Security hacks from the (ethical) hackers
TechInformed’s Nicole Deslandes talks with three pen testers to get their take on the biggest cyber threats facing enterprises and what can be done to prevent them.
While it might seem counterintuitive to employ an ethical hacker to break into your company’s systems, ethical hacking – or penetration testing – has become a legitimate career path and a much sought-after service in recent years as cyber-attacks increase.
In a recent study, most IT decision-makers across the globe said that they lacked confidence in their organisation’s strength against cyber-attacks, and 64% said that they believed that their company will experience a disruptive event in the next year.
Working from home has only increased the CIO and CSO’s anxieties: 74% of IT decision-makers say they have seen an increase in attacks after employees started working remotely.
To prevent future attacks, ethical hackers and pen testers are hired by firms to discover vulnerabilities in an organisation’s software before they can be exploited by criminals.
Typically, pen testers draw up a report for their customers on the weaknesses found in their systems, suggestions on how they can improve, and ideas on how to better protect their systems and services from future attacks.
Here, we speak with three ethical hackers about their experiences in cyber security and their outlook on future cyber threats. They include: Trustwave’s Ed Williams, director of SpiderLabs – the security firm’s elite team of ethical hackers, forensic investigators, and researchers; Phil Cordey, head of cyber consultancy at Cyber Security Associates (whose clients include the Bank of England); and James Pickard, security testing manager at cyber security firm IT Governance.
Ed Williams (EW): Within the UK, the ethical hacking scene is quite regulated, and you have certification bodies, which at an organisational level, and a personal level, make sure that somebody isn’t a convicted criminal and that everything they’re doing is legitimate. A big customer in the UK is government organisations and that comes with its own clearances which are very tightly regulated, so it’s quite a mature market in the UK.
Phil Cordey (PC): This is a topic within the cyber security community at the moment. There have been some recent cases where ethical hackers, working independently, have subsequently been arrested and charged for finding weaknesses in IT systems and informing the company. When engaging with a penetration testing company, businesses should always ensure that the company has the right accreditations and is vetted by a reputable governing body regarding penetration testing. In the UK, businesses should check that the penetration testing company is accredited by a recognised security certification body such as CREST and is part of the CREST community.
In terms of the individual penetration tester, at the very least, they should be a Certified Ethical Hacker (CEH), and where possible and/or applicable, hold other certifications, such as GIAC or the NCSC CHECK qualification scheme.
EW: The push to the cloud: while a good thing, it is equally a terrible thing. We’ve seen that ransomware attacks have increased, and the two go hand-in-hand because you can launch a lot more attacks just from the cloud.
PC: There have been a few things that have changed in the last few years: a rise in the ease with which criminals can infiltrate and target a company, a rise in vulnerabilities in IT systems (especially as these applications migrate to be hosted on the Cloud), and criminals infiltrating the IT infrastructure and endpoint management solutions as a means to gain access to companies’ IT infrastructure.
James Pickard (JP): “There is a game of cat and mouse – as recent technology emerges new threats are inevitably discovered and as digitalisation has grown, there is a larger attack surface on both companies and individuals.
The media is also having an effect, as there is a larger amount of coverage on companies that have been compromised and the availability of this information often draws the attention of bad actors.”
EW: There are two common issues that are both severe: patch testing and passwords. Organisations find it difficult to get a grasp on their asset management, especially with the cloud. We know that ransomware is on the rise and fixing it involves going back to the basics.
There’s a lot of snake oil in the industry that states that one thing will fix all your problems. Well, that isn’t the reality. Get the basics right and you’re going to be a tough nut to crack… You’re going to get compromised at some point, so you need to get this defence in place.
People are the biggest weakness. They make mistakes because they’re busy, they’ve got tight deadlines and they’re not aware of security.
PC: A lack of staff within the cyber security department/function is a big one we commonly see as a lot of companies still see security as part of an IT function, but it needs to be considered as its own department with experts hired accordingly.
A lack of regular testing of backup data coupled with a lack of procedures and testing on restoring services is another common one. As is a lack of policies and procedures within Information and IT Security to measure the effectiveness of controls.
Many of these issues boil down to a lack of true commitment from boardroom-level management and company leaders to invest in cyber security protection, especially given the changes made regarding application and service hosting. Ironically, the investment comes after an incident. Companies could save lots of time, money, and reputational damage by investing in effective security solutions in the first place.
JP: The end users are one of the biggest areas of concern as they offer a foothold into the systems. However, all parts of the company must play their part in security.
PC: From my perspective, the list of threats is a continuation from the last three years or so, but it includes: business email compromise and/or fraud through manipulation and imposter techniques; ransomware and encryption of key files and folders; account takeover due to poor protection controls; and data exfiltration of business and sensitive information.
What I find frustrating is that these incidents can be avoided, or their impact drastically reduced, but there is still this disconnect between the need to secure an IT service and the cost and the impact of changing something which affects the end-user.
EW: I’ve been doing this for about 15 years, and I see reports of the same types of issues that I was doing when I first started – it’s all just really the basics and it’s important for organisations to make sure that they’ve got good cyber hygiene. When you’re looking at an enterprise-level organisation, it’s hard to do it across that scale. So, making sure things are patched is important but difficult.
Firstly, organisations need to know what they have got in terms of hardware and software. Once they know what they’ve got, then they can build a plan around it. So, businesses need to make sure that patching across the board is done and make sure that their passwords are not easy to guess.
EW: We’ve certainly seen a lot of different types of attacks. Mainly phishing attacks, from people clicking on links and emails, and attacks have become more targeted.
PC: In the early days of the pandemic, the priority for businesses was to get people working from home as quickly as possible. As a result, concessions needed to be made in terms of accessing and protecting systems for the good of the business functioning.
Take web browsing as an example. Within a company, the local firewall or web proxy would traditionally protect an endpoint from accessing malicious or unsanctioned websites and being targeted by criminals while being connected to the internet. However, when working from home, the protection from the firewall was no longer in place as staff accessed websites and online platforms directly.
Other areas where concessions were often made included securing access to applications, patching systems for vulnerabilities, updating antivirus signatures, blocking applications from being installed and much more. Each of these ancillary/supporting services was, and in some cases still is, no longer being performed or monitored, since devices are still connected to the public internet directly, as opposed to being behind a company security system.
EW: “Get pen tested regularly and make sure that you’re not too narrow on scope. For example, we’ve done tests before where we’re just looking at a little bit of infrastructure that the organisation owns, but we know there’s other infrastructure that the organisation is aware of, but they don’t want us to look at because they know it’s bad. So, it’s about being honest with yourselves as an organisation and getting things fixed. There’s nothing more heart-breaking than doing a really thorough job and giving them a good report, only to go back next year and see the same issue.”
PC: “Employee awareness and phishing testing go a long way in improving the security posture of a company. However, when deploying and planning cyber training, remember that one type of awareness does not suit every staff member. Blended training techniques and light-hearted training/information help inform and teach staff on the dangers of cyber-attacks, the consequences of an attack and how to protect themselves and the company.”