07 March 2019

Not all ethical hackers are equal

At a time when global organisations are trying to keep costs low to be competitive, there’s always a temptation to spend as little as possible to get a job done.

But apply that to security testing, and it’s not just money that’s on the line; it’s the protection of your data, financial loss and your reputation too. How do you know if something is truly secure if you haven’t tested it thoroughly by professionals who know what they are doing?

Testing to stay secure

Testing is an area of cyber-security investment where you can’t afford to cut corners. The less you spend, the more likely you are to get a service that doesn’t have the depth, skills or expertise to keep you secure. The problem is that anyone could set themselves up as a security tester, especially in a market where the right skills are a scarce resource. It’s easy to run an automated tool that scans your network or applications. And it’s easy to conclude there is no risk and therefore that the system is secure because no vulnerabilities have been identified.

But in reality, vulnerability scanning is just one facet of security testing. Whilst cost effective, it isn’t always appropriate or applicable. For example, on a banking website, it wouldn’t be able to look for vulnerabilities behind a secure token log-in page. There are also certain vulnerabilities that are specifically designed to avoid detection by automated tools, and these could pose a major threat to your security.

The next level up is to perform vulnerability or penetration testing – so-called ethical hacking - assessments. These combine off-the-shelf and in-house developed tools but also add a layer of manual testing by experienced testers. It takes someone with years of knowledge and experience to effectively interpret what they discover, and what it means for your security. In an evolving threat landscape, an experienced tester is also able to apply knowledge from similar organisations and systems to test for vulnerabilities, because they are performing tests daily and keep learning.

Who can you trust?

How do you find the right supplier of  penetration testing services – someone you can trust and who will do more than tick a box to say it’s been done.

There are some simple things to look for to make sure you are using certified people and accredited organisations.  

1. Check that the testing company’s personnel are thoroughly screened on an ongoing basis. It’s also important to make sure this process applies to anyone who manages central IT resources, which might be used to store your test results.  

2.Find out what the tester does with your data. Is it protected carefully? Have they taken the right precautions when storing and processing your sensitive data? Are processes and procedures in place to enable these precautions? Ask about data classification, data protection, data retention and disposal.

3. Make sure that the tester can prove that quality work is delivered. Anyone can perform testing and say ’it looks okay, we didn’t find any real issues’, but does that mean nothing was there to be found? No. Your potential partner needs to prove that they’ve been thorough.  

4. Make sure your potential partner can expertly explain how to mitigate or eliminate any vulnerabilities that were found. If your partner does find problems, you need to be able to act on those results.

5. Can the tester provide ongoing advice on how to stay secure, as part of a trusted partnership? Building a strong partnership with a provider makes life easier for your organisation down the line, so it’s important that you know that relationship will last.

6. And finally, you need to know that the provider can perform rigorous and effective penetration testing — using a proven testing methodology.

The easiest way to do this is to choose a CREST accredited organisation that employs individuals who have taken CREST exams and hold CREST certifications. CREST provides organisations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up-to-date knowledge, skills and competence in the latest vulnerabilities and techniques used by real attackers.

Security testing is an ongoing activity which never stops, just like attacks launched by malicious people never stop. Are you doing enough to secure your business?

Bas de Graaf is head of ethical hacking services

SIGN UP
For your free daily news bulletin
Highways jobs

Handy Person

Sandwell Metropolitan Borough Council
Band C SCP 5-8 (£24,790 - £25,992) Pro Rata
Do you have a passion for working with people in an Adult Social Care or Health setting? Sandwell, West Midlands
Recuriter: Sandwell Metropolitan Borough Council

Production Co-ordinator - Woolwich Works

Royal Borough of Greenwich
£18,000
Woolwich Works is a multi-million-pound cultural hub in the old military buildings of the Royal Arsenal that opened in September 2021. Greenwich, London (Greater)
Recuriter: Royal Borough of Greenwich

Criminal Justice Senior Practitioner

Royal Borough of Greenwich
£33,575 - £34,052 per annum, including London Weighting where appropriate
Are you passionate about supporting people in the criminal justice system and driving positive change in community treatment pathways? Greenwich, London (Greater)
Recuriter: Royal Borough of Greenwich

Street Lighting Project Engineer

Royal Borough of Greenwich
PO2 - £41,442 to £44,331
Help us keep our streets safe, efficient and ready for the future Greenwich, London (Greater)
Recuriter: Royal Borough of Greenwich

Administrator

Wakefield Council
£25,583.00 to £25,989.00, Grade 4
An exciting opportunity has arisen for a G4 Administrator to join the Safeguarding and Reviewing Unit Administration Team Wakefield, West Yorkshire
Recuriter: Wakefield Council
Linkedin Banner