Any business that isn’t doing penetration testing to identify and address vulnerabilities in its IT environment should get started — fast.
It’s easier than ever for malicious hackers to breach an organization’s network. There are many tools available today to automate the exploitation of remote hosts, so the bad guys don’t need as many skills or have to work as hard to get at what they want, says Maninder Pal Singh, executive director of the cybersecurity technical certification body EC-Council Global Services. These days, a main goal for them is to target data that can be monetized.
It’s difficult to breach up-to-date and appropriately configured operating systems running on servers equipped with state-of-the-art firewalls, intrusion detection and prevention systems, he says. But trouble lurks when companies regularly develop new applications and customize existing ones, especially without following such practices as Secure Software Development Life Cycle or conducting security reviews when technology is added or altered.
“This could result in unfixed vulnerabilities that are used by attackers to break into the network,” Singh says. “Using the applications as the entry point, the hackers can gain access to the servers and network.”
What Is Penetration Testing?
A penetration test, or pen test, allows an organization to discover the weak spots in its IT systems before a malicious actor does. Once the initial vulnerabilities are exploited, the testers use those footholds as a pivot point to expand their access on the target network and try to gain higher-level privileges. The goal is to show an organization its vulnerabilities and then provide concrete advice on how to remediate them.
Mark Lachinet, a security solutions manager at CDW, explains the company's Comprehensive Security Assessment service in a blog post: its white hat hackers use the same tools and techniques that cybercriminals deploy against organizations' networks. “The difference is that we’re the good guys, and we use the information we discover during this penetration test to help you improve your network security,” he says. “You get all the lessons learned that normally result from a security breach without actually experiencing the breach itself.”
According to Lachinet, organizations often discover that they have devices that lack proper security controls and fall outside normal management practices. He also notes that organizations are usually surprised by how far into the organization testers can get by using social engineering tactics. And organizations usually ask to have their own cybersecurity teams observe the testing.
Penetration testing can help organizations “avoid the debilitating costs of a breach and prioritize security spending,” as CDW notes.
Best Practices for Hiring White Hat Hackers
Using penetration testers, sometimes called white hat hackers or ethical hackers, to look for vulnerabilities helps to avoid costs and other damages to a business when systems or data are compromised and the breach is disclosed, says Joel Snyder, senior partner at IT consulting firm Opus One.
Another advantage of hiring independent penetration testers is that they bring objectivity to the table, which internal developers, designers or IT security staff may not be able to do. “It’s good to have an independent group that stands back to hold up the mirror,” says John McCumber, director of cybersecurity advocacy at (ISC)², a nonprofit membership association for information security leaders.
But it’s important to be careful when hiring a white hat hacker. Many companies bill themselves as offering penetration testing services but aren’t truly expert at it. Such companies often hire inexperienced semiprofessionals — think college kid with a laptop — who don’t have the skills to go deep into penetration testing. They may catch some obvious mistakes but not fundamental errors like coding vulnerabilities, says Snyder.
Here are some best practices for making good choices when hiring white hat hacker contractors:
- Decide on the appropriate type of penetration testing. White box or black box? In a black box test, the contractor receives only the information an attacker could figure out from publicly available sources; a hacker performing a black box test may receive nothing more than a URL. In a white box test, the hacker receives far more: not only the URL of the app but possibly copies of the source code and other information an external attacker is unlikely to possess. Black box penetration testing may mirror a more realistic scenario, Snyder says, but white box testing helps the contractor do deeper testing and deliver greater insight into critical vulnerabilities. White box testing also better prepares a business against internal attacks, such as from a current or former employee.
- Get recommendations from trusted sources and real-world evidence of the white hat hacker’s expertise. Staff developers at most businesses have probably worked at other companies that used effective penetration testing services, so ask them for suggestions, Snyder says. When interviewing potential contractors, ask for past customer references. “Some of their customers may forbid them to disclose their names,” he says, but if they’ve done penetration testing more than 10 times they should have at least a few clients willing to talk about their experiences. “If they don’t, they’re not a good choice,” he says.
- Choose a contractor that has something to lose if it performs poor service. There are a lot of tiny operators in the penetration testing world, and many of them are relatively inexpensive, but it’s best to hire a company with assets and a reputation to protect, Snyder says. Insisting on a signed confidentiality agreement obliges the contractor not to use any data it obtains in the course of testing, except for the benefit of the client.
Look for Ethical Hacker Certifications from White Hat Hackers
There are a number of organizations that provide certifications in ethical hacking. While some argue that certification matters less than a demonstrated track record of success, many agree that certification is a worthy thing for businesses to look for when selecting a penetration testing provider.
At (ISC)², the certification methodology ensures that individuals gain a broad understanding of information security protection, says McCumber. It requires that individuals complete a complex and costly process to achieve certification that meets American National Standards Institute requirements. “We use this to assure that those who get certifications have shown us that they have the necessary knowledge, skills and abilities,” he says. “We consider the Systems Security Certified Practitioner (SSCP) a key certification for professional penetration testers.”
There are ways to access deep cybersecurity expertise using managed services, too. CDW, for instance, offers Threat Check, which uses automated technology to watch for malicious network traffic and detect infected clients and botnets, then lets businesses leverage the support of CDW’s experienced engineers and solution architects. They can advise customers about issues, including which network, policy and software changes can be made to better protect organizations from cyberattacks and device breaches.
What Should a White Hat Hacker Look for in a Penetration Test?
Once the choice is made, the next step is to clarify the testing parameters.
- Define the boundaries of the engagement. “The scope has to be well defined. Exclusions (types of attacks not to be performed) should be clearly called out,” says Singh.
- Consider contracts carefully. A penetration testing contractor with lots of experience may require a liability release, Snyder notes. That can include the provision that if the network goes dark as a result of the penetration testing, it’s the client’s problem. “Think about that and make sure you negotiate that,” he says. Singh adds, “The contract has to cover applicable risks through clauses like confidentiality.” Another good idea is for payments to be tied to levels of effort — make sure to include the stipulation that the job isn’t done when the first vulnerability is found, says Snyder.
- Agree on the format of the final report. Advise contractors of expectations — for example, that they include in the report “the steps required to reperform testing and screenshots for ‘proof of concept’ along with the standard observations, risk rating and recommendations,” says Singh.
Whatever a business decides about its approach to finding and fixing vulnerabilities, and the resources it will use to do that, there’s one thing to always remember: “Systems evolve, connections are added or deleted, environments change,” says McCumber. “This is a recurring process.”