When a company hires a team of flaw-finding penetration testers, or ethical hackers, it’s important to confirm that “ethical” part.
The testers must be tested and vetted just like any other employee with access to sensitive data, according to IT pros who spoke with IT Brew. That vetting includes background checks and controls on the tools and environments the testers use.
“You’re basically trusting a vendor to attack you, right? That’s the premise of a pen test,” said Sue Bergamo, CIO and CISO at BTE Partners, which often looks for security gaps in a vendor’s networks and applications.
Pen-ultimate. Using tactics like social engineering, vulnerability scanning, and credential stuffing, a pen tester probes networks and applications for entry points and demonstrates exposure of sensitive data such as personally identifiable information and credentials, the same items an unethical hacker would value.
A report from identity and access management firm ForgeRock found that 52% of all reported breaches came through third-party partners and suppliers. (The report did not specifically identify pen testers as perpetrators in the breaches analyzed.)
A recent survey from the data security and infrastructure protection company Fortra found that 54% of respondents in 2023 conducted an annual penetration test—and that 23% of respondents change their third-party pen testing service each year.
Checks on people and tools. Bergamo insists on background checks and using written contracts, which offer a legal mechanism to take action against a rogue pen tester.
“The company needs to prove to me that they’re not just bringing in skilled people, but that they have a program within their own internal organization that’s HR-driven that vets these people,” Bergamo said.
A penetration test may involve powerful attack tools: Cobalt Strike, for example, an adversary-simulation and command-and-control framework that can deliver and execute shellcode on targets, and that red teams and malicious hackers use alike.
For Chris Novak, managing director of cybersecurity consulting at Verizon, trust is built by demonstrating the controls over such invasive tooling. Logging and alerting, for example, give the Verizon teams a way to detect when a pen tester crosses a contractual line.
“We make sure that the tools that we allow them to use on a per-engagement basis are set up with controls that match the rules of engagement we agreed to with the customer,” said Novak.
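One concrete shape such per-engagement controls can take is a guardrail inside the tester's own tooling: every action is checked against the agreed rules of engagement (scope, exclusions, testing window, permitted actions) before it runs, and every decision, allowed or denied, is written to an append-only audit log the client can review. The script below is an added illustration, not Verizon's code; the engagement ID, address ranges, hostnames and window are constructed for the example.

```python
"""Added example: per-engagement guardrails for a pen-test tool.

Every action a tester's tool takes is checked against the rules of engagement
(RoE) before it runs, and every decision, allowed or denied, is written to an
append-only JSON-lines audit log that the client can review. The RoE below is
constructed for illustration; the engagement ID, ranges and window are made up.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

ROE = {
    "engagement_id": "ENG-0001",                     # hypothetical
    "in_scope_cidrs": ["10.20.0.0/16", "192.0.2.0/24"],
    "excluded_cidrs": ["10.20.99.0/24"],             # e.g. a carved-out production segment
    "in_scope_domains": ["app.example.test"],
    "window_start": "2024-05-06T22:00:00+00:00",     # agreed testing window (UTC)
    "window_end": "2024-05-07T06:00:00+00:00",
    "allowed_actions": {"port_scan", "web_scan", "credential_test"},
}


class OutOfScope(Exception):
    """Raised when an action would violate the rules of engagement."""


def target_in_scope(roe, target):
    """True if an IP is inside an in-scope range and not excluded,
    or if a hostname is explicitly listed as in scope."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:  # not an IP literal: treat as hostname
        return target.lower() in {d.lower() for d in roe["in_scope_domains"]}
    if any(ip in ipaddress.ip_network(c) for c in roe["excluded_cidrs"]):
        return False  # exclusions win over inclusions
    return any(ip in ipaddress.ip_network(c) for c in roe["in_scope_cidrs"])


def in_window(roe, now):
    start = datetime.fromisoformat(roe["window_start"])
    end = datetime.fromisoformat(roe["window_end"])
    return start <= now <= end


def authorize(roe, action, target, operator, now, audit):
    """Gate one tool action. Appends a JSON audit record whether or not the
    action is allowed, then raises OutOfScope on any violation."""
    reasons = []
    if action not in roe["allowed_actions"]:
        reasons.append("action not permitted by RoE")
    if not target_in_scope(roe, target):
        reasons.append("target out of scope")
    if not in_window(roe, now):
        reasons.append("outside testing window")
    record = {
        "ts": now.isoformat(),
        "engagement": roe["engagement_id"],
        "operator": operator,
        "action": action,
        "target": target,
        "decision": "deny" if reasons else "allow",
        "reasons": reasons,
    }
    audit.append(json.dumps(record, sort_keys=True))
    if reasons:
        raise OutOfScope("; ".join(reasons))
    return record


def run_demo():
    """Drive the gate with a constructed sequence of attempted actions."""
    audit = []
    now = datetime(2024, 5, 7, 1, 0, tzinfo=timezone.utc)   # inside the window
    attempts = [
        ("port_scan", "10.20.5.17", now),                    # in scope
        ("port_scan", "10.20.99.4", now),                    # excluded segment
        ("web_scan", "app.example.test", now),               # listed hostname
        ("web_scan", "198.51.100.9", now),                   # never in scope
        ("port_scan", "10.20.5.17", now + timedelta(hours=8)),  # window has closed
        ("exploit", "10.20.5.17", now),                      # action not agreed
    ]
    decisions = []
    for action, target, when in attempts:
        try:
            authorize(ROE, action, target, "tester1", when, audit)
            decisions.append("allow")
        except OutOfScope as exc:
            decisions.append(f"deny: {exc}")
    return decisions, audit


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

The audit record is written before the deny is raised, so a blocked attempt leaves the same trace as a successful one; that is what lets the client's logging and alerting distinguish a tester who tried to step outside the agreed scope from one who never did.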
Justin Wynn, director at the cybersecurity advisor Coalfire, emphasizes practices like data obfuscation in reports, as well as secure file transfers and out-of-band, over-the-phone communications in lieu of email.
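Data obfuscation in a report means the findings document can circulate without itself becoming a credential dump. The added example below is not Coalfire's code: it replaces captured credentials and PII in an evidence snippet with a label plus a short keyed tag, so the client can still match each redacted item to the raw evidence handed over through a separate secure channel. The evidence text, the regular expressions and the engagement key are all constructed for illustration.

```python
"""Added example: redacting sensitive evidence before it goes into a report.

Captured credentials and PII are replaced with a label plus a short keyed tag
(HMAC-SHA256, truncated). The tag is stable for a given value under the
engagement key, so the client can match a redacted item to the raw evidence
delivered out of band, while the report itself never carries the value.
The evidence snippet and key below are constructed, not from a real engagement.
"""
import hashlib
import hmac
import re

# Constructed evidence; every credential and identifier here is fictitious.
EVIDENCE = """\
POST /login HTTP/1.1
Authorization: Basic YWRtaW46U3VwZXJTZWNyZXQxMjM=
{"user":"jane.doe@example.test","ssn":"123-45-6789","card":"4111 1111 1111 1111"}
db_password=Pr0d-DB-Pass!
"""

# Order matters: credential patterns run first so a later, broader pattern
# never sees a value that should already have been removed.
PATTERNS = [
    ("basic_auth", re.compile(r"(?<=Authorization: Basic )[A-Za-z0-9+/=]+")),
    ("password", re.compile(r"(?<=password=)\S+", re.IGNORECASE)),
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("card", re.compile(r"\b(?:\d[ -]?){13,16}\b")),
]


def tag(key, value):
    """Short keyed correlation tag; without the key it reveals nothing about value."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:8]


def redact(text, key):
    """Return (redacted_text, per-kind counts of replacements)."""
    counts = {}

    def replacer(kind):
        def _sub(match):
            counts[kind] = counts.get(kind, 0) + 1
            return f"[{kind.upper()} REDACTED #{tag(key, match.group(0))}]"
        return _sub

    for kind, pattern in PATTERNS:
        text = pattern.sub(replacer(kind), text)
    return text, counts


def leaked(text, secrets):
    """Names of any secrets that still appear verbatim in text; should be empty."""
    return [name for name, value in secrets.items() if value in text]


if __name__ == "__main__":
    out, n = redact(EVIDENCE, b"engagement-key-ENG-0001")
    print(out)
    print(n)
```

The `leaked` check is the part worth keeping in a real pipeline: run it over the finished report with the set of secrets actually captured during the engagement, and fail the export if anything survives. Pattern-based redaction alone will miss values that do not look like the patterns expect.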
It’s who ya know. Wynn also gets a feel for a pen tester’s “personal methodology.”
“You gotta vet the skills, the technical competency of a tester. And then the majority of the job, especially as consultants, is how well you interface with clients, how responsible you are,” said Wynn.
Bergamo has one set of “trustworthy” consultants that go with her on most projects—one less worry for the CIO and CISO. Bergamo often finds herself asking her peers: Do you know where your crowdsourced ethical hackers come from?
“I’m paid to be paranoid,” Bergamo said.