Internet security has been hotly debated throughout the media recently. Anyone and anything connected to the net is under attack. The average person can stop attacks with antivirus programmes, firewalls, spam filters and intrusion – or by avoiding dodgy emails that appear in their inbox, but what about more sophisticated attacks that are becoming increasingly common?
Some attacks look like they come from your colleagues, or quote names, incidents and ID numbers that only insiders at your company would know. Other sophisticated attackers use a known vulnerability in widely used software to grab login IDs and use them to crack open a business network. So how do you guard your corporate wellness against them? Fortunately, there is an antidote: the penetration tester.
John Yeo, European head of Trustwave’s SpiderLabs pen test team, which carries out hundreds of penetration tests every year, explains, ‘They pay us to replicate the same kinds of attacks used by the bad guys, the cyber criminals.’ Companies like Yeo’s try to find ways to penetrate the defences of a company and see if those defences can thwart the most sophisticated attacks. Otherwise known as “white-hat hackers”, these skilled security testers are vital in the fight against sophisticated hackers who put more time, resources and technical skill into their approach.
According to Christian Angerbjorn, a former in-house pen tester at one of the UK’s High Street banks and now security head at IF Insurance, banks and other financial institutions are top targets for hacking. ‘The closer you are to cash, the closer you’ll be to getting attacked,’ he commented. ‘The importance lies not in what you are doing but in quantifying the risks you face.’
You might think your money is better spent on security tools and training, but a thorough pen test, Angerbjorn claims, will give you a good sense of what attacks are likely to work and help define the action you need to take to defeat similar attacks. He added that a penetration test is more about the test than it is the penetration. ‘The question is not whether you can get in, usually you can because the more you dig the deeper you get,’ he said. ‘The more important thing is what risks you expose and what damage could that do.’