07 March 2019

Not all ethical hackers are equal

At a time when global organisations are trying to keep costs low to be competitive, there’s always a temptation to spend as little as possible to get a job done.

But apply that to security testing, and it’s not just money that’s on the line; it’s the protection of your data, financial loss and your reputation too. How do you know if something is truly secure if you haven’t tested it thoroughly by professionals who know what they are doing?

Testing to stay secure

Testing is an area of cyber-security investment where you can’t afford to cut corners. The less you spend, the more likely you are to get a service that doesn’t have the depth, skills or expertise to keep you secure. The problem is that anyone could set themselves up as a security tester, especially in a market where the right skills are a scarce resource. It’s easy to run an automated tool that scans your network or applications. And it’s easy to conclude there is no risk and therefore that the system is secure because no vulnerabilities have been identified.

But in reality, vulnerability scanning is just one facet of security testing. Whilst cost effective, it isn’t always appropriate or applicable. For example, on a banking website, it wouldn’t be able to look for vulnerabilities behind a secure token log-in page. There are also certain vulnerabilities that are specifically designed to avoid detection by automated tools, and these could pose a major threat to your security.

The next level up is to perform vulnerability or penetration testing assessments (so-called ethical hacking). These combine off-the-shelf and in-house developed tools but also add a layer of manual testing by experienced testers. It takes someone with years of knowledge and experience to effectively interpret what they discover, and what it means for your security. In an evolving threat landscape, an experienced tester is also able to apply knowledge from similar organisations and systems to test for vulnerabilities, because they are performing tests daily and keep learning.

Who can you trust?

How do you find the right supplier of penetration testing services – someone you can trust and who will do more than tick a box to say it’s been done?

There are some simple things to look for to make sure you are using certified people and accredited organisations.

1. Check that the testing company’s personnel are thoroughly screened on an ongoing basis. It’s also important to make sure this process applies to anyone who manages central IT resources, which might be used to store your test results.

2. Find out what the tester does with your data. Is it protected carefully? Have they taken the right precautions when storing and processing your sensitive data? Are processes and procedures in place to enable these precautions? Ask about data classification, data protection, data retention and disposal.

3. Make sure that the tester can prove that quality work is delivered. Anyone can perform testing and say ‘it looks okay, we didn’t find any real issues’, but does that mean nothing was there to be found? No. Your potential partner needs to prove that they’ve been thorough.

4. Make sure your potential partner can expertly explain how to mitigate or eliminate any vulnerabilities that were found. If your partner does find problems, you need to be able to act on those results.

5. Can the tester provide ongoing advice on how to stay secure, as part of a trusted partnership? Building a strong partnership with a provider makes life easier for your organisation down the line, so it’s important that you know that relationship will last.

6. And finally, you need to know that the provider can perform rigorous and effective penetration testing — using a proven testing methodology.

The easiest way to do this is to choose a CREST accredited organisation that employs individuals who have taken CREST exams and hold CREST certifications. CREST provides organisations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up-to-date knowledge, skills and competence in the latest vulnerabilities and techniques used by real attackers.

Security testing is an ongoing activity which never stops, just like attacks launched by malicious people never stop. Are you doing enough to secure your business?

Bas de Graaf is head of ethical hacking services.
