What is Penetration Testing as a Service: a new era for pentesting

Penetration Testing as a Service, also known as PTaaS, is a way for businesses to use pentesting to test the strength of their cybersecurity, with the whole pentest process taking place in a cloud-based environment. Pentesting puts cybersecurity to the test with a simulated attack on the network, web applications, and all other digital business services. In times when cybercrime can seem a lucrative business, rock-solid cybersecurity is of enormous importance. The big difference between regular pentesting and PTaaS is that the latter takes place in the cloud using an all-purpose solution. This saves significant time and costs.

Security is like a fortress?

The security of an organization's digital assets is often compared to defending a medieval fortress, where a company's network is seen as a fortress that a foreign power would like to break into and take over. Fortresses in those times were protected by moats and tall, strong ramparts. Together, these precautions ensured that hostile armies had great difficulty getting in. With every organization moving into the cloud and digital assets spread across different networks, some of them shared, comparing your organization's cybersecurity with a medieval fortress no longer holds. Another good example is the Trojan Horse. In this ancient Greek myth, Greek soldiers hid themselves in a wooden horse so that the Trojans themselves would carry them inside. The type of malware that we now know as a Trojan Horse has obvious similarities to the myth. The moral of the tale is that you can prepare the strongest of defenses, but you're ultimately only as strong as your weakest link. Do you know the weak links or vulnerabilities in your digital assets? Penetration testing, and better yet PTaaS, is an indispensable tool to find these weak links and give you the information to fix them.

What is pentesting and how does it differ from PTaaS?

A penetration test (pentest) is intended to expose any (potential) vulnerabilities in your digital assets, such as your devices, IT infrastructure, and web and/or mobile applications. An ethical hacker attempts to circumvent the security of the digital assets, for example by gaining unauthorized access to systems and data or by escalating system privileges. In this way, the ethical hacker gives you insight into the level of security of your digital assets. At its core, PTaaS is pentesting, but with this form of penetration testing the whole process is moved to a cloud-based environment. Within a PTaaS platform, you can easily start a pentest, gather real-time findings, and request retests. This way, you have far more control over the whole pentest process, and contact with your ethical hacker is made easy. Pentesting, with the increasing threat of cybercrime and cyber war, is no longer voluntary. Laws, case law, and regulations like the upcoming NIS2 force organizations to periodically execute pentests. Unfortunately, most organizations still use pentesting ineffectively. Most pentesting happens after a digital asset is developed, when it is hard to fix vulnerabilities caused by a flaw in the design. A pentest is also a snapshot: likely not all vulnerabilities are found, and new vulnerabilities will probably emerge next week. An effective pentest policy not only fixes vulnerabilities to prevent serious short-term problems. It also makes sure an organization continuously learns from the vulnerabilities in the long term and eventually embeds security in the design, development, and implementation of digital assets (shift left). In this way an organization will have fewer vulnerabilities, find vulnerabilities sooner, and fix them faster.

Pentesting versus vulnerability scanning

Organizations regularly confuse a penetration test with a vulnerability scan. The latter is an automated tool or set of tools that scans digital assets for known vulnerabilities. Some scanners can find known vulnerabilities in IT infrastructure components, others in (specific) web applications. An ethical hacker uses these tools to gather information about digital assets. Vulnerability scanners are relatively dumb: they mostly do not verify the vulnerabilities they report, which results in false positives or, even worse, false negatives, and they do not exploit vulnerabilities. Vulnerability scanners are incomplete by definition and lack human creativity. A lot of other cybersecurity tools are focused, like many cybersecurity regulations, on preventing or detecting attacks from the outside. A firewall or virus scanner primarily examines what is coming into the network from the outside. Other systems, like an IDS/IPS or a SOC/SIEM, try to detect and prevent intrusions from the outside. A pentest offers another approach altogether. With pentesting, an ethical hacker takes on the role of a 'cybercriminal' and starts to look for vulnerabilities that could be exploited. The big difference is that they are looking inwards, from the outside, to find ways to gain access. Don't get us wrong: a pentest is not the holy grail. An effective cybersecurity policy includes a coherent system of measures to identify threats, protect assets, detect possible breaches, respond to incidents, and recover from incidents. Measures can be organizational, technical, and physical.

How does Penetration Testing as a Service work?

With Penetration Testing as a Service, the whole pentest process is moved to a cloud-based solution. This means that every step of the pentest process is embedded in a cloud environment, from requesting a test, sharing findings, retests, and chatting with your ethical hacker, through to reporting. This approach to pentesting is fairly new in the cybersecurity industry. Hacksclusive is one of the few Dutch providers that offer a complete pentest solution in a cloud-based platform. So, how exactly does a pentest work in this situation? Let's take a look:

  • Preparation: Once the scope is determined and the starting date is agreed upon, an online kick-off meeting is scheduled with all parties involved. In the meantime, you can invite team members to the platform and add them to the project. During the kick-off the test is clarified and the planning is finalized. We also go through all the requirements for the test, like whitelisting our IP addresses, access to the test environment, credentials, and so on. Missing information is registered on the platform. After the meeting, the indemnification statement is digitally signed by all parties using our platform.
  • Information gathering: As soon as the test starts, a number of automated tools are triggered to gather information about the assets. In your dashboard, you can see that the status of the test has changed from 'scheduled' to 'running'. You can also see which ethical hackers are involved.
  • Vulnerability identification: Based on the gathered information, the ethical hackers start looking for vulnerabilities. In the case of a web application, they try to disrupt the 'happy flow'. They use a combination of automated scripts, tools, and manual testing. The platform helps the ethical hacker to quickly document vulnerabilities using a vulnerability database with known and/or similar vulnerabilities. New vulnerabilities are added to the database.
  • Vulnerability exploitation: All vulnerabilities are verified. Next, the ethical hacker tries to exploit the vulnerabilities. Typically this step and the previous one are executed iteratively. It is important that ethical hackers are creative in finding new vulnerabilities and in combining vulnerabilities. The platform provides ethical hackers with 'hints'. However, the quality of the hackers is what makes the difference. We like hackers with a bug bounty track record.
  • Vulnerability evaluation: Only verified and/or exploitable vulnerabilities will be reported. The ethical hacker makes sure the reproduction steps and evidence are complete and adds or updates the recommendations. A verified and/or exploited vulnerability is evaluated and receives a risk score (CVSS low, medium, high, or critical). This is done automatically. After a manual review by our quality lead, the vulnerability is published and visible in your dashboard. You will receive an alert if a finding requires immediate action. You can directly send the finding to your backlog in, for instance, GitHub or Jira.

Why should I trust Penetration testing as a Service?

Good question. Some organizations are still reluctant to use software in the cloud and to trust their (confidential) data to a cloud provider, let alone to a start-up. So why trust PTaaS, and why trust Hacksclusive? First, the formal side.

Hacksclusive has a security policy to prevent unauthorized access, modification, publication, or loss of your data. The security measures taken by Hacksclusive are based on ISO/IEC 27002 (2022) and the NCSC security guideline (2015). Measures include the appointment of a security lead, pre-employment screening, physical access control, MFA, the use of a VPN, and so on. Moreover, our platform is SOC 2 certified. Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five "trust service principles": security, availability, processing integrity, confidentiality, and privacy.

Then there is the more informal side, which from our perspective is probably the stronger reason to trust Penetration Testing as a Service with Hacksclusive: our strong focus on quality control. Within our platform, we have the best ethical hackers and we let them do what they do best: hacking. Thanks to the platform, our hackers lose less time on project management and reporting, meaning they can keep their focus on pentesting.

PTaaS is fast, reliable and transparent

Making use of Penetration Testing as a Service is a sensible first step towards building a cyber-secure business. Having the whole pentesting process in one cloud-based environment has a lot of advantages. Like most SaaS tools, a cloud-based environment gives you easy access to your projects. Pentests in the cloud can easily be requested and monitored, and findings are reported to you immediately. This way, you get full control and transparency over your pentest process.

Hacksclusive is a pioneer in PTaaS and has created an effective way for businesses to leverage Hacksclusive's expertise through an accessible and secure platform. Companies can easily gain a clear view of their digital infrastructure in an independent and professional manner.

Once you know what your vulnerabilities are, fixing them (and eliminating your risk) is a piece of cake!