Blog · 19 Dec 2018

Not all ethical hackers are equal

Bas de Graaf provides advice on choosing the right partner to help you stay secure.

At a time when global organisations are trying to keep costs low to be competitive, there’s always a temptation to spend as little as possible to get a job done.

But apply that to security testing, and it’s not just money that’s on the line; it’s the protection of your data, financial loss and your reputation too. How do you know if something is truly secure if you haven’t tested it thoroughly by professionals who know what they are doing?

Testing to stay secure

Testing is an area of cyber-security investment where you can’t afford to cut corners. The less you spend, the more likely you are to get a service that doesn’t have the depth, skills or expertise to keep you secure.

The problem is that anyone could set themselves up as a security tester, especially in a market where the right skills are a scarce resource. It’s easy to run an automated tool that scans your network or applications. And it’s easy to conclude there is no risk and therefore that the system is secure because no vulnerabilities have been identified.

But in reality, vulnerability scanning is just one facet of security testing. Whilst cost effective, it isn’t always appropriate or applicable. For example, on a banking website, it wouldn’t be able to look for vulnerabilities behind a secure token log-in page. There are also certain vulnerabilities that are specifically designed to avoid detection by automated tools, and these could pose a major threat to your security.

The next level up is to perform vulnerability or penetration testing – so-called ethical hacking - assessments. These combine off-the-shelf and in-house developed tools but also add a layer of manual testing by experienced testers. It takes someone with years of knowledge and experience to effectively interpret what they discover, and what it means for your security. In an evolving threat landscape, an experienced tester is also able to apply knowledge from similar organisations and systems to test for vulnerabilities, because they are performing tests daily and keep learning.

Who can you trust?

How do you find the right supplier of  penetration testing services – someone you can trust and who will do more than tick a box to say it’s been done.

There are some simple things to look for to make sure you are using certified people and accredited organisations.

  1.  Check that the testing company’s personnel are thoroughly screened on an ongoing basis. It’s also important to make sure this process applies to anyone who manages central IT resources, which might be used to store your test results.
  2.  Find out what the tester does with your data. Is it protected carefully? Have they taken the right precautions when storing and processing your sensitive data? Are processes and procedures in place to enable these precautions? Ask about data classification, data protection, data retention and disposal.
  3. Make sure that the tester can prove that quality work is delivered. Anyone can perform testing and say ’it looks okay, we didn’t find any real issues’, but does that mean nothing was there to be found? No. Your potential partner needs to prove that they’ve been thorough.
  4.  Make sure your potential partner can expertly explain how to mitigate or eliminate any vulnerabilities that were found. If your partner does find problems, you need to be able to act on those results.
  5. Can the tester provide ongoing advice on how to stay secure, as part of a trusted partnership? Building a strong partnership with a provider makes life easier for your organisation down the line, so it’s important that you know that relationship will last.
  6. And finally, you need to know that the provider can perform rigorous and effective penetration testing — using a proven testing methodology.

The easiest way to do this is to choose a CREST accredited organisation that employs individuals who have taken CREST exams and hold CREST certifications. CREST provides organisations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up-to-date knowledge, skills and competence in the latest vulnerabilities and techniques used by real attackers.

Security testing is an ongoing activity which never stops, just like attacks launched by malicious people never stop. Are you doing enough to secure your business?