“We have a problem here…” said the voice on the phone.
Our customer hired us to test their computer systems for vulnerabilities…and we had just found a big one.
Our testing had uncovered a serious bug in the customer’s firewall.
This bug crashed the connection, knocking the whole company offline.
The bug was similar to the recent CrowdStrike flaw, but on a vastly smaller scale.
After a tense 30 minutes, we got the customer’s data pipe back online.
Our customer was appalled that in years of testing, nobody thought to attack the firewall protecting the web link.
Because that is what a black hat hacker might do.
For our customer, the test revealed a serious flaw in their network that they patched quickly, preventing another disaster.
Penetration testing is a vital part of building a secure environment, but it is not without risks.
I did white hat hacking for years.
Before you hire a penetration tester, here are some important issues to consider.
Cybersecurity pioneer, founder and CEO of Zenaciti.
Risk is unavoidable
It is impossible to predict how systems may react to penetration testing.
As was the case with our customer, an unknown flaw or misconfiguration can lead to catastrophic results.
Skilled penetration testers usually can anticipate such issues.
However, even the best white hats are imperfect.
It is better to discover these flaws during a controlled test than during a data breach.
While performing tests, keep IT support staff available to respond to disruptions.
The whole point of a test is to see what breaks.
Hacking the void
Black hat hackers will attack anything and everything they can.
Consequently, penetration tests must test everything.
If parts of your web connection are excluded or systems are turned off, testers cannot assess their security.
Likewise, testers cannot test something they cannot access.
Testers will need access to all parts of the web link to make the tests valid.
This means they will use well-known vulnerabilities they are confident they can exploit.
Some hackers are still using ancient vulnerabilities, such as SQL injection, which date back to 1995.
They use these because they work.
It is uncommon for black hats to use unknown or zero-day exploits.
These are reserved for high-value targets, such as government, military, or critical infrastructure.
It is not feasible for white hats to test every possible way to exploit a system.
Rather, they should focus on a broad set of commonly used exploits.
Lastly, not every vulnerability is dangerous.
A good white hat hacker will rank vulnerabilities based on how easy they are to exploit.
Skill matters
Most white hats use a broad set of tools for testing.
Be careful with testing providers that assign only junior or contracted testers.
Use a pool of three to five companies and rotate among them.
Different companies have different skill sets.
These tests will focus on a single exploit path and can miss many other exploitable avenues.
A good testing company will conduct both a systemic assessment and a focused “black hat” style break-in.
Third party traps
One of the most significant areas of weakness is third party applications or systems.
Unfortunately, some vendors may specifically prohibit you from testing their systems.
This can present a massive set of vulnerabilities you cannot detect or defend against.
These tests are overwhelmingly successful, because people are inherently trusting.
Rather than random tests, perform targeted phishing tests to evaluate if employees follow security policies.
If users fail a social engineering test, focus on education, not admonishment.
Time is the enemy
Time is the ultimate constraint for any penetration tester.
There are only so many hours in an engagement.
Consequently, testers must use their time efficiently.
This means automating as much as possible, so they can focus their attention on the more nuanced vulnerabilities.
Black hats, on the other hand, do not have time restrictions.
They can take weeks, months, or even years to break in.
This inherently creates an unequal arrangement.
It is unreasonable to expect penetration testers to devote unlimited time or effort to a test.
This would make the testing outlandishly expensive.
Allocate resources to address issues after the test.
Think systemically
Avoid fixing vulnerabilities individually.
Implement systemic improvements across the organization.
Most vulnerabilities can be remediated through automated software and OS patching.
For misconfigurations, standardize system deployment and management.
Conclusion
Penetration testing is essential for any organization.
It is better to have a white hat hacker find a vulnerability before a black hat does.
However, no security control or technology is perfect.
Flaws are inherent in any complex system.
Even the best security products, practices, and people can fail.
The technologies you use are not as important as how you manage, monitor, and test those technologies.
They will break anything to get your data.
For security to be effective, you gotta think like a black hat hacker, and test everything.
Especially the systems you believe are safe.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.