


Testing the waters: The value of ethical hacking for business

Mar 28, 2018 (10 min read)

Why bug bounty programs are on the rise


Navigating the challenges of cybersecurity can be daunting for even the most prepared organizations. As Jamie Woodruff, an ethical hacker, said in a presentation at Vibrant Digital Future: “Your infrastructure is only as strong as your weakest employee. From hacking and cracking to social engineering, every team member within your organization is a risk that needs to be managed.”

Paul Farrington, manager of EMEA solution architects at CA Veracode, says that, with the 2017 State of Software Security report showing that 77 percent of applications have at least one vulnerability on initial scan, it is not surprising that large organizations such as Google and Apple are setting up their own bug bounty programs, which pay or otherwise incentivize ethical hackers to find vulnerabilities in their software.

Ethical hackers or penetration testers, like Woodruff, can work with businesses to highlight the pitfalls and possibilities, run penetration testing, and generally help keep them and their data safe. With cybersecurity skills gaps and shortages continuing to impact the sector, bringing in external skills to test systems makes sense.

Demand increases for penetration testers

ISACA’s State of Cyber Security 2017 report found that, while one-third of the respondents note that their enterprises receive more than 10 applicants for an open position, 64 percent of that one-third indicate that fewer than half of the applicants are qualified. The report went on to note that, even skilled resources, “once hired, require time and training before they are fully up to speed and performing their job at a competence level equivalent to others who are already in the enterprise.”

As the demand for these skills increases and companies look to hire penetration testers, the industry is working to improve the reputation of a field that has not always been regarded favourably. The term ethical hacker is itself problematic and can carry negative connotations, particularly given its history. Those who were once called white-hat hackers now prefer the term penetration testers, and certification and accreditation are becoming the norm.

Dr. Danny Quist, CTO for RiskSense, says: “My first penetration testing (red) team wouldn’t admit its existence. That quickly changed. Now, becoming a hacker requires a natural curiosity and the ability to learn — that’s it.” He adds that professional training makes it easier, and that there are now plenty of resources available, including YouTube videos, books and local Defcon/2600 groups. “Charter schools are training kids to hack. The military directly recruits from high schools to train hackers. There are certifications, training programmes, and college majors dedicated to the topic now,” Quist says.

CREST is a not-for-profit accreditation body representing the technical information security industry and provides internationally-recognized accreditation for organizations and individuals providing penetration testing, cyber incident response and threat intelligence services.

Ian Glover, president of CREST, says: “Talking predominantly UK, we have introduced professional level qualifications that are recognized by industry, government, employers and individuals, from basic entry level to expert and above, 10,000 hours and above.”

CREST emphasizes that all member companies undergo regular and stringent assessment; while CREST qualified individuals have to pass rigorous examinations to demonstrate knowledge, skill and competence. CREST is governed by an elected executive of experienced security professionals who also promote and develop awareness, ethics and standards within the cyber security market.

Glover adds that different approaches are being used in different parts of the world, but the drive to professionalize the industry is strong. CREST will be instrumental in implementing licensing and penetration testing standards in South East Asia. “In Singapore they are about to launch that. If you do penetration testing work and you are not licensed, it is potentially a two-year imprisonment and $50,000 fine,” he says.

Owen Wright, assurance director at Context Information Security, which is a CREST member company, says that they aim for their consultants to acquire CREST related qualifications, which require a high level of knowledge and technical ability. Any external consultants will also require the necessary security clearances – at least Security Check (SC) level – if accessing protectively marked information and assets.

He explains that companies are increasingly using ethical hackers for penetration testing to identify vulnerabilities in an IT system. Once in, a pen tester will usually try to exploit the vulnerability further and attempt to escalate privileges to understand the full level of risk.

“A ‘red team’ exercise will mimic a real-life attack against a company to evaluate the effectiveness of the company’s security defences,” Wright says. This will usually include looking at people and processes to see how well they cope when faced with a real-life attack.

Wright likens it to a fire drill. Everyone knows they need to leave the building if the fire alarm goes off, and the safest route to follow. But a fire drill might reveal a door that is routinely locked, or fire extinguishers that are missing or non-functional. “A penetration test provides that same kind of real world attack experience by mapping vulnerabilities, exposing gaps in security policy and process and ultimately managing risk,” he says.

Technical findings then have to be translated into business intelligence. Dan Brown, cyber security consultant at FarrPoint, explains that ethical hacking has transformed from a purely technical role into one closely tied to business continuity and to translating technical vulnerabilities into business risk. He has seen the role grow in popularity over the last ten years.

“Businesses have always found it challenging to translate these very technical reports into risks that work on the same level as other business risks. Penetration testers are working with cybersecurity consultants to translate these risks into something that is more reminiscent of business metrics,” he says.

Four key drivers for a penetration test

Charl van der Walt, chief security strategy officer at SecureData, highlights four key drivers for a penetration test. The first, he says, is the checkbox. Many customers are pressured into undergoing testing for compliance reasons and these are often grudge purchases, with little cooperation from the customer, little incentive to learn and little will to genuinely remediate the issues that are discovered. He says: “These kinds of tests can’t always be avoided, but compliance alone is seldom a good reason to conduct a penetration test.”

Secondly, there is what van der Walt calls the “new helmet”. He likens this approach to the YouTube video of a little boy who gets a new bike helmet and immediately puts it to the test by running headlong into a wall at top speed. He wants to know if it works, of course, and the best way to find out is to test it.

“Even the most sophisticated IT operation has a little bit of little boy in them. Having invested countless hours and pounds into all kinds of risk, vulnerability and threat management people want to know – really know – how they’ll hold up under a focused assault and how the whole ordeal will feel,” van der Walt says. “It’s a primal psychological driver that’s a little hard to justify on a budget but is instantly attractive to people and businesses alike.”

He explains that the value is emotional and political. “Having presented the CTO with a copy of the CEO’s inbox, exfiltrated during the penetration test, all subsequent discussions about information security take on a different tone. This can represent a very powerful paradigm shift for the CISO who’s struggling to get the board or managers to take security seriously,” he says.

Bug hunting is the third driver, according to van der Walt. Many more mature organizations, especially those that develop their own software, conduct penetration tests against new code releases as a matter of firm policy. The mechanisms for scoping these engagements, setting specific goals, rotating testers and recording and tracking the findings are well defined and strictly executed.

“It’s interesting to note that in this kind of testing, the major value proposition brought by the tester is not one of skill or knowledge, but one of perspective: being trained, directed and incentivized to think and act like a ‘breaker’, not a ‘builder’, which is a perspective the customer’s own people seldom have the luxury to assume,” van der Walt says.

Lastly, van der Walt says that the most enjoyable approach is the red team war game Wright described. Van der Walt says that while these are most common in military and government contexts, they are slowly gaining acceptance in the corporate world too.

“We as a business love this kind of testing the most, not only because it’s the most fun, but also because we are most free to emulate an actual adversary, rather than a government or industry standard or other industry testers,” he says.

Ethical hackers are cheap insurance

Ed Skoudis, SANS NetWars CyberCity director and faculty fellow and author of, and lead instructor for, the SANS Institute’s SEC560: Network Penetration Testing and Ethical Hacking course, explains that through finding flaws in processes, technology, and security awareness, ethical hackers can make practical recommendations based on actual problems, not just theoretical vulnerabilities. “In that way, ethical hackers help an organization allocate often-scarce resources for cyber defence more effectively,” he says.

Skoudis says the key to getting the best from an ethical hacker or penetration tester is to look for someone with both technical excellence and an understanding of how to provide value to your business. “Hitting both of those areas is vital,” he stresses, adding that, from a technical perspective, ethical hackers should have the skills to simulate the attack techniques in widespread use by threats to your organization, which could include cyber criminals, nation states, malicious insiders, and more.

“Additionally, an ethical hacker should also understand how to communicate risk in the vernacular of your organization. Different organizations face different kinds of risk and talk about risk in a different way,” he says. Depending on the organization, business risk can include financial impact, regulatory oversight, physical safety, brand damage, and much more. “Your ethical hackers help bridge the understanding of potential attacks to business risk, so you can ensure your defences are appropriate for the threats you face.” 

He adds that there is value in seeking out ethical hackers who can make practical, business-oriented recommendations for improving defences in a way that your operations team can actually implement. “Some ethical hackers really excel in recommending practical techniques that are, for lack of a better term, ‘operationalizable’,” he says. “Look for them.”

While bounty programmes and ethical hacking are an important aspect of cybersecurity, Farrington cautions against relying exclusively on ethical hackers to find security defects. Research has shown that most flaws uncovered by ethical hackers could have been prevented by developer training or testing in the development phase. “Organizations must therefore ensure that they take a holistic approach to software application development,” he says.
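To make Farrington's point concrete, here is an added example (not code from the article, CA Veracode or any of the people quoted) of the kind of flaw a penetration tester routinely reports but that a developer-phase test would catch first: a login query built by string concatenation beside its parameterised form, exercised by a small in-memory SQLite database and a classic injection payload. The table contents, the `login_vulnerable` / `login_hardened` function names and the plaintext password storage are all constructed for the illustration; a real system would store password hashes, not the passwords themselves.

```python
import sqlite3


def make_db():
    """Constructed sample database: one users table, seeded in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password kept only so the example stays self-contained.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately weak: user input is pasted straight into the SQL text."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """Parameterised query: values travel separately from the statement,
    so quotes in the input never change the query's structure."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# The payload a tester would try: closes the string literal and appends an
# always-true clause. With the vulnerable query this yields
# ... AND password = '' OR '1'='1', which matches every row.
INJECTION_PAYLOAD = "' OR '1'='1"


def injection_check(login_fn):
    """The developer-phase test: a login routine must reject the payload.
    Returns True if the function is safe, False if the payload logs in."""
    conn = make_db()
    legit_ok = login_fn(conn, "alice", "correct horse battery staple")
    attack_ok = login_fn(conn, "alice", INJECTION_PAYLOAD)
    return legit_ok and not attack_ok


def demo():
    """Run the check against both implementations and report the outcome."""
    return {
        "vulnerable_passes_check": injection_check(login_vulnerable),
        "hardened_passes_check": injection_check(login_hardened),
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

Wired into a CI pipeline, `injection_check` fails the build the moment someone reintroduces string concatenation into a query, which is exactly the sort of defect that otherwise surfaces months later in a penetration test report.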

The value of an ethical hacker lies in prevention. As Quist says: “An ethical hacker will apply the same tactics, techniques, and procedures as an unethical hacker. The big difference is that you get to hear about what they find, and how to fix it. Ethical hackers are cheap insurance.”