Learn more about how penetration testing can keep your charity safe from cyber attack
Security vulnerabilities in your charity’s IT systems could leave it at the mercy of cyber criminals. But how do you know whether there are any? That’s a particularly important question to ask when staff are working from home for the first time due to COVID-19.
The best way to find out is to use a technique called penetration testing. This involves getting a qualified person with the hacking skills of a cyber criminal to try to break into your systems, to see if they can succeed.
There are two ways to carry out a penetration test: you can use a member of staff if they have suitable skills, or you can hire outside penetration testers to carry out the test for you.
If you want to carry out your own penetration tests then there are a number of cyber security tools which you can use, including automated penetration testing tools which search for various known security weaknesses and then attempt to exploit them.
The benefit of this approach is that it can be relatively inexpensive, but, inevitably, there are drawbacks. Firstly, a member of staff is very unlikely to be as skilled as a real cyber criminal who spends all their time coming up with ingenious new ways to hack into computer systems.
And, secondly, it is very difficult to carry out cyber security testing and find weaknesses in a computer system that you know intimately. That’s because you can become blinded to vulnerabilities that a fresh pair of eyes might spot relatively quickly. "There is an issue when internal people test things because they fall into a pattern of testing and tend not to find paths through less valuable assets," explained John Pescatore, then a security expert at Gartner.
Charities like Comic Relief, therefore, use external penetration testers to probe their systems. "We collect millions of pounds worth of donations every year so it is vital that the systems we use are as secure as they can be," said Nigel Matthews of Comic Relief. "Assessing and mitigating cyber risk for a charity like Comic Relief is a huge task and we couldn’t do it without [penetration testing company] NCC Group and its world class experts."
The main downside to hiring outside penetration testers is the cost. The right penetration test may cost thousands of pounds, but if it prevents your charity from falling victim to cyber criminals then it could be a very sound investment.
Hiring the right outside penetration testers is not as easy as it sounds. There are plenty of companies that offer penetration tests, but the test itself is only as good as the person or people who carry it out. What’s more, it’s only useful if they test the right things and provide you with the right feedback at the end of the test to enable you to act on their findings.
Here are the basic steps you will need to take:
It’s important to use a cyber security company you can trust, so get references or testimonials from past customers.
But equally importantly, it’s vital that the individuals who are carrying out the testing have the right qualifications to prove they have the necessary skills. There are many good qualifications to look out for, including CHECK Team Leader or Team Member, Council of Registered Ethical Security Testers (CREST) Infrastructure Certification Examination, Offensive Security Certified Professional and Mile2 Certified Penetration Testing Consultant or Certified Ethical Hacker.
If you have carried out a cyber security risk assessment then you may have a clear idea of the areas of your IT operations that you want a penetration tester to concentrate on. For example, with staff working remotely due to the Coronavirus pandemic you may want a remote working penetration test. Or you may need a penetration test for specific compliance testing purposes.
Alternatively, you may want advice from the penetration testing company about how your money can best be used to reduce your cyber security risk and improve your overall cyber security.
It’s also important to consider whether you want the penetration test to restrict itself to your digital IT systems, or whether – like a real hacker – it should be allowed to carry out phishing attacks or use social engineering to attempt to compromise your cyber security. (A social engineering attack involves interacting with staff directly – perhaps by calling someone up, pretending to be from the IT department, and asking them for their password.)
Scoping your penetration test clearly is the only way to ensure that the right things get tested and you do not waste money paying for tests that you don’t need.
The most important parts of any penetration test are the findings that it produces. It is imperative that these findings are presented in a way that makes it easy for you to act on as effectively as possible.
In practice, you should request that the penetration testers provide a clear description of every vulnerability that they discover, along with precise information about what you need to do to fix each one. Some of the digital vulnerabilities may be quite complex, but what is important is that you understand the solution rather than the problem. Many penetration testing companies offer free retests after you apply the recommended fixes to any problems they find, to verify that the fixes are effective.
It is also useful to request a high-level management report or executive summary of one or two paragraphs of non-technical explanations outlining the problems and the risks to the charity. This can be very useful for helping non-technical trustees and other people connected with the charity to understand why funds need to be spent fixing any problems found.
Penetration testing costs can vary widely, so it is sensible to get multiple quotes for penetration tests that are clearly scoped, with details of who would be carrying out the tests and what their qualifications and experience levels are, so you know exactly what you would be paying for.
Ultimately, you will probably only get what you pay for: an incomplete penetration test, or one carried out by an inexperienced tester, may be cheap. But it is doubtful whether it has very much value in terms of improving your overall cyber security posture.
Many companies in the UK offer penetration testing, including: