
Penetration testing essential for success in security arms race

Demand for security testing, which should be conducted from the onset rather than as an afterthought, is growing in Australia

The demand for security testing services is rising in Australia, as more companies seek to be agile and roll out new systems regularly without injecting unnecessary risk, according to an IBM cyber security expert.

On a recent visit to Australia, Charles Henderson, global head of IBM’s X-Force Red ethical hacking team, said security testing is essential for companies to be successful in the security arms race.

According to Henderson, the team’s Australia-based ethical hackers have so far engaged with enterprises in the finance, retail and industrial sectors, along with game developers, to identify vulnerabilities in their systems through penetration testing.

In penetration testing engagements, Henderson said organisations could take up subscriptions – some global organisations invest millions of dollars yearly on penetration testing – or bring in X-Force Red for a one-off test.

Once the group is hired, it works with the client to set up formal rules of engagement and establish boundaries for the test. “Without permission, we would be criminals,” said Henderson.

It was important that the boundaries allowed for thorough vulnerability tests to be performed. “Attackers only need a single vulnerability and they are in. We need to find every one we can,” he said.

While Henderson declined to say how many team members had been appointed in Australia, he said they were part of a global group now numbering in the hundreds, and that it was important to keep bringing in diverse talent with new thought processes.


Given the nature of the work, IBM also conducts thorough interviews and background checks when hiring new members for X-Force Red.

“We’re looking for people who have been in the industry with good references and whom we can understand as individuals, not just as testers,” Henderson said. “You have to put a process in place to make it hard for your people to go rogue.”

That is critical, as X-Force Red hires people to think like criminals. “What we do would be a crime without the statement of work giving us permission,” he said.

IBM places focus on security testing

There is a certain irony in IBM touting its security credentials in Australia after 2016’s online census debacle, where the IBM-developed census system was brought to its knees by a cyber attack.

Henderson said the census system had been developed before he joined IBM, but he acknowledged that X-Force Red did perform security testing for some IBM projects, emphasising the importance of conducting security testing from the onset rather than bolting it on as an afterthought.

The recently released Cyber Security Survey from the Australian Cyber Security Centre revealed that 90% of all Australian organisations surveyed – public and private – faced some form of cyber attack or intrusion attempt in the 2015-16 financial year.

But the report also noted that 43% of organisations tended not to identify cyber security threats or vulnerabilities before they were compromised, and 51% only found out about breaches when they were alerted by a third party.

Even so, almost three out of five organisations surveyed (59%) said they did engage in “third party/supplier risk assessments” – though it was not clear what percentage of these were formal penetration testing engagements.
