Cyber security is an evolving discipline. It’s an ongoing endeavour to beat the hackers and cyber criminals at their own game and mitigate the risk they represent. As Scott Nicholson points out, though, for many organisations this is easier said than done. While the importance of cyber security is clear and it’s a topic for discussion at Board level, there are challenges around securing budget, retaining the right skills in house and understanding the threat itself.
Regardless of the challenges, organisations of all sizes and in every sector need to use all the tools and skills at their disposal to develop, implement and maintain a comprehensive cyber security strategy. Typically, this means working with different security vendors and employing whatever means necessary to secure their data, network and systems.
One of the areas that’s garnering more attention as the threat landscape develops is penetration testing (which is also known as ethical hacking or white hat hacking). For the sake of clarity, it’s worth stating that, in order for hacking to be classified as ethical, there needs to be an agreement between the ethical hacker and the organisation with written approval from the host organisation. Otherwise, according to the letter of the law – the Computer Misuse Act 1990, for example – it’s just hacking.
In addition to that, your chosen security company should have the right credentials and qualifications aligned with independent industry bodies such as CREST.
Part of this agreement is setting out the rules of engagement: what’s being tested and when. This scope also often includes the IP addresses of the ethical hackers. If a real attack happens during the testing window, it can then be distinguished from the simulated one. Of course, the scope can include other information, which all depends on the company being tested, the technology and the assurance goals of the business.
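To make the distinction in the scope document concrete, here is an added example (not code from the article or from Bridewell Consulting) of how a SOC might label alerts that arrive during an engagement. The tester source range, the testing window and the sample alerts are all constructed values; a tester IP seen outside the agreed window is deliberately not treated as authorised, since that is either a scope breach or a spoofed source and needs follow-up either way.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed engagement scope (hypothetical, not from the article):
# the ethical hackers' agreed source range and the agreed testing window.
SCOPE_SOURCES = [ip_network("198.51.100.0/28")]
WINDOW_START = datetime(2019, 6, 3, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2019, 6, 7, 17, 0, tzinfo=timezone.utc)


@dataclass
class Alert:
    when: datetime      # timezone-aware timestamp from the monitoring tool
    source: str         # source IP as logged
    signature: str      # what the tool flagged


def classify(alert, sources=SCOPE_SOURCES, start=WINDOW_START, end=WINDOW_END):
    """Label one alert against the rules of engagement.

    'authorised-test'          : source in scope AND inside the window
    'scope-ip-outside-window'  : source in scope but outside the window
    'investigate'              : anything else, including unparsable sources
    """
    try:
        addr = ip_address(alert.source)
    except ValueError:
        return "investigate"
    in_scope_ip = any(addr in net for net in sources)
    in_window = start <= alert.when <= end
    if in_scope_ip and in_window:
        return "authorised-test"
    if in_scope_ip:
        return "scope-ip-outside-window"
    return "investigate"


def triage(alerts):
    """Return (alert, label) pairs so analysts can filter out the agreed test traffic."""
    return [(a, classify(a)) for a in alerts]


# Constructed sample alerts: one from the testers inside the window, one from
# an unknown source during the window, one from a tester IP after the window.
SAMPLE_ALERTS = [
    Alert(datetime(2019, 6, 4, 10, 15, tzinfo=timezone.utc), "198.51.100.5", "SQL injection attempt"),
    Alert(datetime(2019, 6, 4, 10, 20, tzinfo=timezone.utc), "203.0.113.77", "SQL injection attempt"),
    Alert(datetime(2019, 6, 8, 2, 0, tzinfo=timezone.utc), "198.51.100.5", "port scan"),
]
```

Only the first sample alert is filtered as agreed test traffic; the other two still reach an analyst, which is the point of writing the tester addresses and the window into the scope.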
Ethical hacking can help identify gaps in your security with a view towards fixing them before malicious hackers find them and cause a data breach. It’s also a key element in testing your processes, procedures and technical controls to ensure they’re working as they should.
Assurance, accountability and commitment
While ethical hacking is already highly regarded within the cyber security sector, it’s gaining traction within organisations across different industries as a further way in which to improve their security posture and demonstrate accountability. In fact, it’s even mandated by some risk and compliance frameworks, such as PCI DSS and the UK Government’s IT Health Check that enables public sector organisations joining the Public Services Network.
Most recently, penetration testing has been highlighted as a key part of the General Data Protection Regulation (GDPR). Article 32 of the European Union’s GDPR emphasises the fact that there needs to be: “A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”.
In terms of the GDPR, it’s easy to see why penetration testing is so highly regarded. We all know that the associated fines following a breach are significant (up to €20 million or 4% of global turnover). In the event of a breach, organisations need to demonstrate accountability and show that they’ve put the right practices and processes in place to mitigate risk. Penetration testing is one of the ways in which they can show this accountability.
Value of ethical hacking
However, the key question for many businesses is: ‘Do we really need penetration testing?’ In today’s environment, the answer will always be ‘Yes’. That said, some businesses don’t see the true value that it can deliver. For example, if a business deploys network monitoring software, isn’t that enough?
Looking at the people behind penetration testing, i.e. the ethical hackers themselves, you can better see where the value lies. Whereas software may scan the network and alert security teams to any issues, ethical hackers keep going. They take the results of their tests and use them to gain further access into your systems, much like a malicious hacker would do. The benefit is obvious: if there are gaps and vulnerabilities, they will be found, providing you with the opportunity to fix them before they’re exploited by real malicious hackers.
Of course, penetration testing can be viewed as a costly exercise. However, as with most things, you need to balance the cost with the risk of an attack. For some organisations the cost of an attack is more tangible (that is, if they are heavily reliant on an online application to process personal data and data that can be stolen, or if their network and infrastructure is business critical). This makes penetration testing an easier sell to the C-Suite or financial director. For others who don’t process sensitive data, the impact of an attack or breach could include reputational damage or irate customers as the result of downtime on a website.
Penetration testing can also be used by internal security and compliance teams to secure more budget. This can be a hard sell to the Board, but employing a team of penetration testers to provide an independent and objective view of what malicious hackers could do is a powerful proof point.
The exercise also forms a crucial part of your overall security programme and helps assure partners, customers, prospects and other stakeholders alike that your organisation is firmly committed to security and has the right processes, programmes and practices in place to mitigate risk effectively and efficiently.
As mentioned, there are rules of engagement when it comes to unleashing ethical hackers on your organisation. These depend largely on what you wish to be tested. Web application penetration testing involves attacking your website or web applications to probe for weaknesses in the coding, design or publishing. Many testers use the Open Web Application Security Project (OWASP) Top Ten vulnerabilities as the assessment barometer. For 2019, these include elements such as SQL injection, broken authentication, cross-site scripting and insecure de-serialisation.
Infrastructure penetration testing sees ethical hackers testing all elements of your infrastructure from servers and routers to switches, firewalls and endpoints such as PCs and laptops.
Similar to a web application penetration test, mobile device and mobile application penetration testing sees ethical hackers focusing on testing the devices themselves and the applications installed on those devices (especially if those devices hold or access sensitive information).
Red team engagement
Whereas ethical hacking focuses on testing one specific element of your infrastructure and has a particular goal — for example, gaining access rights to a system — ‘red teaming’ takes things further.
A red team engagement is a full attack simulation that focuses on all areas of your business, from breaching networks and systems through to using social engineering tactics and gaining physical access to premises and devices. It helps you identify critical issues that need remediation. The simulation also takes a lot longer than traditional penetration testing, with engagements lasting from a few weeks to a few months.
Typically, at the end of the exercise the findings are presented back to the organisation with steps and suggestions to remediate the gaps and vulnerabilities. If, however, a critical issue is identified early on, this is flagged immediately to the business such that it can be fixed.
In much the same way as an ethical hack can be used to secure more cyber security funding from the Board based on an objective view of security, a red team engagement can add similar value by proving the threat level and demonstrating what malicious hackers and cyber criminals are capable of in the virtual world.
Critical part of the cyber strategy
Penetration testing or ethical hacking is a critical part of your overall cyber security strategy. Yes, it requires placing your faith in a third party to attempt to hack your business, but working with the right security partner that harbours the appropriate experience and accreditations can bring significant value to your organisation.
Penetration testing — and its ‘red teaming’ cousin — helps you identify gaps and vulnerabilities in your network, devices and infrastructure and to mitigate the risk of an attack. These measures can also be used to secure more budget for cyber security programmes and demonstrate to customers, potential customers, partners and other stakeholders your commitment towards keeping your business secure.
As the cyber threat develops and attackers become ever more sophisticated, penetration testing will undoubtedly play a key role in helping you keep your business secure.
Scott Nicholson is Director of Bridewell Consulting