By C F Fong
Those of us who are familiar with the term ‘hacker’ understand the general public’s perception of what a hacker can do, which usually leans towards the negative. The mass media, too, often portray hackers as the executioners of all evils in cyberspace.
In the real world, there is a group of individuals with good intentions who carry out the mission to ‘hack’ for a good reason and purpose. We call them the “White Hat Hackers”.
Contrary to common belief, White Hat Hackers do carry out penetration testing, or ethical hacking, just as malicious hackers do. However, White Hat Hackers do so with the sole objective of discovering vulnerabilities in the test target, reporting those vulnerabilities, and providing recommendations and advisory to the target owner.
Penetration Testing in Malaysia
White Hat Hacker services are nothing new in Malaysia. Major financial institutions and telecommunication operators in Malaysia have engaged trusted security firms offering White Hat Hacking services for decades. The engagement frequency is usually based on the risk acceptance of the organizations themselves. With the proactive discovery of loopholes and vulnerabilities, organizations can stay abreast of the latest cyber threats and remain vigilant in combating malicious hacking attempts.
A good example is the recent “WANNACRY” ransomware attack. WANNACRY ransomware targets vulnerable and outdated Microsoft Windows systems, encrypting files and replicating itself to new targets. Proactive organizations that have been conducting regular penetration testing and vulnerability assessments would have had these outdated Windows systems identified during the testing and assessment exercises. Chances are, they would already have had these systems decommissioned or patched prior to the WANNACRY ransomware pandemic.
What is Vulnerability Assessment?
There is still much confusion between “Penetration Testing” and “Vulnerability Assessment”. To understand this further, we can walk through an example below:
A vulnerability assessment is conducted to discover the ‘vulnerabilities’, or loopholes, in an assessment target. An assessment target can range from a single computer to a network of servers and networking equipment.
As the name implies, the main objective of a Vulnerability Assessment (“VA”) is to identify vulnerabilities. A security analyst can identify common vulnerabilities by analyzing the assessment target from various angles: the computer software that the assessment target is using, its networking function, and sometimes its business functionality.
From a more technical perspective, some assessment targets may exhibit obvious vulnerabilities. For example, if the assessment target is an old and outdated Microsoft Windows XP system, the analyst can conclude that it is vulnerable to various SMB protocol attacks, plus any attacks that have emerged since April 2014, when Microsoft stopped releasing patches for the Windows XP operating system.
During the Vulnerability Assessment, the security analyst may also cross-check potential vulnerabilities on an assessment target by referring to a vulnerability database that is relevant to the assessment target. A database commonly used for this purpose is the National Vulnerability Database (NVD), which is currently maintained by the National Institute of Standards and Technology (NIST).
It is also interesting to note that the Vulnerability Assessment activities mentioned above can sometimes be fully or semi-automated.
Many software products currently on the market can be used to carry out such assessments. Nevertheless, the accuracy and relevance of the assessment results often depend on tuning by an experienced security analyst.
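The cross-check described above, sketched in Python as an added example (not code from the article or from LGMS): an inventory is matched against end-of-support dates and vulnerability records, and a suppression list stands in for the analyst’s tuning. The inventory, the records and their EXAMPLE- identifiers, versions and scores are all constructed for illustration.

```python
from datetime import date

# End-of-support dates; Windows XP's April 2014 cut-off is the one the article cites.
END_OF_SUPPORT = {"windows xp": date(2014, 4, 8)}

# Constructed stand-in for vulnerability database records (not real NVD entries).
VULN_DB = [
    {"id": "EXAMPLE-0001", "product": "windows xp", "fixed_in": None,
     "severity": 9.3, "summary": "SMB remote code execution"},
    {"id": "EXAMPLE-0002", "product": "openssh", "fixed_in": (7, 4),
     "severity": 5.3, "summary": "information disclosure"},
]

# Constructed asset inventory, as a discovery scan might produce it.
INVENTORY = [
    {"host": "10.0.0.5", "product": "windows xp", "version": (5, 1)},
    {"host": "10.0.0.9", "product": "openssh", "version": (7, 2)},
    {"host": "10.0.0.12", "product": "openssh", "version": (8, 0)},
]


def assess(inventory, vuln_db, today, suppressed=frozenset()):
    """Return (severity, host, id, text) findings, highest severity first.

    suppressed: (host, id) pairs an analyst reviewed and ruled out (tuning).
    """
    findings = []
    for asset in inventory:
        eol = END_OF_SUPPORT.get(asset["product"])
        if eol and today > eol:
            # 10.0 is an assumed top score for unsupported platforms.
            findings.append((10.0, asset["host"], "END-OF-SUPPORT",
                             f"{asset['product']} unsupported since {eol}"))
        for vuln in vuln_db:
            if vuln["product"] != asset["product"]:
                continue
            fixed = vuln["fixed_in"]
            # fixed_in None: no fixed release exists, every version is affected.
            if fixed is not None and asset["version"] >= fixed:
                continue
            if (asset["host"], vuln["id"]) in suppressed:
                continue
            findings.append((vuln["severity"], asset["host"], vuln["id"], vuln["summary"]))
    return sorted(findings, key=lambda f: f[0], reverse=True)


if __name__ == "__main__":
    for sev, host, ident, text in assess(INVENTORY, VULN_DB, date(2017, 6, 1)):
        print(f"{sev:>4} {host:<10} {ident:<15} {text}")
```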
What is Penetration Testing?
In essence, penetration testing can be described as an extension of Vulnerability Assessment.
During the Vulnerability Assessment process, the analyst gathers vulnerability intelligence about the assessment target; this intelligence can then be exploited by a penetration tester to penetrate the assessment target.
Since exploiting vulnerabilities during penetration testing may have impacts of varying magnitude on the test target, penetration testers normally follow a structured testing plan and a contingency plan while executing the penetration test. This is the clear point of differentiation between a professional Penetration Tester and a Malicious Hacker.
Malicious hackers are not necessarily concerned about the stability of the testing target, whereas Penetration Testers must always ensure that the penetration test plan they are executing does not compromise the confidentiality, integrity and availability of the testing target.
What Should I Choose: Penetration Testing or Vulnerability Assessment?
If your organization has never performed any security assessment before, it is always easier to begin with a Vulnerability Assessment, as the assessment will have the least impact on your current business operations and can be done in a shorter time period compared with conducting a Penetration Test.
New system and network vulnerabilities are discovered almost daily; we are only as secure as we were yesterday. Hence, Vulnerability Assessments should always be conducted on a more regular basis, depending on the risk tolerance of the organization.
Once your organization’s security controls become more mature in terms of security and vulnerability management, you should consider activating penetration testing to test the effectiveness of those security controls. The penetration testing exercise is a yardstick for how effective your security controls and your current remediation process are.
LGMS started as a specialized penetration testing and security assessment firm a decade ago. Today, LGMS is the single largest neutral-based cyber security firm, specializing not only in penetration testing and security assessment but also in computer crime investigation and digital forensics.
LGMS is also the first and only Malaysian cyber security consulting firm to be awarded the CREST UK (Council of Registered Ethical Security Testers) certification and PCI QSA & PCI ASV accreditation. LGMS is also the first company in Malaysia to obtain ISO 9001 quality certification for its professional services, in which Penetration Testing and Vulnerability Assessment are included.
C F Fong is the CEO of LGMS. He was given the Cyber Security Professional of The Year 2016 award, and the company bagged IDG’s CSO of The Year 2013.