Penetration Testing & Ethical Hackers

Uploaded on 2021-12-15 in TECHNOLOGY--Resilience, Directors Reports

Directors Report:  This Premium article is no longer free to view. For unrestricted website access please Subscribe: £5 monthly / £50 annual.

With the shift to remote working and companies left more vulnerable than ever, cyber attackers have used this opportunity to take advantage of thousands of enterprises and people all across the world. 

Penetration testing, or pen testing, is a security exercise where a cyber security expert attempts to find and exploit vulnerabilities in a computer system. The purpose of this simulated attack is to identify any weak spots in a system’s defenses which attackers could take advantage of.

In 2020, the rates of cyber crime increased immensely and in 2021 it has continued to increase. During the pandemic, many companies started working from remote areas. Several companies started to digitalise their business, which increased the demand for various cyber security solutions and penetration testing solutions. 
Employees got access to use the company's data on their personal devices, which surged the chances of data breaching and data loss.

All these factors are accountable to the surge in demand for penetrating testing and the Global Penetration Testing Market size is expected to reach $3.1 billion by 2027, rising at a growth of 12% CAGR. 

Penetration testing is performed to test a network, computer system, and web application to identify security weaknesses including the possibility to access the system's data & features by unauthorised parties and strengths that allows a full risk assessment to be completed. Penetration testing is the method of testing, which is used to increase and measure the installed security solutions on various devices like computers, mobile phones, and other information systems.

It is becoming more important than ever to undertake regular vulnerability scans and penetration testing so as to avoid vulnerabilities and make sure that your organisation is protected against cyber attacks. Penetration testing could help enhance the cyber defenses that are in place while ensuring the safety of the company.

The number of cyber attacks on organisations is increasing year on year and various businesses of all sizes are being targeted by criminal hacking groups or nation-state actors. The approach to security has evolved over the last few years, however, to focus on having a year-round view of security and vulnerabilities as opposed to a singular Penetration Test is a point in time assessment, and therefore limited as regards ongoing view.

A rise in multiple cyber-attacks and the lack of knowledge and defenses to tackle them has made it extremely important for companies to use ethical hacking to combat hackers. 

While Black Hat hackers use their skills for malicious purposes to defraud high-profile companies or personalities, Ethical Hackers or White Hat hackers use the same techniques, penetration testing, different password cracking methods or social engineering, to break into a company’s cyber defense but to help companies fix these vulnerabilities or loose ends to strengthen their systems.

Typically, penetration tests are used to identify the level of technical risk emanating from software and hardware vulnerabilities. 

Exactly what techniques are used, what targets are allowed, how much knowledge of the system is given to the testers beforehand and how much knowledge of the test is given to system administrators can vary within the same test regime. This is like a bank hiring someone to dress as a burglar and try to break into their building and gain access to the vault. If the ‘burglar’ succeeds and gets into the bank or the vault, the bank will gain valuable information on how they need to tighten their security measures. 

A penetration test, or ethical hacking test, is an authorised simulated cyber attack on a computer system, performed to evaluate the security of the system.  

The test is performed to identify vulnerabilities, including the potential for unauthorised parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed. The process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain that goal.

The goals of a penetration test vary depending on the type of approved activity for any given engagement, with the primary goal focused on finding vulnerabilities that could be exploited by a nefarious actor, and informing the client of those vulnerabilities along with recommended mitigation strategies. It’s best to have a pen test performed by someone with little-to-no prior knowledge of how the system is secured because they may be able to expose blind spots missed by the developers who built the system. For this reason, outside contractors are usually brought in to perform the tests. These contractors are often referred to as ‘ethical hackers’ since they are being hired to hack into a system with permission and for the purpose of increasing security.

Many ethical hackers are experienced developers with advanced degrees and a certification for pen testing. On the other hand, some of the best ethical hackers are self-taught. In fact, some are reformed criminal hackers who now use their expertise to help fix security flaws rather than exploit them.

The best candidate to carry out a pen test can vary greatly depending on the target company and what type of pen test they want to initiate. Only a penetration test carried out by a trained security professional can give you a proper understanding of the security issues you face.  

To protect your organisation, you should regularly conduct penetration tests to:

  • Identify security flaws so that you can resolve them or implement appropriate controls.
  • Ensure your existing security controls are effective.
  • Test new software and systems for bugs.
  • Discover new bugs in existing software.
  • Support your organisation’s compliance with the UK GDPR regulation and UK DPA (Data Protection Act 2018), and other relevant privacy laws or regulations.
  • Enable your conformance to standards such as Payment Card Industry Data Security Standard.
  • Assure customers and other stakeholders that their data is being protected.

What are the types of Pen Tests?

  • Open-box pen test:  In an open-box test, the hacker will be provided with some information ahead of time regarding the target company’s security info.
  • Closed-box pen test:   Also known as a ‘single-blind’ test, this is one where the hacker is given no background information besides the name of the target company.
  • Covert pen test:  Also known as a ‘double-blind’ pen test, this is a situation where almost no one in the company is aware that the pen test is happening, including the IT and security professionals who will be responding to the attack. For covert tests, it is especially important for the hacker to have the scope and other details of the test in writing beforehand to avoid any problems with law enforcement.
  • External pen test:   In an external test, the ethical hacker goes up against the company’s external-facing technology, such as their website and external network servers. In some cases, the hacker may not even be allowed to enter the company’s building. This can mean conducting the attack from a remote location or carrying out the test from a truck or van parked nearby.
  • Internal Pen Test:   In an internal test, the ethical hacker performs the test from the company’s internal network.

This kind of test is useful in determining how much damage a disgruntled employee can cause from behind the company’s firewall.

In an online world infested with hackers, we need more ethical hackers. But all around the world, hackers have long been portrayed by the media and pop culture as the bad guys. Society is taught to see them as cyber criminals and outliers who seek to destroy systems, steal data and take down anything that gets in their way.

  • Many cloud vulnerabilities are often missed when only pen testing is used as these tests are focused on data center techniques and not cloud tactics. Flaws are often only apparent in the full context of the environment and this is made clearer by using pen testing and ethical hackers.
  • Primarily the IT security team devises the security program but if done in coordination with the ethical hackers, they can provide the framework for keeping the company at a desired security level.  Additionally by assessing the risks the company faces, they can decide how to mitigate them, and plan for how to keep the program and security practices up to date.
  • After completing a pen test, the ethical hacker will share their findings with the target company’s security team. 

This information can then be used to implement security upgrades to plug any vulnerabilities discovered during the test. 

No matter how large or small your company is, you need to have a plan to ensure the security of your information assets. This plan should include Pen testing and the use of ethical hackers to test your organisation’s electronic systems.

For information & recommendations on Penetration Test contact Cyber Security Intelligence.

References

NCSC:   Imperva:      DigitalPathways:      Software Testing News:    Cloudflare:   

 ITGovernance:     GlobeNewswire:      Dark Reading:      Packt:      Packt:  

You Might Also Read: 

The Value Of Network Pen Testing To Reduce Cyber Attacks:

 

« Stolen: Personal Details Of 80k Australian Government Employees
Hackers Compromise Indian Prime Minister's Twitter Account »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

Synovum

Synovum

Synovum was formed with the intention to provide high quality advice, consultancy, training and project management services to clients in all sectors of industry.

Engage Black

Engage Black

Engage Black provides solutions for securing and protecting cryptographic keys, data at rest, and data in motion.

I-Tracing

I-Tracing

I-TRACING are experts in IT security, specialized in legal compliance of information systems, security of information systems, and the collection of digital evidence and traces.

Ministry of Defence Georgia - Cyber Security Bureau

Ministry of Defence Georgia - Cyber Security Bureau

The aim of the Cyber Security Bureau is to establish and develop stable, effective and secure Information and Communication Technology systems for the Civil Office of MoD of Georgia.

Cyber Execs

Cyber Execs

Cyber Execs is a Cyber Security Consultancy & Executive Recruitment firm.

Tech Mahindra

Tech Mahindra

Tech Mahindra is a global leader in IT solutions, BPO, business consulting services & digital technologies.

CyberDegrees.org

CyberDegrees.org

CyberDegrees.org aims to provide top-notch information for students seeking Cyber Security education and career guidance.

MyCyberSecurity Clinic (MyCSC)

MyCyberSecurity Clinic (MyCSC)

MyCyberSecurity Clinic's main goal is toward establishing an international reference centre for excellence in the field of digital forensics and data recovery services.

Sygnia

Sygnia

Sygnia is a cyber technology and services company, providing high-end consulting and incident response support for organizations worldwide.

Approov

Approov

Approov provides a comprehensive runtime security solution for mobile apps and their APIs, unified across iOS and Android.

Accenture

Accenture

Accenture is a leading global professional services company providing a range of strategy, consulting, digital, technology & operations services and solutions including cybersecurity.

Metmox

Metmox

Metmox mission is to be trusted advisor and partner to protect our customer’s evolving Cloud, Network, Application, IT infrastructure and cybersecurity needs.

LaScala

LaScala

LaScala is an IT Managed Services provider delivering technical, security, and compliance solutions with dedication, compassion, and agility.

SequelNet

SequelNet

SequelNet is an emerging MSP, providing 360° business IT solutions and consulting services.

FusionAuth

FusionAuth

FusionAuth is the customer authentication and authorization platform that makes developers' lives awesome.

Clarity

Clarity

Clarity is an AI cybersecurity startup that protects against deepfakes and new social engineering and phishing attack vectors accelerated by the rapid adoption of Generative AI.