
Hacking your way to cyber

by Mark Rowe

Rapidly evolving cyber security threats imperil all organisations and demand the full attention of their boards. It is no surprise why: the Ponemon Institute put the average total cost of a data breach at $3.86 million in its 2018 report. A comprehensive cyber security strategy is therefore essential to protect data and systems. Yet as we grapple to understand the scale and nature of the menace, challenges remain around threats, budgets and achieving the right level of in-house skills, writes Scott Nicholson, director at the info-security and risk assurance consultancy Bridewell Consulting.

Faced with these threats, organisations will inevitably turn to third-party providers for solutions. The options can seem bewildering, but penetration testing, also known as ethical or white hat hacking, is fast gaining traction. It identifies security gaps before malicious hackers do, so that holes in the defences can be fixed. It is also a key element in testing an organisation's processes, procedures and technical controls.

For hacking to be ethical, it must only be conducted after agreement between the ethical hacker and the organisation, with a defined scope, and in full accordance with the law. The hacking company should also be fully aligned with independent industry bodies such as CREST. Conducted within these constraints, penetration testing is so effective that it is mandated by some risk and compliance frameworks, such as PCI DSS and the UK Government's IT Health Check for public sector organisations. It also helps organisations avoid or mitigate the potentially very severe fines for data breaches under the General Data Protection Regulation (GDPR), which contains an explicit requirement for a process of regular security testing and evaluation.

There will always be sceptics, however, who think network monitoring or vulnerability scanning software is enough, but they would be mistaken. Such software scans the network and alerts security teams to potential issues; ethical hackers go much further, like their malicious counterparts. They validate which findings are actually exploitable, chain them together to gain a foothold, and work out how far an attacker could get once inside.

Cost may be an issue, but it is worth balancing the price of penetration testing against the risk of attack. Some organisations process personal data, and for them theft of that data is a disaster on every front, regulatory, financial and reputational; for other businesses, compromise of their networks and infrastructure could be catastrophic. This makes penetration testing an easier sell to the C-level or financial director. Even where companies do not process sensitive data, an attack could inflict severe reputational damage.

Objective view

All these points make penetration testing a powerful tool in the hands of internal security and compliance teams seeking more budget. Gaining a totally objective view of what hackers can achieve is a highly persuasive proof point. The technique also helps assure partners, customers, prospects and other stakeholders that an organisation is fully committed to security.

How the ethical hacking is conducted can be determined by the organisation in concert with the provider. A company's website or web applications, for instance, can be probed for weaknesses in their coding, design or deployment. Infrastructure penetration testing is another method, in which ethical hackers test everything from servers and routers, to switches, firewalls and end-points such as PCs and laptops. Ethical hackers are also able to test mobile and other devices themselves and the applications running on them.

Deeper testing

Whereas a penetration test is scoped to a specific target, such as one system or the task of gaining access rights to it, red teaming takes things further. This is a full attack simulation with an agreed objective that draws on all avenues, from breaching networks and systems, to social engineering, to gaining physical access to premises and devices. It helps identify critical issues that need remediation. Because it is more far-reaching, the simulation takes much longer than traditional penetration testing, with engagements lasting from a few weeks to a few months.

Typically, at the end of the exercise the findings are presented to the organisation with recommendations on remediation of the exposed gaps and vulnerabilities. If, however, a critical problem is identified early on, the alarm is raised immediately so a fix can be implemented without waiting for the final report. A red team engagement also provides a brutally objective view of the threat level facing an organisation, laying bare what malicious hackers are capable of. This is an extremely convincing set of results when the aim is to obtain more cyber security spending from a board.

Embracing ethical hacking

Should penetration testing become a critical part of an organisation’s overall cyber security strategy? Definitely. Yes, it requires you to put your faith in a third party trying to hack your business, but working with the right security partner, with the appropriate experience and accreditations, can bring significant value to your organisation. Penetration testing and its near-relative red teaming are incredibly effective in identifying gaps and vulnerabilities in your network, devices, and infrastructure, so you can substantially reduce the risk of an attack. Their findings will also prove highly persuasive in securing more budget for cyber security programmes, and demonstrate real commitment to security for the benefit and protection of customers, potential customers, partners and other stakeholders.

As cyber criminals and malicious actors become ever more sophisticated and devious, penetration testing enables organisations to seize the initiative in keeping themselves secure.

About the firm

Berkshire-based Bridewell is a NCSC Certified and CREST accredited cyber security business, among the exhibitors at the three-day Infosecurity Europe 2019 show at London Olympia in June. Visit www.bridewellconsulting.com.

© 2024 Professional Security Magazine. All rights reserved.