There is a big difference between hacking and ethical hacking.
One is illegal; the other is not. One is a common method of breaching cybersecurity defenses; the other is a highly recommended way to strengthen them. And both are on the rise in New Zealand alongside an escalation in cyber attacks.
Hacking and its ethical variant use an identical method: bypass cybersecurity defenses, identify and exploit vulnerabilities, and force intrusion into applications. Their goals, however, are different: threat actors seek to perform malicious activity, while ethical hackers use their newfound knowledge of security vulnerabilities to bolster the defenses they have penetrated.
Another key difference is the presence of authorization. Before releasing an application for general use, a careful software developer will give penetration testers carte blanche to perform a mock cyber attack and break down the application’s security barriers, thus giving developers a better idea of its overall security position.
But not all software and application developers ask professional penetration testers for an assessment before launching their software, despite research highlighting the role of penetration testing in “drastically reducing” security incidents while validating the effectiveness of current security measures used by organizations.
Should organizations, especially those with high cybersecurity requirements, implement ethical hacking as an integral part of their cybersecurity approach? Insomnia Security’s security consultant Shofe Miraz says yes – eagerly and as early in the process as possible.
“In any situation where software is about to deploy, penetration testing should be done early on,” says Miraz. “It should definitely be included as part of a larger version of the security product.”
Prior to his current role, Miraz was a penetration tester at healthAlliance, Aotearoa’s largest shared services organization in the country’s public health sector. In this role, he performed testing on web and mobile applications, APIs and Docker containers. It was there that he gained a perspective on the true value of ethical hacking, working on systems encompassing the District Health Boards of Northland, Waitematā, Auckland and Counties Manukau.
It was also there that he learned that the earlier ethical hacking is introduced into the development of a system or product, the better the security results will be.
“In large organizations, security can often be an afterthought,” says Miraz.
In such cases, there could be a conflict of ideologies, as the organization has a deadline and does not want to wait until the product is deployed, even though ethical hackers have tested the product and found vulnerabilities.
But if penetration testing is built into the development phase, he says, security won’t become an obstacle later.
He has incorporated this lesson into his work at Insomnia Security, where he regularly performs penetration testing before products go into production. And this is possible thanks to a strong connection between the security, development and integration teams.
“The development team builds it, the security team tests it, the integration team deploys it,” says Miraz. “We have found that this cycle builds confidence in the end product.”
This is, by and large, the model used by the many cybersecurity companies specializing in penetration testing in New Zealand, such as Lateral Security and ZX Security. Lateral, for example, maintains that penetration tests should always be performed whenever a new ICT application, system or device is being deployed, or the configuration of an Internet accessible service has changed.
So, with these standards common to the entire ethical hacking community in Aotearoa, how are we doing on the global stage?
“It’s hard for me to say we’re the best in the world,” says Miraz with a smile, “but I’ve seen some really good work from specialist companies in New Zealand.”
Miraz says there is a special focus on the quality of reporting in Aotearoa – both in the actual data gleaned from breaching the product’s defenses and in the way it is presented to the customer. If the customer does not understand the test results, it is unlikely that any of the problems discovered will be resolved.
It also makes sense to invest in quality reports: “If they understand the problem and fix it, they will come back for retesting. It’s a win-win.”
As for raising awareness and highlighting the ethical hacking community in Aotearoa, there is Hack and Learn.
Founded by Dylan Clark, head of emulation and cyber threat defense at IAG, the Auckland-based InfoSec group was born out of Clark’s desire to form a community around those who wanted to learn more about ethical hacking. The group’s monthly sessions, where participants simulate penetration tests on specially designed servers, attracted up to 50 attendees before COVID struck.
“I really wanted to have a team of people who could learn together – a practical community. It didn’t exist, so I put it in place,” says Clark.
Hack and Learn sessions focus on web application hacking, where penetration testers (also referred to as the “red team”) follow the “kill chain methodology”: a step-by-step sequence of reconnaissance, weaponization, delivery, exploitation, installation and, finally, command and control.
“During the session, we’ll give them time to understand the logical flaws in the application, and then they can arm a payload and exploit it. We support them and make sure that everyone is at the same level.”
Clark co-presents Hack and Learn with Shofe Miraz. The duo created their own purpose-built machines with custom web apps designed to be hacked, but not easily. The apps are strictly internal and offline: the group does not attempt to breach any real apps or websites.
Clark and Miraz often reinforce this point in their sessions – the main focus is learning, not wanton destruction. Of course, creating a dedicated community of penetration testers isn’t just about teaching people about ethical hacking: it’s about increasing awareness of and interest in cybersecurity in general and, ultimately, attracting more people into the industry.
“That’s the main reason I started: to motivate people, to get them excited, to get them to learn,” says Clark. “It’s a very specialized skill set, so it can be difficult to get into cybersecurity in New Zealand.”
And what better way to get people into the industry than by exposing them to the most notorious – and, some would say, glamorous – activity of cybersecurity?
“Yeah, hacking is cool,” says Clark. “But the defensive side too.”