The Kill Chain is the cybercrime thriller from Scotland’s newest writer, GJ Scobie, published by Darkstroke publishing, in the summer of 2022. This blog post is one in a series called Facts behind the Fiction, in which I take an aspect of the plot and provide factual background material, giving an insight into the real world of cyber security and those who work tirelessly to defend our networks and data.
So, what is pen testing?
In the novel we discover our main character, Jacob Anderson started his career as a pen tester. The term is short for penetration testing and involves attempting to break into computer networks and systems, to demonstrate where these are vulnerable to attack and suggest actions to take to better secure them. There is an agreement between the tester and the company hiring them, a permission to test document, to ensure both parties are in agreement. Without this, the legality of the pen testers actions could be called into question. It is important to stress this. Hacking computers is illegal. Pen testing is a contractual business agreement between both parties, so do not go off and try and hack systems that do not belong to you and you have no permission to do so.
Pen testing is often categorised by the terms, black hat, white hat and gray hat. Black hat is a test carried out with little knowledge of the target and is designed to emulate the remote cyber criminal. White hat is a test carried out with full knowledge of the systems that are being targeted. Gray hat test involves some knowledge and typically involves being given accounts and then an attempt at privilege escalation. There are sound reasons for each method and companies will often use a blended approach of all three.
In the world of hacking, the term black hat denotes a bad guy, who hacks with malicious intent for personal gain; a white hat is a good guy, an ethical hacker who aims to improve security and operates with that all important permission. The gray hat hacker is kind of blurred in between and may act to find vulnerabilities and then report them via responsible disclosure. As noted above, hacking into other people’s systems is illegal. Some firms have bug bounty programs, where they encourage hacking of certain systems or applications on the understanding the hacker provides the results only to the firm allowing a fix to be made. Payment is then made to the hacker for the responsible disclosure.
Next time, honey traps. What are they?