As news of major data breaches becomes a regular occurrence, more companies are renewing efforts to secure their sensitive data and prevent it from falling into the wrong hands.
Keeping networks and the systems on them safe from prying eyes is no simple task, and it cannot be left exclusively to antivirus software, intrusion prevention systems, and firewalls. With attempted attacks on valuable targets taking place dozens, if not hundreds, of times per day, the likelihood that at least one of them succeeds keeps growing.
To better protect your valuable data, you have to think like an attacker. Attackers are constantly devising new tricks, new malware, and new ways to worm into your network and wreak havoc. So who better to test your security and identify its weak points than a hacker?
Penetration testing, or pentesting, is not a new concept. It gives a hacker explicit, written permission to attack your networks within an agreed scope and identify loopholes, vulnerabilities, and weaknesses using a range of tools, from commercially available programs to open source software. Unlike a criminal intrusion, though, a pentest is carried out by a so-called “white hat” hacker, who uses his or her skills for the benefit of others, not to steal information. Armed with the details of where vulnerabilities exist and how they were exploited, IT security can shore up the defenses and reduce the chances of a real attack succeeding.
Benefits and Risks
For most security professionals or business owners, the idea of actually paying someone to attack your system sounds counterproductive. The idea is to keep hackers out, not invite them to find ways in. However, any security plan is only as good as its last success, and a key part of any plan — security or otherwise — is testing to make sure it works. The last thing you want is to discover a serious vulnerability after your network’s been hacked and valuable data has been exposed.
Pentesters are, in theory, the safest way to test your systems. Contracting with someone who does not know the ins and outs of your security perimeter and network setup will get you an independent and honest assessment of your defenses. That being said, there are risks. Some of the most common risks include hiring:
• A pentester who does not have the technical expertise to thoroughly assess your systems. Such testers often rely on tools and checklists instead of manual testing or creative thinking, which not only keeps them from finding flaws a scanner cannot see but also leaves them unable to explain the real risk of what they do find.
• A pentester who has skills in only one area. The so-called “rock star” pentester can reliably find one or two types of weakness, but does not have the breadth to conduct a thorough test across your whole environment.
• A pentester who cannot — or will not — reveal the steps taken to penetrate the system. Without reproducible steps, your team cannot verify the finding or confirm that the fix actually works.
• A dishonest or unethical pentester who actually causes a serious breach by exposing, mishandling, or retaining the sensitive information gathered during the test.
What to Look for in a Pentester
Most of the risks associated with bringing on a pentester can be avoided by making smart hiring decisions. Knowing what to look for and the questions to ask can improve the chances that you’ll identify the weaknesses in your security protocols and correct them.
In short, some of the qualities you need to look for include:
Technical knowledge and recent experience. You want pentesters who have security certifications and formal training in a lab or classroom environment in addition to real-world experience. Avoid hiring “experts” who do little more than run tools and interpret their reports; seek out those who use tools, but only as one part of a test that also relies on manual analysis.
A solid reputation within the InfoSec community. You want hackers who are visibly involved in the community: speaking at conferences, publishing reputable blogs, participating in “Capture the Flag” events, and committed to best practices, ongoing education, and white hat activities. You don’t want the arrogant hackers who may value the “conquest” of your organization more than your security. Never hire someone who has little to no reputation; your company’s security is too important to leave to chance.
Good communication skills. If the pentester can’t explain what a vulnerability is, how it was found, and what it means for the business in language everyone understands, the entire exercise will be frustrating and the findings are unlikely to get fixed.
These are just a few of the qualities you need in a pentester. You want someone with a passion for what they do and a genuine desire to improve security and protect valuable assets. Keep in mind, as well, that a pentest is just one tool for assessing your overall risk; its results must be combined with your own findings to accurately determine your risk exposure and security profile. It is a powerful tool, however, and when used appropriately it can go a long way toward sparing your company a costly breach.