Computer Futures

The Growth Of Penetration Testing

The mining of sensitive personal data belonging to some of Hollywood’s great and good brought the subject of data security into the public eye once again. The invasion focused on a hack into data held on personal user accounts stored with Apple’s iCloud. Inevitably attention in the technology world has shifted to the credibility of Apple’s defences, with the most common question being: could Apple, and other companies, do more to ensure data integrity?

In ‘doing more’, companies holding vast data sets often invest in what is known as penetration testing. This is the use of various tools that probe the defensive solidity in place to protect computer networks, systems and web applications from intrusion.

The emergence of penetration testing, and evolution into a business need

Penetration testing first evolved along with the creation of large networks of data in the 1980s and 1990s. The US Defence Department undertook some of the largest penetration testing schemes during this period, and the commercial sector soon followed suit.

It is now commonplace for companies to seek to test their security systems regularly, and it comes as little surprise to learn the cost of failing to maintain system and data integrity. A CSI / FBI report into the costs to US businesses of standard security breaches estimates that costs would amount to $350,000 per organisation.

The need for the services of companies, and in-house tech talent, that can fully test, diagnose and troubleshoot weak security has led to a private sector penetration testing market place valued at $3billion in the US alone in 2013. The global picture truly reflects the total commercial rollout of penetration testing more starkly. Cyber security requirements for private business and Government institutions such as defence, public healthcare bodies and transport systems amounts to a market worth nearly $68billion.

Penetration testing as an ethical hacking career choice

Only five years previously, the debate in IT circles was about the worthiness of ‘pen testing’ at all: those discussions seem spurious now in the face of events like the Apple iCloud hack, the 2011 rip of one million Playstation account holders, and the seemingly constant waves of Chinese cyber attacks directed towards US institutions and businesses.

Naturally, penetration testing has evolved to try to meet these threats. From first being applied to simply uncover and thus identify weaknesses in networks security, penetration testing now commonly involves exploiting those holes to fully expose an organisation’s IT infrastructure.

Additionally, the sheer variety of industries requiring penetration testing services means there is no such thing as a ‘one-size fits all’ approach. The financial services industry is a good example of this need for bespoke solutions. As a heavily regulated industry there is a strong emphasis on stringent cyber security infrastructure.

Companies are also seeking to benefit from the first generation of ethical hacking graduates now active in the job market. Known as ‘white hats’ in Internet slang, ethical hackers are IT graduates trained up and skilled to come on board often as in-house technical support for cyber security within businesses. Degree courses in ethical hacking are found throughout the university systems of countries such as the USA and the UK, and it is likely that these ‘good’ hackers will play an important role in how businesses and Governments confront the hack threats they face.

Is penetration testing set for an overhaul?

In the immediate future, it is unlikely pen testing will undergo totally radical change, but it will evolve. Many businesses will continue to develop in-house cyber security protocols via ethical hacking teams, or traditional external support services. However, the value of so-called bug hunting hacking communities could mean that the real cutting edge in combatting cyber threats will come from less corporate sources.

These so-called bug bounty hunters – the most famous of which is probably HackerOne - are hackers who, for financial reward, notify businesses like Twitter and Facebook about security flaws. In some cases, as in the HackerOne example, these loose collections of globally dispersed pen testers are working into a huge business stream that has retained client lists as a legitimising factor.

What is clear, though, is that the constant rise in cyber crime means that pen testers, ethical hackers and bug bounty hunters will have a very busy future ahead of them. In many cases, it may also be a lucrative one as well.