Why Cyber Security Needs Ethical Hacking
Outside experts, known as ethical hackers or white hats, can perform penetration testing to put the vulnerability of a company’s IT to the test and increase cyber security. But many organizations shy away from the effort and expense. Six arguments in favor of penetration testing.
Viele Unternehmen haben die Relevanz von Cyber Security erkannt. In principle, any company can become the target of a cyber attack today – for example, through ransomware that encrypts company data as part of an extortion attempt. This form of cyber attack in particular is usually widely distributed: instead of targeting a specific company, the attackers simply wait to see which organization will respond to their phishing email. Outside experts, known as ethical hackers or white hats, can perform penetration tests to put the vulnerability of a company’s IT to the test. But many organizations, whether private or public, balk at the effort and expense. The only way to do this is to identify as many attack vectors as possible through appropriate pentests to close them off before cybercriminals can exploit them. To raise an organization’s cyber resilience to a solid level, ethical hacking is essential. Below are six arguments why penetration testing makes sense for companies.
Argument 1: External pentesting identifies security vulnerabilities
Unfortunately, those responsible for budgetin do not always see that their IT administration team needs cyber security support. There is sometimes a perception in management that pentesting is something that administrators can do on the side. They can’t. There are good reasons for this. The task of IT administration is to ensure the smooth operation of IT in the organization. The company’s IT specialists also have excellent knowledge in this area. The expertise of ethical hackers is, by its very nature, the opposite: they uncover ways that can enable corporate IT to be destroyed. In addition, cybersecurity and ethical hacking are fields of knowledge that are changing and evolving extremely rapidly. Thus, pentesters can only secure their knowledge advantage because they are highly specialized and deal with their topic on a daily basis.
Argument 2: Be able to analyze the machine code
While IT administrators deal with the operational level of software, ethical hackers deal with the program code. If necessary, pentesters also apply reverse engineering, in which they analyze the program files at runtime and observe their behavior. Of course, it is necessary to understand the binary or machine code of the program. Administrators usually can’t do that, because it’s not in their area of responsibility. Ethical hackers are thus also able to find undocumented functionality that could not have been anticipated but are potential attack vectors. Dies können beispielsweise Testmethoden sein, die ein Softwareentwickler oder eine Softwareentwicklerin zum Debugging genutzt und irrtümlich im Programm hinterlassen haben. Therefore, cyber security is a specialized field where a great deal of know-how comes from dealing with the subject on a daily basis.
Argument 3: An internal Red Team can reduce costs
If a company is large enough, it may be worthwhile to organize ethical hacking in-house. To this end, the company is building its own dedicated Red Team for more or less continuous pentesting. Then the attackers in the Red Team often face a dedicated Blue Team with the defenders. For its own Red Team, a company usually needs to hire at least two to three full-time pentesters – or more, depending on the size of the company. Thus, in the long run, an internal Red Team is probably the more cost-effective solution in terms of cyber security in large companies. However, it has the disadvantage that sooner or later the own Red Team is threatened by a certain operational blindness. The advantage of external ethical hackers is therefore usually that they bring a fresh perspective to pentesting – in the form of valuable experience from numerous other companies and organizations with correspondingly diverse IT structures.
Argument 4: The indispensable pentests are not off-limits
However, there is still a tendency in some companies to make ethical hacking taboo. Consistent pentesting then already fails due to the company´s concern that carrying out such tests could become public – and damage its image. It does not help a company in any way to place taboos on the subject of cyber security. On the contrary: in the age of general digitization, IT security is a challenge that all companies have to face, from medium-sized machine manufacturers to IT giants like Google. As a company, showing that you are addressing the issue of IT security appropriately helps your image far more than it hurts it. Through ethical hacking, an organization demonstrates its desire to strengthen its cyber resilience.
Argument 5: ISO 27001 and TISAX also require penetration tests
In general, the understanding of penetration tests is growing. Standards such as ISO 27001, which deals with the information security management system (ISMS), require both incident-related security checks in the event of changes in the company’s own IT and regular checks. Accordingly, regular pentests are necessary in any case for certification according to ISO 27001. In addition, ISO 27001 has its counterpart in the automotive sector in the “Trusted Information Security Assessment Exchange” (TISAX). TISAX is an industry-specific ISMS standard of the German Association of the Automotive Industry (VDA). TISAX certification also requires penetration tests.
Argument 6: Properly designed pentests work
In any case, if you decide to conduct a security audit using ethical hacking, it sends a positive signal. However, the design of the test needs to be carefully considered. When selecting suitable pentesters, it is advisable to look not only at their theoretical certifications, but to place particular emphasis on their practical experience. It is also important not to artificially limit the scope of the test – for example, by excluding legacy systems. After all, no attacker would think of excluding legacy systems still in operation as potential attack vectors; on the contrary.
In addition, pentests require to choose between white box and black box approaches. In the case of the former, information, data or source codes are already available to ethical hackers. Such a whitebox test is recommended, for example, if you want to specifically determine how secure a completely new application is. In contrast, a black box approach may be advisable in independent follow-up audits, for example, if the scope has already been thoroughly audited in the white box process and the organization has already taken appropriate security measures. Between these two extremes, of course, a wide variety of options are possible.
In conclusion, it can be said: Ethical hacking has become an indispensable part of the cyber security toolbox of companies and organizations. In the process, pentests document the commitment to cyber resilience not only to certification bodies, but also to the public and interested stakeholders. It is high time that companies finally break the nonsensical taboo around penetration testing and aggressively communicate their commitment to cyber resilience. Because a well-made pentest is always something useful.
This article by Ventum expert Michael Niewöhner also appeared in Funkschau.
Manager at Ventum Consulting and expert in Cybersecurity