Streamline your cloud experience and maximise your cloud investment with Microsoft Azure-aligned public cloud services.
Host all of your workloads in the most appropriate location while experiencing the simplicity of one cloud from Six Degrees.
Enhance your cyber security and safeguard your organisation with our cyber security strategy and advisory, consultancy, and managed services.
Connect your business through a comprehensive connectivity portfolio delivered via our owned and operated core Next Generation Network (NGN).
Access the smarter, faster technology needed to make the most of your hybrid working future.
Streamline your hosting with comprehensive colocation services delivered from three UK data centres.
Gain clarity and control of your 5G estate, ensuring ongoing cost efficiencies are managed on your behalf through our managed service.
Gain confidence in your cloud direction and achieve accelerated time to value through our assured and optimised cloud services.
Master today’s complex threat landscape and protect your business with our intelligence-led security services.
Videos and webinars are a great way to digest the latest technology insights.
Our eBooks and whitepapers provide in-depth insights from our experts.
Our thought leaders publish regular blogs on up-to-the-minute topics.
Learn all about the latest news from Six Degrees as we continue to evolve.
We host regular in-person and virtual events for our clients.
Learn how we enable our clients to achieve more; providing superior secure solutions, powered by our passionate people.
We are proud to partner with many of the world’s leading vendors, enabling you to leverage our continual investment in difference-making technology.
Learn how CNS at Six Degrees delivers intelligence-led security services that protect organisations in today’s hostile landscape.
We are committed to operating in an environmentally and socially conscious way. Learn more about our commitments as a business.
We are proud of our secure cloud credentials. Learn why we’re one of the most highly accredited providers in the UK.
We are a friendly and passionate bunch here. Whether you want to work with us or for us, we think you’ll enjoy the Six Degrees experience.
Home » Blogs » Cyber Security Testing Ethics
A crucial part of cyber security testing is breach testing. But due to its intrusive nature, it throws up ethical considerations and can be unpopular with employees. Covert operations can be particularly controversial and must be performed with care to make sure they are ethical, secure, appropriate, and constructive.
Penetration testing (or pen testing for short) and red team testing are different forms of security testing performed by cyber security firms to find weaknesses in a client’s cyber security, to advise them and to mitigate these gaps.
Penetration testing aims to reveal security vulnerabilities in a system in a controlled and safe way. The testing usually focuses on specific targets, such as a website, external infrastructure, a particular office or mobile applications. This kind of testing helps organisations assess their current system security and evaluate the strength and efficiency of their security strategies.
Many advanced persistent threats (APTs) rely on poor security hygiene. In the latest US Center for Internet Security (CIS) Critical Controls, penetration testing is listed as a vital control against the most common threats from hackers, empowering organisations to “test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.”
Pen tests are usually carried out using a mixture of techniques. This includes semi-automated techniques such as vulnerability scanning, fuzzing (injecting invalid, malformed or unexpected inputs into a system) and port scanning to identify potential areas of weakness, combined with manual exploitation and investigation. This approach not only highlights weaknesses, but also helps to identify the level of risk associated with these weaknesses.
Red team testing is a more holistic approach to security testing. It looks at the organisation as a whole to identify weaknesses in areas like an HR or payroll system, to test an organisation’s detection and response capabilities. This type of test can also involve a blue team trying to defend the system. The distinguishing feature of a red team test is the element of surprise: the defending in-house blue team has no advance warning and treats the attack as a genuine threat, providing a real-world test of the effectiveness of a company’s security.
When allowing a cyber security company to conduct penetration testing against your firm, you’re potentially exposing personal data and sensitive information. As with any service, third party penetration testers can range from ultra-professional and secure to mediocre, or, at worst, lacking skill or actively being corrupt. That’s why it’s so important that you check the credentials of your chosen provider, to satisfy yourself that they are ethical and professional.
A low-quality provider could miss certain vulnerabilities or weaknesses or damage important information. Even worse, a corrupt provider could reveal or abuse sensitive information for their own financial gain.
Employees of companies are often opposed to red team testing, finding it intrusive and threatening. The fact that external organisations deliver it seems particularly problematic: a survey reported by IT Pro revealed that employees were happier to conduct red team-style testing themselves, targeting colleagues, than to be on the receiving end of an external programme. Working with a reputable testing partner, who can help reassure staff and explain the purpose of the testing, can help to mitigate this challenge.
With these risks in mind, take care when choosing a third-party partner to conduct either of these operations. There’s a variety of industry schemes that provide reassurance about the professionalism of a firm. The National Cyber Security (NCSC) CHECK accreditation or the CREST accreditation give reassurance that the cyber security specialist organisation employs skilled testers and has secure credentials and robust methodologies. CREST or Cyber Scheme Team Leader (CSTL) certifications demonstrate that individual testers meet high professional standards for pen testing. You can find out more about the value of external pen testing credentials in our separate blog.
For public sector and other highly regulated organisations, proof of HM Government security clearance is also vital. It offers assurance that the people you’re hiring are trusted to handle the most sensitive data.
Even with a highly trusted and expert cyber security partner, many employees find security testing intrusive, especially red team testing that’s launched covertly. Communication is key. While you need to make sure that red teaming is carried out in real world conditions, you can brief and educate staff about the principles of your cyber security testing, so they understand its purpose and value.
We strongly advocate training and awareness for all employees covering cyber security best practice and their individual responsibilities for keeping data, technology and systems secure. A general briefing about cyber security testing and what your firm does could form part of this. That means everyone understands that red team testing and pen testing help to keep employee data, customer data and commercially sensitive data and communications secure, so everyone is protected.
It’s a good idea to have a documented cyber security policy, with clear rules of engagement that define what kind of invasive testing can be carried out. Describe how your organisation maintains confidentiality and ensures that the partner carrying out the testing is trustworthy and experienced.
You should always carry out intrusive testing in a responsible and ethical way, to protect your staff, customers, data and assets.
The ethics of cyber security testing are more challenging than you might think. Penetration testing and red team testing are both important weapons in the fight against cybercrime, but they’re only truly effective when carried out by a trusted and professional provider as part of a comprehensive and continually updated cyber security strategy, including staff training and communication.
To protect your business, work with a trusted and fully certificated provider like us. The cyber security team at Six Degrees can give you advice to suit your organisation and deliver cyber security strategy, implementation, testing and monitoring services to the highest industry standards. Get in touch with our experts to see how you can protect your organisation in an ethical, effective and secure way.
Spend five minutes in the cyber security world,…
10 Microsoft Teams Hacks that will Improve Your…
Phishing and Ransomware Survival Guide 2023 In the…
More information on our Privacy and Cookies Policy can be found here: https://www.6dg.co.uk/privacy-cookies/. You can update how we contact you in the future by visiting our Communications Preference Centre here: https://www.6dg.co.uk/preference-centre/.
