff, but not the deputy
If you spoke to a person about hacking five years ago, they would have been calling 10111 while your back was turned. In the past, this was a major, MAJOR crime.
Fortunately, we have come to our senses and we have progressed. Hacking has become the tattoos of 2019: it is now socially acceptable. In fact, it can add major value to your business.
An article on itpro.co.uk suggests that while the words “ethical” and “hacker” aren’t natural bedfellows, the two can make an excellent combination for testing security.
“We think like hackers do,” Tim Holman, CEO of 2|SEC, told itpro. “Criminals don’t just stop at the first exploit they find. They will chain exploits and pivot off exposed systems to gain further leverage.”
The itpro.co.uk article points out that 2|SEC is a London-based cybersecurity service provider that provides penetration testing services – among others – for a wide variety of clients. Otherwise known as ethical hackers or pen testers, such specialists are contracted by organizations that want to know if they need to up their security game.
“The obvious benefit is that your systems will be protected against the latest criminal exploits and techniques that are being used against you,” Holman explained. “Unless you have [a] full time, dedicated resource that can stay on top of the latest threats and vulnerabilities, your company will find it very difficult to match the experience and expertise that a professional penetration tester will bring.”
No shade bro
The article points out that there’s nothing shady about contracting with an ethical hacker. The companies itpro.co.uk approached for the feature were happy to talk about what they do and how they do it, pointing out that they remain within the law by only accessing the systems they’ve been authorized to target, and only doing so within a defined time frame.
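The two conditions above (authorized targets only, inside the agreed window) are exactly what a tester's tooling should enforce before the first packet leaves. The following is an added example, not code from itpro.co.uk or from any firm quoted in the article; the scope networks, hostnames and dates are constructed for illustration and the `RulesOfEngagement` name is hypothetical.

```python
"""Rules-of-engagement gate: refuse any target that is not in the signed scope
or any test that falls outside the agreed window.

Added example with constructed data; not tooling from any company named in the
article. Names (RulesOfEngagement, parse_scope, authorized, ...) are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RulesOfEngagement:
    networks: tuple        # ipaddress.IPv4Network / IPv6Network objects
    hostnames: frozenset   # exact, lower-cased hostnames (no wildcards on purpose)
    start: datetime        # timezone-aware start of the testing window
    end: datetime          # timezone-aware end of the window (exclusive)


def parse_scope(cidrs, hosts, start, end):
    """Build an immutable scope from the CIDRs, hostnames and window in the signed agreement."""
    if start.tzinfo is None or end.tzinfo is None or start >= end:
        raise ValueError("window must be timezone-aware and start before end")
    return RulesOfEngagement(
        networks=tuple(ipaddress.ip_network(c, strict=False) for c in cidrs),
        hostnames=frozenset(h.lower().rstrip(".") for h in hosts),
        start=start,
        end=end,
    )


def in_scope(target, roe):
    """True if target is an IP inside an authorized network or an explicitly listed hostname."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: treat as a hostname and require an exact match.
        return target.lower().rstrip(".") in roe.hostnames
    return any(ip in net for net in roe.networks)


def in_window(now, roe):
    """True if the timestamp falls inside [start, end). Naive timestamps are rejected."""
    if now.tzinfo is None:
        raise ValueError("use a timezone-aware timestamp")
    return roe.start <= now < roe.end


def authorized(target, now, roe):
    return in_scope(target, roe) and in_window(now, roe)


def filter_targets(targets, now, roe):
    """Split a candidate list into (allowed, refused) so the refused half can be logged, not scanned."""
    allowed, refused = [], []
    for t in targets:
        (allowed if authorized(t, now, roe) else refused).append(t)
    return allowed, refused


# Constructed sample scope: two documentation/private ranges and one hostname,
# authorized for a five-day window in June 2019.
EXAMPLE_ROE = parse_scope(
    cidrs=["10.20.30.0/24", "203.0.113.0/28"],
    hosts=["app.example.com"],
    start=datetime(2019, 6, 3, tzinfo=timezone.utc),
    end=datetime(2019, 6, 8, tzinfo=timezone.utc),
)
DURING = datetime(2019, 6, 4, 14, 0, tzinfo=timezone.utc)   # inside the window
AFTER = datetime(2019, 6, 8, 0, 0, tzinfo=timezone.utc)      # exactly at end: refused


def demo():
    """Run the gate over a constructed target list during the window."""
    return filter_targets(
        ["10.20.30.7", "203.0.113.15", "203.0.113.16", "APP.example.com.", "db.example.com"],
        DURING,
        EXAMPLE_ROE,
    )


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. Hostnames are matched exactly rather than by wildcard, because `*.example.com` quietly pulls in staging and third-party hosts the client never signed for. And the gate checks the literal the tester typed, not what it resolves to: a hostname that is in scope can still resolve to an IP that is not, so the resolved address should be passed through `in_scope` again before it is touched.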
“Our approach is always to use the very latest research, exploits, and techniques to see if we can gain a foothold in your company; and to do that, we have to be very careful not to bring systems crashing down or inadvertently expose sensitive data.”
The itpro.co.uk article points out that as organizations handle and process larger amounts of data, the need for pen testing is increasing. Not long ago, they were routinely advised to run tests every couple of years, but that no longer satisfies many of their clients.
“Some of the compliance requirements are mandating that organizations who accept payment card data should be doing this at least annually and moving towards a model where they do it every six months,” said Oliver Pinson-Roxburgh, MD of Bulletproof. “If your application undergoes a significant change since your last pen test, advice would be to retest then, too.”
The article adds that, in part, this is being driven by the strictures of the General Data Protection Regulation (GDPR). “We have more customers asking about what they should be doing,” Pinson-Roxburgh said. “Often, they don’t have an incident response plan and want to know that if they get caught out, they can at least do something.”
Having such a plan in place, and being able to prove you’ve been diligent with your testing, helps to demonstrate you’re taking some responsibility. “It shows that you’ve taken reasonable efforts to do all that you can,” Mark Nicholls, director of cybersecurity at Redscan, told itpro.co.uk.
“We have often helped companies assess their readiness for a breach and, defensively, asked what a security and network team have done in response when an attack has taken place. Have they been able to acquire the necessary information within the first 72 hours following an attack to report to authorities?”
The article adds that making such reasonable efforts will often be enough to avoid the breach in the first place, as it will help identify where patches and fixes either haven’t been applied or are only partially effective.
“My experience has been that those organizations that were fined under the Data Protection Act could largely have solved their problems by doing a pen test or implementing some form of initial security scanning or testing,” said Pinson-Roxburgh. “Where the ICO has published rulings, they [often] show that if the organization had done the right things about security it would have identified the problems. Often, it’s a well-known, three-month-old vulnerability that they should have known about and fixed.”
Your first approach
The article points out that ethical hackers are used to hand-holding new customers – particularly any that aren’t sure what they need or what’s on offer.
As Nicholls explains, outlining what the client does as a business, the systems it’s running and what the ethical hacker can do is usually the start for any conversation. “We’ll then assign a number of days [for the test during which] they can stand up appropriate resources, whether it be project managers or developers, to make sure we don’t take anything down – or so they can address critical issues as we find them.”
The article adds that pen testing often goes further than sitting at a keyboard and mouse and searching for vulnerabilities.
“We have red team exercises where the customer gives us an objective that we have to achieve by any means,” said Pinson-Roxburgh. “That could be physically going to the building and finding our way in, or social engineering our way in. We’ve done a few big data center tests, supposedly the most secure data centers in the world, and found our way in through a combination of social/physical access to the buildings, and hacking portals. For some customers, we’ve even done bribes to see how their staff react to security [threats].”
The article points out that Pinson-Roxburgh’s preference would be to work with live systems wherever possible because, “if they’re going to give us a system that’s half finished because it’s in pre-production, they’re not going to get a real test. [That’s not good when] most of the organizations are saying they want you to simulate things from the hacker’s perspective.”
The article adds that Nicholls also sees value in working with parallel infrastructure and data sets. With live systems, he says, “there’s always an inherent risk when you’re testing an application or server where issues may arise from being scanned. Although rare with applications nowadays being more resilient, it can lead to downtime. So, we advise testing against a representative system that closely mirrors what’s live. It gives you a good idea of what vulnerabilities there are, and we don’t need to hold back. We can assess every parameter.”
Confidentiality and confidence
The article points out that should a tester gain access to your system, they could have access to confidential data. It’s essential to ensure your pen tester signs and complies with a non-disclosure agreement, and that its staff hold the necessary security accreditation.
Ultimately, you need to feel comfortable working with them, but that doesn’t necessarily mean avoiding someone with a shady background – so long as they’ve since gone good.
“Many of the most celebrated security people started on the wrong side,” Nicholls said. “Curiosity, early on, can be an issue but if that has changed and they’re now progressing in a security career where they’re offering their capabilities, there’s no reason why a person such as that wouldn’t meet the various standards and certifications.”
The article adds that responding to an unsolicited approach, though, is a different matter entirely, and Pinson-Roxburgh advises caution.
“What I’ve seen more recently is organizations being solicited directly by people looking for bug bounties. I’d recommend an organization be very cautious in such a situation because we’ve seen scenarios where the person making the approach is demanding certain amounts of money, only for the organization to discover that the thing that’s been found doesn’t warrant the amount of money they’ve paid…
“When you’re approached by someone asking about bug bounties, mention the Computer Misuse Act and the fact that nobody should be testing your systems without your authorization.”
At the end of the day, there is an increasing need for penetration testing and ethical hacking. Companies can find value in it provided that they pick the right company to partner with.
The article asks: how do you know that you can trust a penetration test provider to do a great job and conduct the assessment to the highest technical and ethical standards?
One of the important places to start is ensuring that they are fully qualified and trained in the services that they provide. Look for businesses that offer CREST-certified penetration testing, as well as a supporting range of recognized cybersecurity qualifications and credentials.
The article adds that qualified providers will be able to demonstrate their knowledge of the latest hacking techniques and procedures and offer assurance that they conduct assessments as safely as possible, so as to avoid any possible damage or disruption.
The article points out that companies must not forget that one of the most important ways of verifying the quality of a provider is their reputation. The provider should be able to share excellent client references from businesses similar to yours.
Don’t settle for businesses offering a cheap service with no proof that they can carry out the work properly. This could lead to a situation where you have had penetration testing carried out, but you haven’t received the level of support needed.
Experience Performing a Range of Testing
The article adds that there are many different forms of pen testing to choose from. You might require a very specific web application test or a broader assessment such as a network penetration test. In many cases you will require a range of testing capabilities, so make sure that your provider is experienced in providing them all.
A provider who lacks the necessary skills may not possess a thorough understanding of the security risks most common to the type of test requested.
Wide Industry Knowledge
The article points out that as well as having experience carrying out multiple different forms of the test, it is also worth establishing whether the provider has direct expertise in your particular industry. While they may be used to carrying out pen testing, if they have never worked in your industry before, they may not be aware of the specific challenges it faces.
It could even be the case that they are not familiar with the sorts of software and applications that are used in your industry. This makes a big difference in their ability to deliver an effective assessment.
Thorough Reporting and Feedback
The article adds that in order to get the most value for your penetration test, it is important to determine the right type of tests for your needs. If you have only budgeted for a two-day assessment, it is essential to make the most of that time. That is why it is a good idea to work with cybersecurity specialists who are willing to go the extra mile to understand your requirements and help scope a test that will offer the best return for your budget.
It’s also worth asking providers about the level of support they will provide post-assessment. Good penetration testing providers won’t just be good at discovering vulnerabilities – they’ll also provide the advice you need to help address short- and long-term risks.
Upon completion of the test, check that the provider will supply a full written report that details and prioritizes any weaknesses identified, then recommend remedial actions.
The article points out that a good pen test provider needs to be flexible. Check whether a provider will perform testing outside of office hours, as well as whether they can offer on-site as well as remote testing. The needs and requirements of your business need to come first and shouldn’t be determined by whether or not it is convenient for the other party.
Choose specialists who are willing to work with you to customize the scope and timing of testing and can be trusted to act as your long-term cybersecurity partner.
“We cannot perform the same actions and expect a different outcome. That’s the definition of insanity. In 10 years time, a Chief Hacking Officer will perform an important role in a company,” says Bradley Geldenhuys, Co-Founder and CEO of GT Consult.