For AC3 penetration tester Elias Ennebt, there is a thrill in trying to crack the code and get through the barriers. In the long run, however, his work can be vitally important for those businesses that have potential leaks.

The role of penetration tester is a very specialised one, he says. “It’s a simulated attack against a system or endpoint,” Ennebt explains. “For example, I perform a simulated attack on a web application that a business holds and manages or a server within a cloud, or even a server on-premise.”

It’s an important role, but he’s often not given much clarity when it comes to the brief for the attack. “I’m not provided with any information about the system,” Ennebt says. “So, without any information, I’ll attempt to hack or compromise the system. Or just leak any information in there.”

What sort of organisations should be looking to invest in this kind of system? Ennebt says it’s dependent on the industry. “For the financial sector, take a large bank for example, they have a reserve talent for their exercises. They do it at the end of the software funnel,” he says. “But when it comes to it, at the end of projects that have been built and delivered, these institutions should consider using penetration testers.”

In something like the healthcare industry, however, the system is being built in a hospital. So, penetration testing will come at the end of the process, before and during all the assurance activities. “Cyber hacks are always going to happen. They aren’t going away,” Ennebt says. “But it’s not as simple as just doing them for the sake of it; you should be doing them for the customers’ trust.”

General assurance is where penetration testing fits into the cyber security framework. “Penetration testers should be working with the risk team, the managers and any internal security teams as well,” Ennebt advises.

FROM THE CYBER WORLD TO THE REAL ONE

While most penetration testing involves trying to hack into the business remotely, there are also penetration testers who attempt to actually break into an on-premise site. “There are some people who do it physically, so you’re physically jumping over a barbed wire fence,” says an excited Ennebt.

Has he ever done this too? “I haven’t! But, even if I had, I couldn’t tell you,” he replies, with a wry smile.