Why do companies order hackers to hack into their IT systems?
White-hat hackers can find vulnerabilities before attackers do.
Amid stories of large-scale cyberattacks on states, banks, and the smartphones of ordinary citizens, the word “hacker” has become synonymous with cybercriminals. In the original sense of the word, hackers were simply strong programmers with an in-depth understanding of computer systems. Such people are not hard to find today, and there is a whole industry of “ethical hackers” who break into IT systems at the request of their owners.
They are far from being as well known as their criminal counterparts, but their services in finding security loopholes are in steady demand among businesses and the public sector. The interest is understandable: the purpose of white-hat hackers’ work is to show the customer its vulnerabilities before malicious hackers take advantage of them.
How do white-hat hackers work?
Penetration tests are divided into external and internal. In the first case, specialists play the role of an outside attacker, trying to break into the customer’s IT systems from the Internet. Internal tests look at the IT systems through the eyes of an insider (for example, an employee of the customer company), who starts with more knowledge of the environment and a better chance of causing damage.
At the end of the project, the pentesters prepare a detailed report covering the methodology, the course of the work, and the results, confirming each vulnerability found with evidence: screenshots of compromised machines, lists of accounts with fragments of the extracted passwords (which the account owners can verify), and configuration files of network equipment. Pentesters do not fix the vulnerabilities they find: that is the task of the in-house specialists, since they are the ones who operate the system.
Some contracts include a re-check of the results after the in-house specialists have fixed the deficiencies. There is also a practice of cross-checks, when 2-3 companies perform the same set of work one after another and the customer pays for each check in full. It is not customary, however, to run two independent tests in parallel: running tests simultaneously on real infrastructure can be dangerous. There can still be an element of sporting competition in white-hat hackers’ work, when they race to hack models of power grids, production sites, and transport infrastructure – but only models.
In particularly complex cases, or when critical infrastructure is involved, so-called test beds – complete duplicates of the infrastructure – can be used, say several of the experts interviewed. These can be attacked without disrupting the operation of the main system. Duplicating a system is quite expensive, so the company has to balance the cost against the benefits of such a check. It is used more often for critical infrastructure – when managing hazardous production facilities, where a failure would mean large financial losses.
Who Orders Tests
The earliest and still the most common customers come from the financial sector, but recently the list of industries has been expanding.
Some want to secure their business and test their applications; others, including government agencies, are trying to reduce the reputational risk of a cyberattack on their web resources; still others are concerned about the confidentiality of their information and know-how.
As a rule, tests are conducted after a major infrastructure upgrade. First, the company orders two tests: the same pentesting team identifies vulnerabilities and later verifies that they have been fixed. Then a third test is done by a different team to find new attack vectors. This cycle of checks is conducted on average once a year.
Pentests are also needed to check how quickly the internal information security service responds to incidents. Most often, pentests find mistakes made by the company’s own programmers, while other significant vulnerabilities are rarely found. The main source of problems is personnel and a lack of digital hygiene: people use weak passwords and leave security holes. Dictionary passwords and cleartext data transfer protocols were found in all the systems examined by the specialists, and, according to their data, vulnerable software versions and publicly accessible interfaces for remote access and hardware control were present in 91% of systems.
Each project is assembled from different services and tools, so there is no standard price for a penetration test. The market is actively evolving along with the technology, and attackers are also investing seriously in their tools. Because of this, the market for penetration tests as a protective measure is expected to grow by 25% annually.
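The hygiene problems listed above (dictionary passwords, cleartext protocols, known-vulnerable software versions, Internet-exposed remote-access interfaces) are exactly what an in-house team can screen for itself before a pentester arrives. The script below is an added example, not code from the article or from any pentest firm; the host inventory, the short password dictionary and the “vulnerable versions” table are all constructed placeholders standing in for a real inventory, wordlist and advisory feed.

```python
"""Self-assessment for the hygiene findings the article says pentests report most often."""
from dataclasses import dataclass

# Constructed placeholders: a real check would load a full wordlist and an advisory feed.
DICTIONARY = {"password", "123456", "qwerty", "admin", "welcome1"}
CLEARTEXT_PROTOCOLS = {"telnet", "ftp", "http", "snmpv1"}
REMOTE_ADMIN_PORTS = {22, 23, 3389, 5900}
VULNERABLE_VERSIONS = {("openssh", "7.4"), ("apache", "2.4.29")}  # constructed, not real advisories


@dataclass
class Host:
    name: str
    passwords: dict   # account -> password, as recovered during an audit
    services: list    # (protocol, port, product, version)
    public_ports: set # ports reachable from the Internet


def audit(host):
    """Return the list of hygiene findings for one host (empty list = clean)."""
    findings = []
    for account, pw in host.passwords.items():
        if pw.lower() in DICTIONARY:
            findings.append(f"dictionary password for {account}")
    for proto, port, product, version in host.services:
        if proto in CLEARTEXT_PROTOCOLS:
            findings.append(f"cleartext protocol {proto}/{port}")
        if (product, version) in VULNERABLE_VERSIONS:
            findings.append(f"vulnerable {product} {version}")
        if port in REMOTE_ADMIN_PORTS and port in host.public_ports:
            findings.append(f"remote admin {proto}/{port} exposed to Internet")
    return findings


def share_affected(hosts):
    """Percentage of hosts with at least one finding, the figure the article quotes as 91%."""
    affected = sum(1 for h in hosts if audit(h))
    return round(100 * affected / len(hosts))


# Constructed inventory of three hosts.
HOSTS = [
    Host("fw-edge", {"admin": "Admin"}, [("ssh", 22, "openssh", "7.4"), ("https", 443, "nginx", "1.24")], {22, 443}),
    Host("plc-gw", {"operator": "Xk9#vq2Lp"}, [("telnet", 23, "vendor-cli", "1.0")], set()),
    Host("db-int", {"dba": "c0rrect-h0rse-b4ttery"}, [("postgres", 5432, "postgresql", "16.1")], set()),
]

if __name__ == "__main__":
    for h in HOSTS:
        print(h.name, audit(h) or "clean")
    print(f"{share_affected(HOSTS)}% of hosts affected")
```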