Whatever happened to all the white hats? A decade ago, lone-gun “ethical hackers” evolved from their risqué air of mystery to form “tiger teams” and boutique firms, as enterprises sought valuable outside perspectives to uncover system vulnerabilities.
These days, you don’t hear so much about white hat hackers. Not because firms like WhiteHat Security or Aspect Security, where I worked, didn’t prove their worth but, rather, because they did.
Today, penetration testing has become commonplace and has even splintered into vertical specialisms like mobile and web apps. Additionally, the importance of enterprise security has finally reached the corporate board level, with more tools than ever available for in-house deployment. The big consulting firms also offer the same kind of service that dedicated firms do.
Many white hat practices have been adopted far and wide. This should be a good thing, and yet with 2.3 billion records leaked in July 2019 alone, the number of IT breaches still escalates weekly.
The problem is that companies’ relationships with security consultants have become transactional, a check-box exercise whose findings often aren’t truly acted upon. The situation could benefit from enterprises rebooting their relationship with the fresh perspective that white hats bring.
Reconsider blue chip penetration
Nowadays, the same global firm that does your bookkeeping also wants to do your port-scanning and SQL injection evaluation. Big consulting firms like EY, CapGemini and IBM have been steadily entering into security testing, such as EY acquiring Aspect Security in 2018. For the C-suite, it can often make sense to seek the comfort of a big name, especially if it is already invoicing you for an existing service.
Larger firms often only do the bare minimum testing to complete a project, and that is understandable — in the security talent wars, many of the best-qualified professionals don’t want to work in big-company cultures or can get more interesting positions elsewhere. Enterprises should reassess whether going with a big gun over a specialist is the ideal approach for them.
Switch your attackers often
When companies engage outside security testers, they often make the cardinal mistake of sticking with their chosen vendor. Not only does this breed complacency, it can leave many vulnerabilities undiagnosed.
Like anyone, white hat hackers have different strengths and weaknesses. So enterprises should not leave it to a regular supplier to conduct the same tests year after year. Instead, they should be cycling through new testers every so often, so that attackers can push at different doors.
At HYPR, we change our penetration testing company every two years — getting fresh eyes on our product means complacency never settles.
Remove your hacker’s blindfold
Chief security officers who do retain a penetration testing firm often like to imagine that, by giving it as little systems architecture detail as possible, they are replicating a real-world attack scenario. Perhaps they also feel they are putting the ball in their white hats’ court to prove their worth from scratch.
Black-boxing your partners in this way is a recipe for leaving vulnerabilities undiscovered. Testers achieve the best results with white-box access and full-system permissions; they need to know all the doors to push on.
More time and contact
Another challenge with the way that enterprises engage penetration testers is that they often do so on a project basis. That constrains the testing and deliverable down into a finite window of limited time. Real bad guys, however, have nothing but time.
Testers, similarly, should be engaged frequently in a way that best approximates the luxury genuine attackers enjoy.
The worst evidence that penetration testing has, for many companies, become a checkbox exercise is that so many of them often don’t bother acting on reports that highlight unknown security holes.
One time, at Aspect, we found critical flaws for a large retail client within 45 minutes, recommending its system be taken down to implement a fix. During a busy shopping season, the client declined that option and, sure enough, was rocked by a breach several weeks later, prompting the executive in charge to suffer a career-altering event.
Despite competing resource priorities, businesses need to properly weigh acting on testers’ advice before it is too late. White-hat specialists can play an important part in reducing the chronic and growing problem of security breaches — if only enterprises would let them.
