By Martin Tan
Most businesses see the value in having an external party validate and audit the security of their systems and apps. Just like it’s hard to proofread your own writing, when your head is deep in the work, it can be easy to overlook gaps and vulnerabilities, especially if you’re consumed with a million other pressing tasks.
But while the value might be understood in theory, there are still a few lingering misconceptions around how a penetration testing engagement really works. Whether it’s a lack of understanding about what we need access to, or the false belief that we’re only there to be critical, these have the potential to hinder collaboration between the cyber security company and the client.
Here are three points every client undertaking a penetration test should understand ahead of any engagement.
Good security comes from diverse perspectives
Pen testers are unique in that they take a hacker mindset. When we approach your business, we’re looking at it as if we’re an adversary – we don’t care about traditional rules and will leverage techniques that would often be illegal if we didn’t have permission!
The skills our penetration team use are similarly very unique – and we’re constantly honing and evolving these, through our own research, knowledge sharing and participation in competitions and exercises like bug bounties. Because of this, we’re likely to pick up on things you might never have thought about, particularly under layered defences.
Humans > tools
Perhaps you think that using a good scanning tool can take the place of a pen test? There’s certainly a plethora of tools out there that can be leveraged when testing your security, but only a human can explore the full possibilities of what the true risk of a security issue is.
For example, you may think that an unpatched system presents little to no risk. When our team scan for vulnerabilities, we do this against the full context of your business. By chaining together everything we find, we can map out exactly how a bad actor could exploit your vulnerabilities in unexpected ways. And don’t forget your people – unlike a technical tool, we understand human behaviour and can implement all sorts of social engineering tactics that would allow us to evade your controls through human error.
Sometimes, it isn’t even your business that’s the target – often we’ve been able to demonstrate how a simple oversight in your security posture can allow a bad actor to target your customers and stakeholders, through using your credentials or stealing your data. As you can see, no tool or programme is a substitute for the creativity and intelligence of a real person.
We’re on your side
We’re here to do more than just share the results of a penetration test. When we engage with our clients, we take the time to really understand their business, so our consultants can build a scope that clearly identifies what needs to be tested, and why. Following an audit, we work with you to ensure you have a robust understanding of what vulnerabilities we’ve found, the risks they present, and how they can be used by adversaries – which is invaluable for remediating any issues.
We aren’t here to embarrass or show up the IT or developer team. We’re here to help find the weak points in your security and paint a picture for you on how malicious hackers work, and the steps they would perform during a breach. Occasionally there has been some resistance from teams to fully open their business up to us – for example, I’ve had clients show reluctance when handing over their source code. However, it’s important to understand that giving us more information allows us to provide more thorough feedback and advice.
If there’s one parting thought to leave with businesses looking to improve their cyber security posture it would be this – be open-minded when engaging with your security consultant when it comes to penetration testing, and turn it into a learning experience, rather than just a box-ticking audit exercise. A good consultant should be your trusted partner to find the gaps and weak points in your cyber security and help you on your journey to mitigating the risk associated with these – after all, if a penetration tester can find a vulnerability, it’s only a matter of time before a cyber-criminal will discover it as well.