The IT security market can seem like a quagmire of complexities and confusion from the outside. And there are a heap of misconceptions about the kinds of people that get into hacking, the lives they lead and the motivations that drive them.
It’s true that for some individuals, cybercrime is both a way of life and a means of making a living. But what about those on the other side of the fence; experts who work to fight back against the digital forces of darkness?
Penetration testing is the perfect example of how diverse the hacking ecosystem can be. It lets code kings put their skills to the test, but without any malicious intent. So what is penetration testing and how can it benefit businesses today?
Probing For Vulnerabilities
Data breaches can be hugely expensive for organisations around the world. In the UK alone, such attacks have cost investors in FTSE 100 companies a total of £42 billion over the past five years. A typical attack can set a major firm back £120 million, and recovery can take a long time, leaving reputations in tatters and share values in the toilet.
Because of this, many multinationals are willing to take preventative measures and invest in advanced security systems. This is all well and good, but how do they determine if the solutions that they have spent vast sums on are actually effective? It is not enough to sit around and hope that attempted hacks keep failing. Instead, it pays to be proactive.
This is where penetration testing comes into play. Businesses will pay white hat hackers to size up their IT resources and then throw everything they have at them to see what sticks. If they find a vulnerability, rather than leveraging it for their own gain, they will let the client know so that it can be patched.
While black hat operators work independently to take down targets and cause serious disruption, white hat hackers are ethically driven and are simply another form of IT professional. This is a day job for a growing number of people and services like this are increasingly essential for organisations that want to see if their security and staff training is really up to scratch.
One thing that penetration testing proves is that the myths surrounding hackers are generally false. They are not all teenagers tinkering in university dormitories, or basement-dwelling loners with no social skills. They are educated, experienced and passionate about what they do.
Furthermore, there is no specific age, gender or racial group into which hackers typically fall. They come from all walks of life, often having picked up the skills as a hobby while maintaining a full time career in another industry.
Making false assumptions can be the downfall of businesses when it comes to data security. It’s best to avoid being complacent about the resilience of existing layers of protection. Penetration testing can even factor in social engineering to find flaws that go beyond the hardware and bring human error into the equation.
Of course, just as white hat experts now work to provide penetration testing services, those with nefarious motives are also upping their game. Groups of hackers are literally setting up training programs to recruit more people to work on their damaging, wide-reaching campaigns. And some are following mainstream business models, selling access to their distributed denial of service (DDoS) networks in the same way that modern tech giants sell cloud hosting and storage to customers around the world.
This is just one of the reasons why penetration testing makes sense; the bad guys are equipped with impressive resources and are growing in power by the day. Businesses need all the help they can get from people who know what they’re doing.
Black hat operators have one big advantage over their white hat counterparts; time. While penetration testers will be able to take on a client’s security measures with the same tactics and tools as their cybercriminal counterparts, they will have to do so within a fixed schedule. A contract can only last for so long, and businesses have limited amounts of cash to spend on penetration testing.
In spite of this minor issue, penetration testing is still the best weapon that modern firms have available in the battle against hackers. Sometimes you have to fight fire with fire.
ABOUT THE AUTHOR:
Andrew Mabbitt is a cybersecurity expert at Fidus Information Security. As an ethical hacker, his job is to detect and rectify security vulnerabilities before malicious hackers do.
- Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
- Blog2022.12.13What are the Common Security Weaknesses of Cloud Based Networks?
- Blog2022.10.12Vulnerability management with Wazuh open source XDR
- Blog2022.08.29Deception Technologies: Improving Incident Detection and Response by Alex Vakulov
- Blog2022.08.25Exploring the Heightened Importance of Cybersecurity in Mobile App Development by Jeff Kalwerisky