Each business has its own vulnerability. Damien Gitter, Technology Leader, Senior Ethical Hacker at Telindus practices cyber-intrusion at companies, startups and e-commerce, and challenges their IT infrastructures to better protect them against “real” hackers.
Photo: Damien Gitter, Technology Leader, Senior Ethical Hacker at Telindus / Credits © Telindus
How do you conduct your customer intrusion tests?
We put ourselves in the shoes of an attacker who will try to steal vital information from a company, or harm its activities and assets. Concretely, depending on the budget allocated by the client, we target its most sensitive elements, trying to detect all existing vulnerabilities and identify all possible intrusions by cybercriminals. We then provide an evaluation of the security level, at time T, of the target entrusted to us.
Once your attempted break-ins have been carried out, what feedback do you give to your “victims”?
We deliver a report on the duration and depth of the intrusion test, with an analysis and recommendations. The document contains a summary of the tests carried out, with supporting evidence, a list of the flaws detected and the problems encountered, as well as our recommendations. More generally, once the vulnerabilities have been identified, we provide remedies, knowing that these patches can generate new vulnerabilities. For this reason, we also carry out a second analysis, once the patches have been put in place, to ensure that security levels are in line with our recommendations and that the vulnerabilities have disappeared.
How regularly do you think these tests should be performed?
According to CSSF recommendations (banking and insurance), SWIFT requirements (banking) or ISO recommendations (all activities), tests should be performed after each major change in the IT infrastructure. This could be a new version of the system, or the implementation of new functionalities that will have an impact on the core business or that will offer new services to users, because the addition of new functionalities generates new risks of vulnerabilities. Each new step in a continuous development and improvement process should imperatively include the security and protection component. If this is not integrated, it will have to be done at some point.
Why do startups or SMEs come to you?
Very often, small companies are so busy developing that the question of security seems more than incidental to them, and very much on the fringes of their activities. They therefore call on us because investors, customers or partners have asked them about their security levels.
What types of intrusive interventions do you offer them?
Depending on their budget, and to help them as well as possible, we target the main part of their assets and their activities: their website, their Wi-Fi network, all the logistic and physical elements of their connected infrastructures. In particular, we test their e-mail infrastructure, their cloud environment and all public IPs. For this, we also take into account their business models, because hacking a website will not have the same impact for an e-commerce platform, whose business relies on this portal, as for an SME that uses a web page simply to publish a photo and its contact information.
What vulnerabilities are startups particularly exposed to? And, what solutions do you propose?
These are usually linked to their websites and their e-mails: this is their core business. So our tests will focus on these two elements. Unlike larger companies, there are no buildings or heavy IT infrastructures at stake.
Given that entrepreneurs are specialized in IT and IT development, isn’t there a risk that they overestimate themselves and underestimate the vulnerability of their infrastructure?
Attackers exploit the weaknesses of their targets. So even experts working in IT are not immune to attacks or bad practices. You have to know your limits and it is important to always have a critical eye. The audit is thus essential to keep a healthy objectivity whatever the core business of the audited companies. Whether it’s for password protection or to quickly spot phishing and scamming attempts at the president, everyone can benefit from an audit.
Finally, what advice would you give to startups and e-commerce companies to protect themselves?
You can have a strong level of protection without putting a lot of resources into it. And affordable semi-professional hardware is enough to offer a fairly high level of security with a good layer of redundancy. With a few security applications in place, you can have a sufficiently secure website and easily avoid more than 90% of cyber attacks. In the current period and in the future, the protection of startups and e-commerce companies, as well as that of their customers, requires better risk prevention. It is essential to implement the means to detect any anomaly as quickly as possible, in order to provide an effective response to each potential incident and make security part of a continuous improvement process.