07 March 2019

Not all ethical hackers are equal

Not all ethical hackers are equal image

At a time when global organisations are trying to keep costs low to be competitive, there’s always a temptation to spend as little as possible to get a job done.

But apply that to security testing, and it’s not just money that’s on the line; it’s the protection of your data, financial loss and your reputation too. How do you know if something is truly secure if you haven’t tested it thoroughly by professionals who know what they are doing?

Testing to stay secure

Testing is an area of cyber-security investment where you can’t afford to cut corners. The less you spend, the more likely you are to get a service that doesn’t have the depth, skills or expertise to keep you secure. The problem is that anyone could set themselves up as a security tester, especially in a market where the right skills are a scarce resource. It’s easy to run an automated tool that scans your network or applications. And it’s easy to conclude there is no risk and therefore that the system is secure because no vulnerabilities have been identified.

But in reality, vulnerability scanning is just one facet of security testing. Whilst cost effective, it isn’t always appropriate or applicable. For example, on a banking website, it wouldn’t be able to look for vulnerabilities behind a secure token log-in page. There are also certain vulnerabilities that are specifically designed to avoid detection by automated tools, and these could pose a major threat to your security.

The next level up is to perform vulnerability or penetration testing – so-called ethical hacking - assessments. These combine off-the-shelf and in-house developed tools but also add a layer of manual testing by experienced testers. It takes someone with years of knowledge and experience to effectively interpret what they discover, and what it means for your security. In an evolving threat landscape, an experienced tester is also able to apply knowledge from similar organisations and systems to test for vulnerabilities, because they are performing tests daily and keep learning.

Who can you trust?

How do you find the right supplier of  penetration testing services – someone you can trust and who will do more than tick a box to say it’s been done.

There are some simple things to look for to make sure you are using certified people and accredited organisations.  

1. Check that the testing company’s personnel are thoroughly screened on an ongoing basis. It’s also important to make sure this process applies to anyone who manages central IT resources, which might be used to store your test results.  

2.Find out what the tester does with your data. Is it protected carefully? Have they taken the right precautions when storing and processing your sensitive data? Are processes and procedures in place to enable these precautions? Ask about data classification, data protection, data retention and disposal.

3. Make sure that the tester can prove that quality work is delivered. Anyone can perform testing and say ’it looks okay, we didn’t find any real issues’, but does that mean nothing was there to be found? No. Your potential partner needs to prove that they’ve been thorough.  

4. Make sure your potential partner can expertly explain how to mitigate or eliminate any vulnerabilities that were found. If your partner does find problems, you need to be able to act on those results.

5. Can the tester provide ongoing advice on how to stay secure, as part of a trusted partnership? Building a strong partnership with a provider makes life easier for your organisation down the line, so it’s important that you know that relationship will last.

6. And finally, you need to know that the provider can perform rigorous and effective penetration testing — using a proven testing methodology.

The easiest way to do this is to choose a CREST accredited organisation that employs individuals who have taken CREST exams and hold CREST certifications. CREST provides organisations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up-to-date knowledge, skills and competence in the latest vulnerabilities and techniques used by real attackers.

Security testing is an ongoing activity which never stops, just like attacks launched by malicious people never stop. Are you doing enough to secure your business?

Bas de Graaf is head of ethical hacking services

For your free daily news bulletin
Highways jobs

Qualified Social Workers - Adult Services

Essex County Council
£30906 - £42254 per annum
Essex County Council ( ECC) can offer a wide range of opportunities within Social Care for Qualified Social Workers across a variety of teams and the England, Essex, Harlow
Recuriter: Essex County Council

Occupational Therapists - Adult Services in South Essex

Essex County Council
£30906 - £42254 per annum
Primary Location
Recuriter: Essex County Council

Qualified Social Workers - Adult Services Teams

Essex County Council
£30906 - £42254 per annum
Primary Location
Recuriter: Essex County Council

Social Worker - Under 10s Connecting and Uniting Team

Essex County Council
£30900 - £42250 per annum + Plus Excellent Benefits Package
This position will focus primarily upon working with children between the ages of 0-10 who have been looked after by the local authority for a significant period (20 weeks or longer), and where following careful assessment by the allocated social worker, England, Essex, Chelmsford
Recuriter: Essex County Council

Senior Support Worker - DBIT Edge of Care Core Service

Essex County Council
£20600 - £26800 per annum + Plus Excellent Benefits Package
NVQ Level 3 - Caring for Children and Young People or equivalent qualification or work-based experience. * Experience/Knowledge/Interest in the Solution Focused approach. England, Essex, Chelmsford
Recuriter: Essex County Council

Public Property

Latest issue - Public Property News

This issue of Public Property examines how how flexible workspaces can lead the way in regeneration for local authorities, Why local authority intervention is key to successful urban regeneration schemes and if the Government’s challenge of embracing beauty is an opportunity for communities.

The March issue also takes a closer look at Blackburn with Darwen Council's first digital health hub to help people gain control over health and care services.

Register for your free digital issue