A low hum of keys being tapped echoed overhead as the team of six penetration testers focused on just a single form in a web application for the duration of the day. The possibility of missing a single issue on the page had to be minimised: the scope was extremely narrow and the team had unrestricted choice in attack vectors – the paths, tools or approaches by which hackers can deliver a payload or a malicious outcome. The target: a multi-national bank.
Meet the white-hat hackers helping to protect computer security for companies looking to discover vulnerabilities in their systems before hackers can exploit them. Employing techniques similar to those used by black-hat groups, hacktivists and criminal syndicates, our team home in on manipulating the application in a way that might present them with a foothold into the system. By trawling through the application page by page, for weeks on end, the team also gain a unique insight into the architecture and flow of the system, including entry and exit points where hackers might focus in the event of an attack.
The initial penetration test of an organisation’s network often saves time and money further along the track if the organisation is compromised.
Our incident responders have insider knowledge of the application and are able to investigate infrastructure changes and mitigate the unauthorised transfer of data more quickly.
Internet security is a young field that allows for plenty of opportunities, which may be pursued with both good and bad intentions. The rapid expansion of internet-connected systems has given way to the emergence of multiple products and technologies, each with their own vulnerabilities and security issues. This means compromising the simple defences of high-impact systems has a low skill barrier to entry.
These days it is not uncommon to find young, energetic minds with a skill for hacking, but a failure to understand the technology they are attempting to subvert.
Often, these types of hackers who gain access to networks lacking layered security controls can take on a ‘press-all-the-buttons’ approach – leaving Industrial Control Systems (systems ranging from factory production lines to turbines at a power plant to water supply systems) or internet-connected devices in a malformed state. While this is an extreme example, organisations aim to protect against both intentional and unintentional security threats. Ransomware, cyber-attacks and hacks are not new; they have been around since the emergence of computers in the 80s, just deployed in different forms, such as on floppy disks.
The emergence of the World Wide Web created a new ‘application’ for this technology to cause havoc.
Clients regularly require particular work that fits into their umbrella scope of corporate security. Often the most offensive attack method we use is designed to create resilience in the likely event of compromise. A great example of this was a client who came into a lot of money very quickly. The organisation was unprepared for the varying threats the company would be exposed to once their influence and reach spiralled into the global market.
No longer were they just facing competitors in the commercial space, but disreputable people sought to target the company from all over the world.
To help them understand their exposure, BAE Systems ran a considerable Open-Source Intelligence operation to gauge company assets, people and technology. This project showed that while many of our security assessments involve complex methodologies of entry, the lowest-hanging fruit can sometimes have the largest impact on an organisation. In a later phase, the executive team were investigated to understand their online presence and their vulnerability to blackmail, spear-phishing and other related information-gathering threats. One of the most valuable outcomes of this activity for the client was gaining an understanding of what assets they owned as a preliminary measure, before being able to then correctly implement security controls within their organisation.
One of the greatest aspects of working at BAE Systems is the interoperability of my colleagues’ skillsets within each sector of a security assessment.
When I first walked into BAE Systems, I was greeted not by name, but rather by security specialisation. We have a specialist in web applications, the supervisory control and data acquisition (SCADA)/industrial control system (ICS) hacker, the forensics and incident responders, the mobile expert, the reverse engineer and the bug hunters, to name just a few. The flow of information between testing, understanding the clients’ security needs and incident response is often interlinked, allowing for penetration testing and incident response to work hand in hand. As with any organisation, their surface risk has a direct impact on their resilience against compromise, and we work at both angles to minimise the likelihood of malicious entry and reduce the impacts of compromise to our clients.