1. What is ethical hacking?
“Ethical hackers look for the security holes in websites, mobile applications, and (wireless) corporate networks,” explains Sander Van der Borght, ethical hacker at Davinsi Labs. “We use the same tools and techniques as malicious hackers and report any vulnerabilities we find. We also run phishing campaigns to build and measure user awareness. End users remain a very vulnerable link. In this way, we help companies to protect themselves against hackers with bad intentions.”
“Ethical hackers use the same techniques as rogue hackers to expose and repair vulnerabilities in your cybersecurity.”
2. Security scanners or ethical hacking?
“The human brain still reasons better than a computer and can think out-of-the-box,” explained Sander. “Automatic scanners do not take the operation or context of an application into account. They are an added value because they can scan many assets and large volumes in a short time. However, they provide no guarantee about the quality and depth of the results. For example, we might find a vulnerability that allows us to create a user with more rights than originally allowed. Or we are able to look into orders or invoices of other people. These types of vulnerabilities are very serious and are called business logic vulnerabilities. A scanner does not find these kinds of vulnerabilities and as a result a lot of things stay under the radar. If you want to be compliant, you need to have penetration testing done.”
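The business logic vulnerability Sander describes, as an added example that is not part of the interview: a constructed invoice lookup that checks only that the caller is logged in, next to the corrected handler that also checks ownership, together with what a generic scanner observes (a status code) versus what a human tester checks (whose invoice came back). All users, invoices and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount_eur: float

# Constructed sample data: two customers, one invoice each.
INVOICES = {
    1001: Invoice(1001, "alice", 120.00),
    1002: Invoice(1002, "bob", 980.50),
}

class Forbidden(Exception):
    """Caller is authenticated but not allowed to see this object."""

def get_invoice_vulnerable(session_user, invoice_id):
    """Business logic flaw: checks that someone is logged in, never who owns the invoice."""
    if not session_user:
        raise PermissionError("login required")
    return INVOICES[invoice_id]  # any logged-in user can read any invoice

def get_invoice_fixed(session_user, invoice_id):
    """Hardened: object-level authorization on every lookup; unknown ids are
    treated like foreign ids so the response does not reveal which ids exist."""
    if not session_user:
        raise PermissionError("login required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != session_user:
        raise Forbidden(f"{session_user} may not read invoice {invoice_id}")
    return invoice

def scanner_view(handler, session_user, invoice_id):
    """What a generic scanner sees: a status code, with no idea whose invoice it is."""
    try:
        handler(session_user, invoice_id)
        return "200 OK"
    except Forbidden:
        return "403 Forbidden"
    except KeyError:
        return "404 Not Found"

def cross_tenant_read(handler, session_user, invoice_id):
    """What the human tester checks: did this user get back someone else's invoice?"""
    try:
        return handler(session_user, invoice_id).owner != session_user
    except (Forbidden, KeyError):
        return False
```

Against the vulnerable handler, alice requesting bob's invoice 1002 yields a perfectly normal 200 response, which is exactly why a scanner keying on status codes reports nothing, while `cross_tenant_read` flags it.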
3. When is it best to have your company ethically hacked?
Sander: “One test unfortunately does not give a conclusive guarantee that your policy is foolproof. Hackers invent new tools and techniques every day. So what is secure today may have a critical vulnerability tomorrow. It is therefore important to do penetration testing regularly. It is best to start early in the development phase to have the code of your application tested and then preferably at each major change (of code and/or infrastructure). This way, you can solve problems before they occur.”
4. What about new technologies?
“New technologies are no harder to hack than existing ones,” says Stephen Corbiaux, ethical hacker and Solution Lead Vulnerability Management at Davinsi Labs. “Software continues to be developed by people and people make mistakes. The fact that the top ten threats from ten years ago are still burning today says it all. But if there is one category that is hugely vulnerable, it is IoT. It is impossible to put a number on poorly secured devices and devices that do not get security updates after two to three years.”
5. Can only large companies arrange to be hacked?
Stephen: “No, ethical hacking is indispensable in a good security strategy for SMEs as well. As a first step, we look at the crown jewels and infrastructure that are online. When an organization has sufficient security maturity in its external environment, internal assets are tested. This can be done through customized penetration testing, even for the smallest infrastructure or application.”