Not all hackers attacking companies are bad guys; some are being paid to do so by their target. In a service known as penetration testing, a security firm attempts to access or control a client’s systems in order to uncover weaknesses that could be exploited by a real attacker.

Certain types of businesses are legally required to undergo penetration tests, but many others are opting for them too, says Brian Holyfield, cofounder of Gotham Digital Science, a company based in New York that specializes in this service. Holyfield told Tom Simonite, Technology Review’s IT editor for hardware and software, that during some large jobs, Gotham deploys three of its hackers against a company for weeks at a time.

TR: Why is penetration testing needed? Couldn’t you just tell a company which vulnerabilities an attacker would look for?

Holyfield: We aren’t looking for standard vulnerabilities. Most of the time we’re looking for code-level vulnerabilities in custom applications. Everybody has Web apps now, and the reality is that the firewall does little to protect them.

What kinds of companies do you work with?

We work mainly with banking and finance, health care, and software vendors. All sites and systems that accept credit cards are expected to undertake testing if they make more than a certain number of transactions per year. But a lot of companies are not compelled to do this. The biggest market we’re serving is companies that provide software as a service. They are being asked by customers about what they are doing to ensure it is secure.

Are customers scared about volunteering to be hacked?

The first time anyone goes through this, there is a level of nervousness and even paranoia. We have to work to get them to put aside their egos and understand that it’s not an us-versus-them exercise; we’re not trying to make anyone look bad. When a “pen test” is over, clients are generally happy that we found the problem before the bad guy.

What is a good example of vulnerabilities you have found? 

In one recent engagement, we compromised a marketing website for a major financial institution that was running on an unpatched Web server. That server was used as a jumping point to traverse through the firewall and get connectivity to systems on their internal network.

We found that one of the accounts [taken from] the Web server (we had cracked the password) was also an administrator on the vault that stores everyone’s passwords for that network. We could log in as anyone. A good lesson here is that just because a system isn’t critical doesn’t mean the server can be written off from a security perspective. Once you gain access to the perimeter box, you typically have a lot more options for attacking more important systems, since you are now behind the firewall. The other lesson is the importance of not using the same password on different systems. 

After your “attack” is over, what do you present to the customer?

We always have a written report and step-by-step screen shots and instructions that we can hand to a developer and say, “Here’s how you do it.” After the penetration test we add value by making it clear exactly what needs to be done. That compares with a classic security audit that tends to be heavily weighted toward best practice.

Are the people that do this for the good guys any different from the bad guys?

It requires not only specialized skills but also a certain type of person. It’s not that people are good at their job as much as it is their hobby, what they live and breathe. They have the desire not only to figure out how something works but to figure out how to use something [for a purpose] that it wasn’t intended for.

It’s a fine line between someone with that passion just for the sake of interest and knowledge and someone who will cause harm or try to make money. When we’re looking for talent, part of our recruitment process is a very strict background check to look for a dark side. There have been many cases where we know very talented people that we just can’t hire.

Is penetration testing becoming more common?

Yes, it is starting to become much more mainstream. One sign of that is how it is becoming easier for people to get permission from their Internet service provider, who has to know so they can understand that it is not a real attack. Today, infrastructure companies like Amazon make it very easy. If you’re hosted in Amazon’s cloud, getting permission for a penetration test is as easy as filling in a simple Web-based form.

Could penetration testing have prepared Sony for the recent attacks in which user data was stolen?

A penetration test typically focuses on the front door, but there are a ton of windows. I think Sony was actually targeted specifically. Social engineering and spear phishing [crafting messages to trick a particular person into revealing sensitive data] could have been used against individuals with access to the data. Testing social-engineering attacks is an option for a pen test, but most people don’t go for it. They already know the risks.