HK firms drag feet on pen testing

Industry insiders say Hong Kong companies are vastly reluctant to undergo penetration testing to determine the resiliency of their IT environment against cyberattacks.

“Most of the time, companies only carry out basic assessment to fulfill audit requirements, which is not enough,” said Anthony Lai, a white hat and general manager of Knownsec Hong Kong, as well as founder of VXRL.

Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.

Mandatory requirements are the major driving force that compels companies in the city to bring in penetration testers to hack into their systems.

“The number of organizations who take cybersecurity seriously enough to carry out regular penetration testing, without having a regulator of some kind at their back, is unfortunately extremely small. Cybersecurity is typically lauded in public, but ignored in private. This has to change, but having given hundreds of talks about cybersecurity, it is clear to me this is not a change which is coming anytime soon, unless there is widespread government regulation,” said Michael Gazeley, managing director of Hong Kong-based Network Box.

According to Gazeley, a significant number of Network Box clients undergo penetration testing once a quarter. And they are almost universally motivated by regulatory requirements. The company sees a lot of penetration tests being conducted on payments systems in compliance with the Payment Card Industry Data Security Standard (PCI DSS).

According to Lai, penetration tests on web applications and internal networks are the most common in Hong Kong; they normally run between seven and 30 days depending on the scope of the engagement.

And companies have to take several things into consideration.

“They need to know which systems and/or applications are critical to them according to risk level; whether they have already done any security assessment before and carry out baseline monitoring and hardening; this is important. Then, they have to decide whether production or testing sites are available for us to test, and whether they want a black box test or not, a complete simulation of an attacker to get into the system,” Lai said.

For Gazeley, the most obvious consideration would be to determine if a company is ready for a penetration test.

“Like every kind of test, it is no use entering the testing phase without any idea of what is going to be tested, nor what is required to pass the test,” he said.

Fear of negative results

According to Gazeley, one challenge they encounter is the varying quality level of penetration tests.

“From our standpoint, we are usually the third-party managed cybersecurity service provider standing on the sidelines, waiting for the test results, which we then help analyze and explain to our clients. Just as not all cyber security systems are of equal quality, not all penetration testers are of equal quality either; it is not uncommon for us to find problems with penetration testers’ work,” he noted.

From the company’s perspective, Lai meanwhile observed that doubt is often cast on whether the penetration testers have obtained sufficient findings.