The pen test is a vital protective measure, but there are some important caveats to consider when commissioning a white-hat hacker to probe around your systems
In the 2003 version of The Italian Job, Charlize Theron plays an ethical safe-cracker who pits her wits against the latest models to tell the manufacturers whether their products are any good. Naturally, she can crack the lot. And pretty soon she’s lured into an ingenious gold heist involving Mini Coopers, but, alas, no Sir Michael Caine.
A more imaginative remake might have cast Theron as a penetration tester. These skilled professionals hack into IT systems to pinpoint their weaknesses for their owners. A company needs to know whether its valuable data is secure. But, as per the film, it also needs to know that its pen testers are elite white-hat hackers who aren’t going to cause mayhem in the course of their work.
So how do you go about finding a reliable pen tester?
Will North is a good person to ask. He used to run a consultancy running pen tests for clients but now sits on the other side of the fence, hiring them to hack the products of MHR International, a developer of HR and payroll software where he’s chief security officer. In the past few years he’s commissioned almost 30 tests.
Hiring is no easy task, according to North. “The repercussions of employing an under-skilled tester can be severe. You’ll get a false sense of security that your systems are protected,” he says. “Unfortunately, it can be very difficult to evaluate the competence of an ethical hacker.”
He recommends two places to go to find candidates: large consultancies and specialist boutiques. The consultancies come with a caveat. “The downside is that these organisations are often expensive. They can charge nearly £2,000 a day,” North says. “Their operating model also means that they often use relatively inexperienced staff to do most of the work.”
He believes that boutiques are likely to offer a more cost-effective service. The downside is variability – the chances of hiring a dud are greater. The solution? “You need to rely more on word of mouth.”
As for testers’ qualifications, the ones to look out for are Crest, GIAC or Check certification. But beware: even the most impressive-looking CV may not be a reliable indicator. So says Hugo van den Toorn, manager of offensive security at Outpost24, a boutique specialist in risk assessment.
“Don’t treat certifications as a gold standard,” he warns. “The reason is simple: anyone can learn, but this is about understanding and bringing knowledge into practice. Unfortunately, not everyone can pay to take these qualifications or sacrifice sufficient personal time to obtain them. Cheating is a prevalent issue as well.”
Look for a “core hacker mindset”, van den Toorn advises. For instance, does the candidate blog about cybersecurity matters? Do they have a career showcasing their expertise? How do they perform on external validation platforms such as Hack the Box? Strong candidates may write their own applications to enhance the off-the-shelf products that pen testers commonly use.
Once you’ve chosen your preferred candidate, it’s vital to know how to brief them. What exactly do you want them to prove? And, equally important, what are the parameters of the test?
“There should always be a limit of exploitation set, which describes how far into production systems that ethical hackers can go,” explains James Griffiths, a former GCHQ cyber expert and co-founder of Cyber Security Associates. “If the client has a huge ecommerce site, for instance, you wouldn’t want an ethical hacker changing live data, which could bring down the whole thing. But there may be cases where you’d want to prove that it could be done. Normally, this can be replicated in a development environment to ensure that availability is not affected.”
Griffiths says that a pen test can last from two days to three weeks, with a week being the norm. A key decision is whether to include social engineering hacks. These may involve the pen tester visiting the client’s premises incognito to gain physical access to systems or drop infected USB flash drives to see if anyone picks them up and uses them out of curiosity. Other acts of skulduggery could include swiping the pass of an employee or even stealing a laptop.
He says that an under-used tactic is to commission a so-called purple team operation. In a normal test assault, attackers (known as the red team) take on defenders (the blue team). In a purple team, both sides work together under the guidance of an expert coordinator to share their knowledge. Reds attack, blues defend and then both parties disclose their thoughts to iterate the security improvements. Griffiths believes that it’s a richer process than the standard exercise.
And then there’s the question of what to do with the results. Bizarrely, many companies fail to act even when they’ve been alerted to serious chinks in their armour.
“It’s a big frustration to testers when they see the same vulnerabilities cropping up time and time again,” reports Gyles Saunders, ethical hacker at NormCyber.
He adds that a common problem is that clients leave an easy route open, making the pen tester’s job simple. “When we see such vulnerabilities, we must exploit them, because a cybercriminal would do the same. While that’s a valuable exercise, if the client doesn’t then act on our recommendations, we’re back to square one come the next test.”
Pen testing is a vital element of ensuring cybersecurity, yet companies too often fail to instruct their white-hat hackers adequately. At worst, a poorly briefed hacker could bring down vital infrastructure. And the last thing you’d want is to see the smoking ruins of your IT system, recalling Caine’s immortal line in the original Italian Job: “You’re only supposed to blow the bloody doors off!”