07 March 2019

Not all ethical hackers are equal

Not all ethical hackers are equal image

At a time when global organisations are trying to keep costs low to be competitive, there’s always a temptation to spend as little as possible to get a job done.

But apply that to security testing, and it’s not just money that’s on the line; it’s the protection of your data, financial loss and your reputation too. How do you know if something is truly secure if you haven’t tested it thoroughly by professionals who know what they are doing?

Testing to stay secure

Testing is an area of cyber-security investment where you can’t afford to cut corners. The less you spend, the more likely you are to get a service that doesn’t have the depth, skills or expertise to keep you secure. The problem is that anyone could set themselves up as a security tester, especially in a market where the right skills are a scarce resource. It’s easy to run an automated tool that scans your network or applications. And it’s easy to conclude there is no risk and therefore that the system is secure because no vulnerabilities have been identified.

But in reality, vulnerability scanning is just one facet of security testing. Whilst cost effective, it isn’t always appropriate or applicable. For example, on a banking website, it wouldn’t be able to look for vulnerabilities behind a secure token log-in page. There are also certain vulnerabilities that are specifically designed to avoid detection by automated tools, and these could pose a major threat to your security.

The next level up is to perform vulnerability or penetration testing – so-called ethical hacking - assessments. These combine off-the-shelf and in-house developed tools but also add a layer of manual testing by experienced testers. It takes someone with years of knowledge and experience to effectively interpret what they discover, and what it means for your security. In an evolving threat landscape, an experienced tester is also able to apply knowledge from similar organisations and systems to test for vulnerabilities, because they are performing tests daily and keep learning.

Who can you trust?

How do you find the right supplier of  penetration testing services – someone you can trust and who will do more than tick a box to say it’s been done.

There are some simple things to look for to make sure you are using certified people and accredited organisations.  

1. Check that the testing company’s personnel are thoroughly screened on an ongoing basis. It’s also important to make sure this process applies to anyone who manages central IT resources, which might be used to store your test results.  

2.Find out what the tester does with your data. Is it protected carefully? Have they taken the right precautions when storing and processing your sensitive data? Are processes and procedures in place to enable these precautions? Ask about data classification, data protection, data retention and disposal.

3. Make sure that the tester can prove that quality work is delivered. Anyone can perform testing and say ’it looks okay, we didn’t find any real issues’, but does that mean nothing was there to be found? No. Your potential partner needs to prove that they’ve been thorough.  

4. Make sure your potential partner can expertly explain how to mitigate or eliminate any vulnerabilities that were found. If your partner does find problems, you need to be able to act on those results.

5. Can the tester provide ongoing advice on how to stay secure, as part of a trusted partnership? Building a strong partnership with a provider makes life easier for your organisation down the line, so it’s important that you know that relationship will last.

6. And finally, you need to know that the provider can perform rigorous and effective penetration testing — using a proven testing methodology.

The easiest way to do this is to choose a CREST accredited organisation that employs individuals who have taken CREST exams and hold CREST certifications. CREST provides organisations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up-to-date knowledge, skills and competence in the latest vulnerabilities and techniques used by real attackers.

Security testing is an ongoing activity which never stops, just like attacks launched by malicious people never stop. Are you doing enough to secure your business?

Bas de Graaf is head of ethical hacking services

Mission possible image

Mission possible

Jonathan Sharp explores how digital transformation is changing the face of local government.
Highways jobs

Head of New Build Property Management

Hackney London Borough Council
Salary, £61,515 - £63,630 (PO12)
You will lead a team, created to ensure the effective handover of newly built properties from our Regeneration team into our Housing Services team. Hackney, London (Greater)
Recuriter: Hackney London Borough Council

Housing Manager

Breckland District Council
£44,697-£50,879 per annum
An exciting opportunity has arisen in our Housing team Dereham, Norfolk
Recuriter: Breckland District Council

Inspector / Senior Inspector

City of Bradford MDC
£21,166 - £31,371 pa
This is an opportunity to join the Highway Maintenance team who have responsibility for maintenance of around 2,000km of adopted road network. Bradford, West Yorkshire
Recuriter: City of Bradford MDC

Traffic Management Operative/Foreman

Balfour Beatty
Are you a Traffic Management Operative/Foreman with Highspeed (12AB) Qualifications, looking for a new and exciting opportunity? If so read on..... Leatherhead, Surrey
Recuriter: Balfour Beatty

Cleaning Assistant

Chelmsford City Council
Grade 2 - £17,367, pro rata for part time positions
It's exciting times at Riverside Leisure Centre with a brand-new centre opening in June 2019 and we need you to get on board and help us make this ... Chelmsford, Essex
Recuriter: Chelmsford City Council

Local Government News

Latest issue - Local Goverrnemnt News

The March issue of Local Government News explores alternative funding channels that are available to councils beyond the Public Works Loan Board, what hurdles merging councils face in coming together, and how local government is handling GDPR.

This issue also has a special highways and street lighting section exploring how councils can use lighting to embark on their smart city journey and using IoT technology to weather the storm.

Register for your free magazine