With cyber-attacks increasing, ethical hacking assessments such as penetration testing are critical to help organisations to enhance cyber resilience.
We asked our Head of Pen Testing, Jed Kafetz, to outline some of the key benefits of and trends in pen testing and share some tips on how to get into it as a career.
What is ethical hacking?
As a security company with its roots in offensive security, Redscan specialises in helping organisations enhance their security posture by uncovering the exposures which may be beneath the surface and providing support to address them.
Ethical hacking involves applying an offensive mindset. That means using our knowledge of the tactics and techniques of malicious ‘black hat’ attackers to ensure our pen testing assessments genuinely reflect the way real-life cybercriminals behave.
Why is there often a nervousness among organisations to commission ethical hackers?
I think it’s because the word “hacking” is still closely associated with malicious activity. It’s commonly used in the mainstream media to refer to attacks by cybercriminals that lead to data breaches.
I think another reason that some companies might be nervous is because they are unfamiliar with the techniques and tools ethical hackers use, creating concerns about how their systems and servers will respond. There is a belief held by some that ethical hacking is damaging, but if it is scoped properly and conducted safely and to the highest technical standards, there is no reason for organisations to be concerned.
What are the main activities undertaken by your team?
The main focus of our work is of course pen testing, but within that there’s a great deal of variety, such as web application testing, wireless assessments, API and configuration reviews, and red teaming. As well as the actual pen testing, our project work involves scoping and sales calls with clients and writing and peer reviewing reports for quality and technical assurance.
Another important aspect of the role is research and investigation. We collaborate closely when one of the team discovers something new, such as a new tool, technique or vulnerability. Any intelligence that we gather is used to help enhance the effectiveness of all of Redscan’s services, including our ability to detect and respond to current and emerging threats.
What are the biggest security issues you’re seeing right now?
One of the major issues that we see all the time is a failure by organisations to enforce multi-factor authentication (MFA) on systems and applications that are exposed to the internet and process sensitive information. All systems need MFA because people have a habit of reusing passwords. If it was enabled everywhere, there would be far fewer security breaches.
Companies should have a specific business case about why they are exposing a service to the internet, particularly in their externally-facing infrastructure. While an exposed service is appropriate for a company website, for development servers or other services intended only for one other office, organisations should have firewall rules which only allow access to the intended users. Organisations should regularly assess their online presence and be able to justify why each service is exposed and to whom.
How does the pen testing team keep up with the latest attack techniques?
We have regular meetings with Redscan’s Engineering, SOC and Threat Intelligence teams. Each week we’ll look at a different aspect of security, whether that is Linux builds or 365 configuration. We share offensive tactics and put rules in place to protect against them.
We identify new offensive red teaming tactics and we make them tool-ready for our red team operations. When we’re creating our toolset to attack, we’ll create a toolset to defend it at the same time. That means we have defences for a tactic before it’s even used in the wild.
We’re always looking at channels such as Twitter and Reddit for open source intelligence, techniques and new tricks. Most new tools are announced on Twitter. We watch talks from Black Hat, DEFCON and OWASP and other organisations and stay in touch with the news through sources such as The Register.
Security is more than a job to our pen testers which means they spend time outside of work keeping up with the latest security news.
What do you find most rewarding about working in pen testing?
It’s very satisfying to know we’re helping to keep organisations safe, especially with new threats emerging all the time. Another big reward for me is dealing with vulnerabilities which are difficult to track down and play “hard to get”! We all collaborate to make sense of them. Remediating a particularly tricky vulnerability is very rewarding.
What skills do you look for when recruiting consultants?
We look for people with a strong understanding of computing, networking and software development. First-principles thinking is essential, because if you don’t have the foundations in place, it’s harder to troubleshoot effectively. A passion for security is something else we look for. It’s also important that a person has very effective communication skills. While we’re ethical hackers first, we’re also consultants, so we need to be able to communicate effectively with clients throughout the pen testing process.
Tell us about your own career path
After studying Ethical Hacking at Northumbria University, I became a Pen Tester at Pentest Ltd. As the only junior in an office of four seniors, I went through a very steep learning curve in the foundations of pen testing.
After about a year and a half, I moved to IT Governance where part of my role was mentoring other pen testers. I then became a Senior Consultant, which allowed me to hone my scoping and quality assurance skills and my knowledge of PCI DSS. This was then followed by a move to Redscan as a Senior Consultant.
At Redscan, alongside my pen testing responsibilities, I am involved with creating internal policies, procedures and methodologies to streamline our offensive capabilities. This year, I stepped into the role of Head of Pen Testing.
Do you have any advice for people interested in becoming a Pen Tester?
I would advise them to start with the basics first rather than going straight into taking part in bug bounties and Capture The Flag challenges. Start by reading The Web Application Hacker’s Handbook and Network Security Essentials. Gain an understanding of the first principles of networking and web application development, then familiarise yourself with the work of the OWASP Foundation, including the OWASP Top Ten.
Once you understand the principles, take part in CTF events and bug bounty programmes and look at studying for a professional qualification such as CREST CRT.