Popular media does a great job of contrasting the typical auditor and hacker. The former is highly organised, carefully dressed and wedded to lists, rules and standards. The hacker is in many ways the total opposite. He or she is extremely casual, harbours disdain for order, rules and hierarchy of almost any kind, and embraces uncertainty and ambiguity.
So it’s hard to imagine the two working together. But if you want to address cyber security needs effectively, that’s exactly what needs to happen: auditors and hackers working together is the best way to build resilience into an organisation’s cyber security posture.
Companies have adopted the term ‘resilience’ to convey a sense of next-generation protection and to address the reality that, nowadays, preventing attacks is not guaranteed. With an expanding number of zero-day exploits, increasingly sophisticated social engineering tricks, massively resourced adversaries, and exponentially expanding attack surfaces (thanks to the internet of things), preventing all attacks is history.
However, the resilience I’m describing is not about how well an organisation’s teams coordinate their response in the face of an attack, or how a company’s systems are designed to monitor changing environments, or even how big data analytics can be used to scour your web traffic, software and endpoints for weaknesses.
I’m not referring to resilience generically; I’m using it to describe a very specific approach, and this approach involves auditors and hackers. Neither in isolation can provide the kind of protection – the kind of resilience – that organisations require today.
Auditors who come to assess an organisation with lists developed by national authorities, international standards bodies, or any other prescribed rules are great at scoring and quantifying. They can provide data to decision makers on what needs to be done to improve the security posture and to say ‘this system is compliant’. But as we all know, just because a company’s password regime has ticked the regulatory box, doesn’t mean every employee’s password will stand up to the persistent determination of a clever hacker.
This is the trouble with compliance. It’s certainly better than nothing, as it sets a minimum floor of cyber security protection. But being certified compliant does not mean the organisation is impervious to breach. It’s why you can win the compliance battle and still lose the war to a successful breach.
On the other hand, penetration testing (pen testing) by white hat hackers is recognised as a crucial tool for determining how prepared an organisation is against attack. And yet, by itself, it leaves an organisation without a methodical way of knowing what it got right and what it got wrong. If the pen test does succeed in hacking a user’s password, it doesn’t provide a measurable way to understand why the security failed and whether there is a systemic fault in the organisation or just an isolated case.
A company that has received all ‘A’s for compliance with applicable standards and regulations doesn’t really know if it will hold up against an attack. Meanwhile, the results of a pen test don’t give organisations a comprehensive list with which to quantify what went right and wrong. Without such a methodology, being sure you’re making the right changes is exceptionally difficult.
By combining the competencies of auditors with hackers, a fuller, more positive picture emerges. Entities are able to gain confidence that their networks have been tested from almost every possible angle, through a framework that methodologically scores their posture against all relevant standards and regulations and quantifies, via a clear format, why some areas were successful in defending against attack and others weren’t.
To be frank, this approach isn’t new – it’s just new to IT and IoT. Oil and gas, aviation, and new drug development – just to take a few examples – have all used similar systems. A system is modelled, and then months and even years are spent imagining and testing the model against every conceivable scenario.
By embedding advanced, intelligent pen testing within an auditor’s meticulous framework, entities gain quantifiable insights into their organisations’ strengths and weaknesses, along with the confidence that comes from some of the most rigorous pen testing available.
Auditors and hackers need not be the best of social friends, but when you want to make sure your organization is resilient against cyber attack, you definitely want them in the same room together.