Should Pen Testers Think Like Hackers?

It’s no secret that hackers pose a serious threat to just about anyone who stores information online, from companies all the way down to the individual. Equally unsurprising is that as technology grows ever upwards, so too does the hacking community. These two facts lead us to the obvious question; how can one protect important information from hackers? The answer many have come to agree on is penetration testing. And practitioners of this new form of testing should, perhaps, be encouraged to think like hackers themselves.

should pen testers think like hackers?

What is penetration testing?h2

In short, penetration testing (pen testing for short) is the practice of probing your own systems with the same technology and skills that hackers might use to attempt to break into your systems. Pen testers are those who would proudly tote the skills of hackers, but instead use them to highlight errors in need of repair and holes in need of patching.

In general, the two primary goals of pen testing are to gather information on your system from an outside perspective, and to gain insight into how best to defend your information. At the end of the day, it’s very advanced probing and info-gathering for the benefit of the company, and especially their IT department. But, is this really the best solution?

What sort of risks are there?

Well, the misgivings some people might have about pen testing are obvious, and not at all unwarranted. To pen test effectively would be to essentially pay someone to hack your own system, to dig into all the information you’re trying to protect. It’s very much like crashing a car in a controlled environment to see where the car’s weaknesses are, as to allow you to reinforce those deficiencies for when it really matters.

But is that worth it? You’d be placing a good deal of trust in whoever is doing it, be they a single man or a team. If they chose to take the chance they’re given to actually hack you, what could you possibly do to stop them? Perhaps even more worrying, what if they did the job as advertised, but decided to keep all of the best holes in your system a secret from you, for their own later use or to sell out to others? Clearly, there are many inherent risks in testing like this, and especially encouraging pen testers to think like hackers in the process.

How about the benefits?

Herein is why plenty companies still choose to follow through with pen testing, regardless of the risks. It is exceedingly effective when done well. Assuming a pen tester has done their job properly, their process can easily reveal any number of security hazards or failures which might have threatened your confidential information in an infinite number of ways.

If you’ve found a pen tester at least as good as the average hacker and let them go through with their work, then you’ve guaranteed your system is secure against any hacker of equivalent skill to the one who did your testing. In and of itself, that is a very enticing offer to wave in front of someone.

So, what’s the problem?

Here’s where the real conflict arises. It’s obvious that pen testing is effective and certainly worth going through with, but how should pen testers themselves pursue their trade? Should it be a clinical, highly organized approach? Should they slapdash their way through a test to get as close to basic hacking as they can? What sort of mindset should a pen tester approach their work with in the first place?

On the one hand, you would obviously prefer that a pen tester simply do their job in the most straightforward way possible, and they’d likely prefer that as well. After all, you don’t throw your car into oncoming traffic during crash tests, do you? You just use a static wall or target, even if that isn’t the most ‘realistic’ thing for a car to crash into out on the streets.

But on the other hand, hackers are certainly clever and they approach situations uniquely. If their mindsets and techniques were easy to understand and protect against, we wouldn’t need these tests in the first place, would we? Encouraging pen testers to think like hackers themselves would, by extension, tighten defenses against exactly the sort of things hackers would try. So which way should they go about doing it?

Really now, how should they think?

What it comes down to is necessity and choice. Certainly, pen testers do not need to think like hackers to accomplish their jobs well enough. Any professional who knows what their doing could simply do their job to the level best of their ability and make the improvements that anyone naturally sees fit to make. But that isn’t all that they’re able to do, is it?

For pen testers to think like hackers is unnecessary, but highly valuable. It can increase the thoroughness of your information gathering plenty of times over by virtue of the more in-depth, intricate methodology of their approach. This extra precaution is not needed and for some, it will always pose an unnecessary risk to encourage pen testers to think like hackers. For others though, this is the only way to ensure the safety of their information from those looking to invade their privacy and to steal it.

In conclusion, pen testing is a modern form of invasive information gathering which probes the defenses of systems and servers and just about any other method of information storage to find weak points which hackers might exploit. It has many clear benefits and is perfectly applicable for most modern businesses and companies, but carries with it some obvious concerns in terms of the risks it might pose and the mindset of its users.

In the end, pen testers can achieve a much more thorough, precise result by exploring and utilizing the mindset of professional hackers than they could otherwise produce. Whether or not that pay-off is worth the risk will ultimately be up to those calling the shots for their information.

Comments are closed.