7 questions on ethical hacking
Published on 09/03/2021 in Tech, tips & tricks
Ethical hackers use the same techniques as rogue hackers to expose and repair vulnerabilities in your cyber security. Sander Van der Borght and Stephen Corbiaux, ethical hackers at Davinsi Labs explain.
1. What is ethical hacking?
"Ethical hackers look for the security holes in websites, mobile applications, and (wireless) corporate networks," explains Sander Van der Borght, ethical hacker at Davinsi Labs. "We use the same tools and techniques as malicious hackers and report any vulnerabilities we find. We also run phishing campaigns to build and measure user-awareness. End users remain a very vulnerable link. In this way, we help companies to protect themselves against hackers with bad intentions.”
2. Security scanners or ethical hacking?
"The human brain still reasons better than a computer and can think out-of-the-box," explained Sander. "Automatic scanners do not take the operation or context of an application into account. They are an added value because they can scan many assets and large volumes in a short time. However, they provide no guarantee about the quality and depth of the results. For example, we might find a vulnerability that allows us to create a user with more rights than originally allowed.
Or we are able to look into orders or invoices of other people. These types of vulnerabilities are very serious and are called business logic vulnerabilities. A scanner does not find these kinds of vulnerabilities and as a result a lot of things stay under the radar. If you want to be compliant, you need to have penetration testing done.”
The fact that the top ten threats from ten years ago are still burning today says it all.
Stephen Corbiaux, ethical hacker and Solution Lead Vulnerability Management at Davinsi Labs
3. What steps does such a process entail?
- Clear agreements are made about what exactly is to be tested.
- The penetration test(s) are started. All functionalities of an application are scrutinized.
- A detailed report documents all findings: what impact they have and how likely they are to be exploited. When it comes to critical vulnerabilities, we are contacted immediately and can guide the client to a quick solution.
4. When is it best to have your company ethically hacked?
"One test unfortunately does not give a conclusive guarantee that your policy is foolproof. Hackers invent new tools and techniques every day. So what is secure today may have a critical vulnerability tomorrow. It is therefore important to do penetration testing regularly. It is best to start early in the development phase to have the code of your application tested and then preferably at each major change (of code and/or infrastructure). This way, you can solve problems before they occur.”
Ethical hacking is indispensable in a good security strategy for SMEs as well.
Sander Van der Borght, ethical hacker at Davinsi Labs
5. What about new technologies?
"New technologies are no harder to hack than existing ones," says Stephen Corbiaux, ethical hacker and Solution Lead Vulnerability Management at Davinsi Labs. "Software continues to be developed by people and people make mistakes. The fact that the top ten threats from ten years ago are still burning today says it all. But if there is one category that is hugely vulnerable, it is IoT. It is impossible to put a number on poorly secured devices and devices that do not get security updates after two to three years.”
It is not just poorly secured IoT devices that pose significant risks. We mapped out the security trends and threats of 2021 for you.
6. Can only large companies arranged to be hacked?
"No, ethical hacking is indispensable in a good security strategy for SMEs as well. As a first step, we look at the crown jewels and infrastructure that are online. When an organization has sufficient security maturity in its external environment, internal assets are tested. This can be done through customized penetration testing, even for the smallest infrastructure or application.”
7. Do you have any real-world examples?
"For a hospital, we did a red team exercise. In such an exercise, we are given carte blanche, hacking the entire organization with all possible techniques and trying to physically penetrate buildings. At the hospital, we managed to copy their access badges to bypass the access control and break into their data center and CCTV channel.
In a more targeted assignment at a company that manages critical infrastructure, we gained access to the license plate system, were able to enter the parking lot and upgrade our badge with all possible privileges. This kind of access is worth gold to the criminal underworld, so it should not be underestimated.”
The golden key: a solid security policy
"Once you have been hacked, it is too late. All you can do then is collect sufficient evidence and try to stop the attackers. Too often, we see that a successful attack is the result of a neglected basis: no patch management or no filtering of e-mail attachments, too limited awareness of the dangers among end users. Everything starts with the elaboration of a solid security policy, whereby proactive testing by ethical hackers of your online infrastructure and applications, as well as the vulnerabilities of end users, is essential to be just that one step ahead of the adversary.”
Strengthen cybersecurity Belgium
To keep abreast of the latest developments in cybercrime, Proximus is a member of the Cyber Security Coalition. Stephen: "The Cyber Security Coalition is a grouping of Belgian companies, academic institutions and government authorities. It meets regularly to discuss the latest trends, tools and findings. This allows them to share their experiences around cybercrime on a sector-wide basis.”
Davinsi Labs is a Proximus Accelerator and helps companies achieve Digital Service Excellence through specialised Security Intelligence and Service Intelligence solutions. In today's digital world, customers expect their data to be managed with the utmost security and they want a fast, flawless customer experience. As a Managed Services Provider, Davinsi Labs offers a portfolio of solutions to achieve Digital Service Excellence for the most business-critical applications and services.