Insurers, investors combine to urge more pen testing; tackling MSPs remains a challenge

Pen Test lead at 6point6 Misha Newman talked us through some common finds.

Misha Newman is head of penetration testing at 6point6 – a British digital consultancy that names the Home Office, BBC, and Clear Bank as clients. An NCSC CHECK-approved provider, 6point6 has a growing security team that conducts penetration tests (simulated cyber attacks) for a wide range of clients.

Newman, 29, joined the company in 2018 after three years on the cyber defence services team at KPMG UK. The Stack joined him to chat market trends, MSPs, recruiting cybersecurity talent, and more.

What's driving the rise in demand for pen tests?

As cyber insurance becomes more popular, one of the questions they ask when defining the premium is whether the company is doing pen testing. We’re seeing quite a lot of companies who’ve thought about this for the first time, because their insurance is pushing them. There’s also a trend in the healthcare industry: GP surgeries, dentists; companies that make software supporting these sectors that are asking about services a lot more.

The government is also pushing out pen testing requirements to more and more organisations. CBEST, a requirement from the Bank of England for banks to conduct pen testing, and now STAR-FS, which is like a baby version of CBEST but for financial industry participants that didn’t have to do CBEST before, are pushing out requirements to a mix of more and less mature organisations.

What are IT capabilities typically like at less mature clients?

It’s quite a mixed bag. You get a lot of organisations that have decided to outsource all of their IT. They don’t even really know what’s going on. Some of those [outsourced] providers are quite good, helpful, and reasonably security conscious. But some are super, super defensive: they just see this as an additional cost; someone meddling with their bottom line, basically arguing that ‘the client was happy with the service before you came along!’ MSPs [managed service providers] are a real mixed bag; I wouldn’t want to put them all in the same boat as many are very helpful.

A common issue however is when your client is using a shared hosted environment -- and we need access to those back-end systems to do a proper review. If that environment is shared with other clients’ data, then the MSP basically end up saying ‘you can’t do the test’ because you need permission from every client. That’s a common thing.

With the organisations that don’t outsource their IT, we see a lot of very small IT departments in general; they’re not typically going to have a dedicated IT security person. If you get an IT person who’s security-conscious, then that’s lucky and you've got a gem. We had one client who kept delaying the test; they were under pressure from an investor to do it. Then just before we were due to finally do the test, their IT person quit... It may have been nothing to do with the looming test, but...  So for some it’s an alarming checkbox exercise; for others they really want to find as many issues as possible and take it really seriously.”

What are you typically asked to look at, and what do you find?

A bit of everything: local networks/infrastructure, key web applications… We find a lot of unpatched boxes. Or organisations where they’ve patched the operating system but left third-party applications on there which haven’t been updated for years with critical vulnerabilities. That’s very common. Password qualities being terrible and it being very easy to brute-force user accounts. Domain admins who consider themselves pretty savvy using the name of their dog for their password and using it across all high-level accounts. We still see people putting RDP straight onto the internet; by default Windows has a lot of noisy and vulnerable protocols turned on and people don’t know how to turn them off; LLMNR; not using authentication for SMB. Even just default credentials like network devices… People just setting things up without configuring them with security in mind.

You’re growing amid a skills shortage. Is it tough to find people?

At the junior levels is a bit easier: it’s quite a hot market right now are people are aware of the degrees and opportunities around. About half of our hires are people transitioning from another role: programmers who want to get into cybersecurity; people from the nuclear industry; sound engineers! There’s a lot of interest in the sector. In terms of junior people I typically look for a relevant degree, people who have done the OSCP, and there’s quite a few people around.

Certainly at higher levels, it’s pretty hard to find people, no matter what you’re paying. In the UK there are certain qualifications like CHECK that have a lot of value; people like to see that badge. It expires every three years and we’ve had issues with Covid delaying exams. We’ve had a role open for four months and haven’t found a single applicant who has the web app CHECK team leader certification. Of course we encourage junior staff to try and sit the exams, train them up, etc.

How much of an issue is MSPs who are not security conscious?

Well obviously for regulated organisations, they’re not using that kind of MSP. But for smaller providers I really think there’s room in the market for an MSP to arrive who does robust security testing so when a private equity company tells their client to get tested, the MSP can prove they have a robust back-end in place. No one seems to be demanding that of them; I think there’s a bit of a gap in the market there – for MSPs who are proactive on this stuff when they sign up clients. Because it’s such a mix out there: I’ve worked for clients who had five different brands around the country and each of those brands had a different MSP – all with remote admin access into your environment; doing patching, etc. That was an interesting test to do, you’re seeing some MSPs who have done security testing, and some who are basically one guy doing it as a side-gig.

Follow The Stack on LinkedIn