FREQUENTLY ASKED QUESTIONS
Common questions our team answer for our prospects, clients and industry contacts.
WHAT IS THE PROBLEM WITH 'POINT IN TIME' OR 'AD HOC' SECURITY TESTING?
All businesses want to remain secure. However, many only test their cyber security occasionally or for 'compliance' towards frameworks such as PCI-DSS or ISO27001:2013. Ad hoc security tests and audits are only effective at providing a 'snapshot' view of cyber health. The test results become out of date as soon as they are published. This is due to what keeps any successful business competitive - continual technology evolution and change. This fact, in combination with the constant risk of new cyber exploits coming from malicious actors across the public internet, leaves businesses exposed for the majority of the year - the time BETWEEN their usual security tests.
WHAT IS PENETRATION TESTING?
Traditional Penetration Testing involves skilled cyber security professionals researching an agreed scope of a business' technology stack for known cyber vulnerabilities. Many use 'off the shelf' vulnerability scanning software in conjunction with human expertise to produce a 'point in time' view of the known risks that are present. A traditional pentest engagement can last from a single day to a number of days depending on the scope - or complexity - of the technology estate being explored. At the end of the exploration a report is usually produced that details the cyber vulnerabilities detected as well as their severity - normally to a 'CVSS' rating.
WHAT IS A 'RED TEAM' OR 'RED TEAMING'?
A Red Team is a group of ethical hackers working together to attempt to exploit cyber vulnerabilities within any given technology target. The target is normally defined by the client, and the Red Team's 'cyber attack' is limited to a small window of time. The purpose of Red Teaming is to test the cyber security detection and response capabilities within the client's business - usually from their in-house or out-sourced 'Blue Team' or 'Security Operations Centre (SOC)' attempting to detect and defend against the Red Team's simulated cyber attack.
CAN MY BUSINESS BENEFIT FROM COVERTSWARM'S CONTINUOUS OFFENSIVE CYBER SECURITY SERVICE?
Yes. If your business relies upon frequent technology change, modern and continuous software release cycles or is a high-profile target for malicious threats, then continuous offensive cyber security such as that offered by CovertSwarm is the best step to maintaining an effective cyber security posture.
IS COVERTSWARM A PENETRATION TEST OR RED TEAM COMPANY?
Neither. CovertSwarm's service offers a blended approach to cyber research and attack from skilled ethical hackers. By combining the skillset of expert Penetration Testers with the offensive capabilities of Red Teaming at a 'nation-state' level of attack, our team works alongside our clients' technology, security and software teams to provide a unique and highly-tailored offensive security service that continuously detects risk, promotes best practices and educates in-house staff.
WHAT IS THE 'CYBER RISK GAP'?
The time between a business' traditional Penetration Test or Red Teaming engagements, during which business change or new online cyber risks can result in a risk gap forming between what the business believes its cyber risks to be and the reality of what could be exploited in its estate.
WHAT IS THE ISSUE WITH 'BUG BOUNTY' PROGRAMS?
Bug bounties are a great initiative and can fit well into a wider cyber security control set for highly-mature software engineering and security teams. Inviting constant ethical hacker attention against closed-book production environments or other in-scope targets can sound appealing. However, the highly-variable quality of testing, the risk of unknown members of the public impacting operational stability, and unstructured vulnerability reporting can induce significant workload and 'noise' onto in-house teams, who must perform time-consuming and costly triage before action can be taken (and bounties paid out). CovertSwarm recognises that some extremely talented ethical hackers exist on popular bug bounty platforms; however, ensuring consistent access to them and high quality from the platforms can be time- and resource-consuming and very difficult to achieve.
WHY COVERTSWARM AND NOT TRADITIONAL PENETRATION TESTING, RED TEAMING OR 'CONTINUOUS' PENETRATION TESTING?
One of the biggest issues within the cyber industry is that Penetration Testing and Red Teaming are still 'point in time' and usually 'remote only'.
This approach worked 10 years ago - when a business' external attack surfaces were small, infrastructure change was glacial and application release cycles slow and non-continuous.
Today we see rapid rates of continual technology change across all business verticals. It is no longer appropriate for modern, progressive businesses to use legacy methods of cyber testing that cannot keep pace with today's rates of business change, or with the speed at which malicious threat actors are now discovering new exploits.
'Continuous' penetration testing was born to try and solve this problem - but the approach is not fit for purpose: vendors in this space typically 'scan' client systems for known issues using automated tools. They rarely engage real human expertise to perform any deep analysis, and even the newest vendors in this space are only testing at arm's length - never working to understand their clients' business, technology roadmap or processes. Whilst this basic-but-modern approach can have a place within a much broader security programme, it is 'lightweight' testing and can generate workload and 'noise' while missing deep and real cyber risks that could lead to breach or compromise for a business.
CovertSwarm offers a combination of focused research and attack against each of our clients' unique technology stacks - and we own the detection of their 0-day vulnerabilities as part of our long-term engagement as their embedded offensive security team.