For the majority of small businesses Information Technology (IT) is shrouded in mystery. I often hear business managers and owners express the view that they feel vulnerable. I know exactly how they feel! When I get in my car I just want to get from A to B; I really don't need to know how an internal combustion engine works, and I hate it when something goes wrong. So, when a client had to prove their competency as part of a tender process, you can imagine their reaction. They needed to show that they took their online security seriously, so they turned to a third party to validate the security of their online database application and website.
We come across ethical hackers on a regular basis these days. This is partly due to the Payment Card Industry Data Security Standard (PCI DSS), which requires regular vulnerability tests, but also because businesses are taking their IT security more seriously, which is extremely positive news and something we have been urging for some time.
Ethical hackers are often called upon to test business systems and identify potential vulnerabilities within them. There are three primary approaches:
- Server environment vulnerability tests
- Application vulnerability tests
- Combined server and application vulnerability tests
Obviously the last one is the most appropriate, since a web application and the server it runs on are only as secure as the weaker of the two, but most companies offering these services only do one or the other. It is pretty easy to set up a script that runs through known vulnerabilities, so for many of these businesses it is a case of aim and fire, wait for the results, and then send the client a huge, sometimes meaningless, report that does little other than scare them.
This is exactly what happened to our client, who was trying to show that they took IT security seriously! The post-test reports are often designed to scare clients into spending more and more money, so they are very aggressive. Despite being told the whys and wherefores of the test, the ethical hackers still used their standard approach, which was inappropriate (to say the least).
The client has been left feeling ripped off, to the tune of several thousand pounds, and somewhat perplexed at the high-handed attitude of the ethical hackers.
I would like to say this is a one-off instance, but I am afraid it isn't, so please take care when choosing a specialist, and if you need some advice then please contact us and we'll do our best to point you in the right direction.