What can an ethical hacker do for my business?

"We think like hackers do," explained Tim Holman, CEO of 2|SEC. "Criminals don't just stop at the first exploit they find. They will chain exploits and pivot off exposed systems to gain further leverage."

2|SEC is a London-based cyber security service provider that provides penetration testing services - among others - for a wide variety of clients. Otherwise known as "ethical hackers" or "pen testers", such specialists are contracted by organisations that want to know if they need to up their security game.

And, if they do, where.

"The obvious benefit is that your systems will be protected against the latest criminal exploits and techniques that are being used against you," Holman explained. "Unless you have [a] full time, dedicated resource that can stay on top of the latest threats and vulnerabilities, your company will find it very difficult to match the experience and expertise that a professional penetration tester will bring."

There's nothing shady about contracting with an ethical hacker. The companies we approached for this feature were happy to talk about what they do and how they do it, pointing out that they remain within the law by only accessing the systems they've been authorised to target, and only doing so within a defined time frame.

"Our approach is always to use the very latest research, exploits and techniques to see if we can gain a foothold in your company; and to do that, we have to be very careful not to bring systems crashing down or inadvertently expose sensitive data."

Growing importance

As organisations handle and process larger amounts of data, the need for pen testing is increasing. Not long ago, they were routinely advised to run tests every couple of years, but that interval no longer satisfies many of their own clients.

"Some of the compliance requirements are mandating that organisations who accept payment card data should be doing this at least annually and moving towards a model where they do it every six months," said Oliver Pinson-Roxburgh, MD of Bulletproof. "If your application undergoes a significant change since your last pen test, advice would be to retest then, too."

In part, this is being driven by the strictures of GDPR. "We have more customers asking about what they should be doing," Pinson-Roxburgh said. "Often, they don't have an incident response plan and want to know that if they get caught out, they can at least do something."

Having such a plan in place, and being able to prove you've been diligent with your testing, helps to demonstrate you're taking some responsibility. "It shows that you've taken reasonable efforts to do all that you can," said Mark Nicholls, director of cyber security at Redscan.

"We have often helped companies assess their readiness for a breach and, defensively, asked what a security and network team have done in response when an attack has taken place. Have they been able to acquire the necessary information within the first 72 hours following an attack to report to authorities?"

Making such reasonable efforts will often be enough to avoid the breach in the first place, as it will help identify where patches and fixes either haven't been applied, or are only partially effective.

"My experience has been that those organisations that were fined under the Data Protection Act could largely have solved their problems by doing a pen test or implementing some form of initial security scanning or testing," said Pinson-Roxburgh. "Where the ICO has published rulings, they [often] show that if the organisation had done the right things about security it would have identified the problems.

Often, it's a well-known, three-month-old vulnerability that they should have known about and fixed."

Your first approach

Ethical hackers are used to hand-holding new customers - particularly any that aren't sure what they need or what's on offer.

As Nicholls explains, outlining what the client does as a business, the systems it's running and what the ethical hacker can do is usually the start for any conversation. "We'll then assign a number of days [for the test during which] they can stand up appropriate resources, whether it be project managers or developers, to make sure we don't take anything down - or so they can address critical issues as we find them."

Pen testers are often told to social engineer their way into systems - even offering fake bribes to staff

But pen testing often goes further than sitting at a keyboard and mouse and searching for vulnerabilities.

"We have red team exercises where the customer gives us an objective that we have to achieve by any means," said Pinson-Roxburgh. "That could be physically going to the building and finding our way in, or social engineering our way in. We've done a few big data centre tests, supposedly the most secure data centres in the world, and found our way in through a combination of social/physical access to the buildings, and hacking portals. For some customers we've even done bribes to see how their staff react to security [threats]."

Pinson-Roxburgh's preference would be to work with live systems wherever possible because, "if they're going to give us a system that's half finished because it's in pre-production, they're not going to get a realistic test. [That's not good when] most of the organisations are saying they want you to simulate things from the hacker's perspective."

But Nicholls also sees value in working with parallel infrastructure and data sets. With live systems, he says, "there's always an inherent risk when you're testing an application or server where issues may arise from being scanned.

Although rare with applications nowadays being more resilient, it can lead to downtime. So, we advise testing against a representative system that closely mirrors what's live. It gives you a good idea of what vulnerabilities there are, and we don't need to hold back. We can assess every parameter."

Confidentiality and confidence

Should a tester gain access to your system, they could have access to confidential data. It's essential to ensure your pen tester signs and complies with a non-disclosure agreement, and that its staff have the necessary security accreditation.

Ultimately, you need to feel comfortable working with them, but that doesn't necessarily mean avoiding someone with a shady background - so long as they've since gone good.

"Many of the most celebrated security people started on the wrong side," Nicholls said. "Curiosity, early on, can be an issue but if that has changed and they're now progressing in a security career where they're offering their capabilities, there's no reason why a person such as that wouldn't meet the various standards and certifications."

Responding to an unsolicited approach, though, is a different matter entirely, and Pinson-Roxburgh advises caution.

"What I've seen more recently is organisations being solicited directly by people looking for bug bounties. I'd recommend an organisation be very cautious in such a situation because we've seen scenarios where the person making the approach is demanding certain amounts of money, only for the organisation to discover that the thing that's been found doesn't warrant the amount of money they've paid...

"When you're approached by someone asking about bug bounties, mention the Computer Misuse Act and the fact that nobody should be testing your systems without your authorisation."

Nik Rawlinson is a journalist with over 20 years of experience writing for and editing some of the UK’s biggest technology magazines. He spent seven years as editor of MacUser magazine and has written for titles as diverse as Good Housekeeping, Men's Fitness, and PC Pro.

Over the years Nik has written numerous reviews and guides for ITPro, particularly on Linux distros, Windows, and other operating systems. His expertise also includes best practices for cloud apps, communications systems, and migrating between software and services.