I know a lot of pentesters, many of the best in the cybersecurity industry. I’ve written about pentesting in a popular book, and in so many corporate blog posts that they’re too numerous for me to name here. Now that I work for Hack The Box, I’m having fun playing with our Labs. It’s a great perk of my job to not only enjoy learning with our platform, but also to regularly have discussions with the people who design our Labs, HTB Academy courses, and CTFs. In fact, in addition to working on our blog, I’m also developing a HTB Academy course of my own. No more spoilers! Be patient.
The craft of pentesting is so much fun. If you’re a pentester, companies pay you to pretend to be a cyber attacker. It’s no wonder that more people than ever are joining the HTB Community to learn how they can enter this exciting and rapidly growing field.
Hack The Box also works with businesses of all kinds to train their cybersecurity talent and help them prepare for both pentesting and readiness for the ever evolving cyber threat landscape of today and tomorrow.
When a business is ready and well prepared, penetration testing (sometimes called “ethical hacking”) is an excellent way to find vulnerabilities a security assessment can miss. Pentesting done right can help an organization avoid becoming the next big news headline cybercrime victim, because they hired professionals to think like a hacker to find the craftiest of exploits.
But there are many misconceptions out there about pentesting and business. In this post, I will offer facts to address the myths. Then I’ll help your business by showing you how Hack The Box can help your company prepare for a pentest, regardless of your industry or where in the world you are.
Myth: Never perform a basic security assessment on your network. Pentests are always best! Security assessments are always cheap and ineffective.
Fact: Businesses of all sizes and in all industries should perform security assessments. Security assessments are typically based on a particular security regulation, policy, or standard. A company with web apps should assess their security based on OWASP’s standards and their Web Security Testing Guide (WSTG). A business with European data should assess its security for GDPR compliance. Assessing an incident response plan based on the NIST Cybersecurity Framework is probably a good idea. There are also literally thousands of other security standards that your company could perform assessments with; some will be more appropriate for your business than others. My advice is that your business should not only ensure regulatory compliance, but also run security assessments based on stricter standards and security baselines. Ensure compliance, then go beyond that. Security assessments and pentests are two different ways to test the security of your network, and neither is superior to the other in a general sense. They’re different kinds of security tests with different purposes. All companies should perform security assessments, but not all companies are ready for pentesting.
Myth: When you hire pentesters, you invite them into your network and then let them break whatever they want. Go hog wild!
Fact: Perhaps this myth is more commonly believed by laypeople than businesses, but it should be addressed anyway. Pentesters should always be given a specific testing scope and sign a lengthy legal contract which explains what they may and may not do. This applies no matter what: whether you hire an external third party to perform pentests or your company has its own internal red team, and whether you’re performing black box testing or white box testing, a specific scope must always be outlined and mutually agreed upon. Pentesting without legal consent isn’t pentesting, it’s cyber attacking. Legal contracts protect both the company being pentested and the hackers who are doing the pentesting.
In addition to this, never initiate a pentest without a plan. A pentest should always have a carefully designed plan. “Today, we’re going to see if someone can physically break into the datacenter.” “Today, we’re going to see if devices on the network security perimeter can be DDoSed so an unauthorized external entity can break into the internal network and then escalate privileges.” Your red team campaigns or external pentests should always have a particular goal or set of goals which align with your company’s specific cybersecurity objectives. Your CISO must get involved here (if you have one), as should your CTO. Also, you must keep in mind that pentesters are simulating cyber attacks! The everyday operation of your network should be prepared for this. For example, perhaps production should be shifted to different network segments accordingly, so that if a pentester puts a few servers offline for a bit, your company’s productivity and uptime aren’t significantly impacted.
Myth: My brand new ten-person software development firm needs a pentest... and a bug bounty program.
Fact: Only companies with a moderate to high security maturity level should be pentested. And only software and hardware developers with a high security maturity level, a bug report triage plan, and products or services with a very large customer base should have a bug bounty program.
Companies like Apple and Microsoft are ideal candidates for bug bounty programs; your new mobile app development startup isn’t ready. If you don’t know what security maturity is, then you aren’t ready for a pentest. There are different security maturity models that some companies use, such as the Security Awareness Maturity Model and the Gartner Security Process Maturity Model. But in a nutshell, security maturity is based on a few different factors:
How large and experienced is your company’s cybersecurity team?
How many years has your company maintained and enforced information security policies?
Does your company have an incident response plan?
Does your company have the infrastructure and systems necessary to address zero day vulnerabilities when they’re discovered?
Does your company have a thorough understanding of all the regulations that apply to it, and a strong track record for compliance?
Do you have a CSIRT?
Do you have a CISO?
Even if your company has advanced security professionals on board from day one, it takes years of diligent teamwork to build security maturity over time. Hiring a few Hack The Box trained professionals can give your company a head start, but it will still take time to build security maturity. Typically only security mature organizations are ready for pentests. An organization with little security maturity often isn’t ready yet. A pentest may find way, way too many vulnerabilities because you didn’t address most of them with security assessments first. This could overwhelm your IT and information security teams and distract them from establishing a security configuration baseline and performing initial hardening efforts. You likely just won’t be ready to make effective use of a pentest’s findings. There’s a reason why Dwayne Johnson can bench press 400 pounds while I shouldn’t try to bench press more than 50 pounds.
I may not be able to bench press more than 50 pounds now. But if I keep working out, maintain a healthy diet, and listen to my personal trainer, I may be able to bench press 70 pounds in a year. Whether your business is ready for a pentest now, or is trying to build security maturity to pentest three years from now, here’s how Hack The Box can help.
Get your IT people to start thinking like a hacker now. Even if your network isn’t ready for simulated cyber attacks yet, our Dedicated Labs and Professional Labs are. We cordially and enthusiastically invite your technical talent to do everything they can to try to break them! We have Labs designed for hackers of all skill levels, from total n00b to advanced pro hackers, and every step in between. We’re always adding new Labs to our ever-growing collection, which are designed to test the cyber exploitation skills that cybercriminals use. Our Labs are created with the specific cybersecurity testing needs of business in mind, and with new and emerging cyber threats in view. When your staff get hands-on experience with our Labs, they’ll learn how they can improve the security hardening of the networks they’re employed to defend. And in that process, your business will simultaneously sharpen your red team and build your security maturity.
Make full use of HTB Academy for Business. HTB Academy features interactive cybersecurity training courses covering a broad range of topics and skill sets. We’ve got courses ranging from Linux Privilege Escalation to Login Brute Forcing, from Intro to Assembly Language to Network Traffic Analysis. We’ve got courses that cover a variety of both offensive and defensive security areas. When your company signs up for HTB Academy for Business, your employees will have access to all of our courses. And we’re always adding new gamified educational content with the input of the many industry leading companies we work with.
If your company already has a red team or other sorts of network hacking professionals, watch out for our Business CTF competitions. We had our first Business CTF in July, and it was a smash success. We had 374 teams compete with 1621 players. We gave away £20,000 worth of prizes. And many of the biggest names in business played some sort of role or competed, from Toyota to F-Secure, from INGBank to Microsoft. Read all about it. We’re already planning for our Business CTF next year, and we’ll let you know when you can sign your company up for it.
It’s easy to find out how Hack The Box can help your business with your particular cybersecurity training needs. The first step takes only a few seconds with a simple web form.