Interview with: Chris Gatford, Managing Director, HackLabs Pty Limited

“Many companies perform some IT system vulnerability tests, but that is not enough. CIOs must also conduct penetration tests, simulate an attack on their system and mimic the actions of an attacker without the usual dangers,” advises Chris Gatford, Managing Director, HackLabs Pty Limited. HackLabs is a sponsor company at the marcus evans Australian CIO Summit 2017, taking place in the Gold Coast, Australia, 19 – 21 July.
What issues are CIOs facing today?
Many organisations in Australia have never really focused on information security. With budget constraints and fewer staff, they often lack standard IT security controls, but we have seen significant attacks recently and ransomware is becoming a big problem. Australia is a trusting nation so people tend to click on things that show up in their inbox. CIOs must put protective and preventative controls (such as security awareness training) in place to identify security issues before they arise.
How does a penetration test differ from a vulnerability assessment? Why is it necessary?

A penetration test highlights security controls that are both working and not in place. Compared to a vulnerability assessment, a penetration test actually exploits weaknesses to determine what information is actually exposed. It looks for vulnerabilities that could disrupt the confidentiality, availability or integrity of the network. CIOs can see what happens in an attack in a safe and controlled way, and can address issues accordingly. The reason why they need to perform a penetration test over a vulnerability assessment is to actually prove beyond doubt that a vulnerability is present.
Why do you consider a penetration test both art and science?

It requires a skilful practitioner to put a hacker’s hat on, adopt the mindset, and apply it to compromising the environment. This is not something an automated tool can do; it requires intellect and out-of-the-box thinking. This is where the art of testing comes into it.
Most CIOs probably think they are doing enough to prevent attacks. What vulnerabilities do they tend to overlook?
One of the most common mistakes CIOs make is only testing their own environment, and not thinking more broadly. They do not test third parties that hold the same sensitive information from their organisation, or fail to ask them for evidence that they are performing penetration tests. This could be a provider for accounting software or billing services.
They also do not test their people. It is very easy for an attacker to get sensitive information from employees. Attackers do not need system vulnerabilities to gain access to data. CIOs should not be afraid to test employees with social engineering, not just email but also phone calls and in-person requests. The physical boundary should also be tested to make sure there are no gaps that allow an attacker into the organisation.
Many security events actually go unnoticed. Our tests are often done without IT’s knowledge, and as IT typically does not monitor systems for unusual behaviour, it rarely sees anything and is unaware that a penetration is under way or concluded until it is provided the results.
How frequently should penetration tests be done?

At least twice a year, as technologies and attacks change, and when the organisation changes applications, infrastructure or providers. CIOs must keep up to date with this. We do this daily and it is still a struggle to keep up with the industry. Therefore anyone who is tasked with managing information security on top of their existing workload just does not stand a chance.
Why IT Systems Need to Conduct IT System Penetration Tests
The Information Technology Network - marcus evans Summits deliver peer-to-peer information on strategic matters, professional trends and breakthrough innovations.

Please note that the Summit is a closed business event and the number of participants is strictly limited.
About the Australian CIO Summit 2017

The Australian CIO Summit is the premium forum bringing elite buyers and sellers together. The Summit offers enterprise and government chief information officers and IT solution providers and consultants an intimate environment for a focused discussion of key drivers for IT innovation. Taking place at the RACV Royal Pines Resort Gold Coast, Queensland, Australia, 19 - 21 July, the Summit includes presentations on aligning technology, upgrading capabilities and redefining processes, implementing the correct cloud model, rethinking IT organisational structures and navigating legacy systems.
www.australianciosummit.com
Contact
Sarin Kouyoumdjian-Gurunlian, Press Manager, marcus evans, Summits Division
Tel: + 357 22 849 313
Email: press@marcusevanscy.com
For more information please send an email to press@marcusevanscy.com
All rights reserved. The above content may be republished or reproduced. Kindly inform us by sending an email to press@marcusevanscy.com
About HackLabs Pty Limited
HackLabs was formed by industry veterans who have had extensive experience in penetration testing (approximately 30 years and over 1,000 penetration tests between them). The objective for HackLabs is to provide our customers with a world class deliverable product that empowers the IT team with the ability to fix identified vulnerabilities.

This key objective drives many of our developments such as client portals and forums as well as the instructional videos we provide our customers at the conclusion of our work. The video will help to explain the impact of the technical vulnerability as well as the process to show how to fix the vulnerability.
www.hacklabs.com
About marcus evans Summits
marcus evans Summits are high level business forums for the world’s leading decision-makers to meet, learn and discuss
strategies and solutions. Held at exclusive locations around the world, these events provide attendees with a unique opportunity to
individually tailor their schedules of keynote presentations, case studies, roundtables and one-to-one business meetings.
For more information, please visit: www.marcusevans.com
Web version of this interview: http://events.marcusevans-events.com/australiancio2017-chris-gatford