
Penetration testing, kangaroos and tsunami

12 December 2018 - Reading time: 3 minutes

I would not say that I was at all surprised by the news that Australia's parliament recently passed new (and, apparently, some of the world's toughest) anti-encryption legislation (see, for example, https://www.bloomberg.com/news/articles/2018-12-06/australia-moves-toward-passing-law-targeting-whatsapp-signal). It was, so to speak, "in the air". Australia is not the only one, by the way: in 2016 the UK gave its authorities a "license to hack", and similar legislation is already in place in China and Russia (again, I guess no one is surprised by that either).

It looks like IT companies operating in the sunny Kangaroo Country now have no choice but, with a smile, to "provide a[ll?] necessary help" to government agencies so that they can decrypt communication on platforms such as Signal, Telegram, WhatsApp and so on. The stated purpose is, of course, very noble: it should give the agencies the technical capability to decrypt messages exchanged by organised criminals and terrorists. But here we have an interesting dilemma. It is understandable that government agencies need up-to-date technology to deal with modern, rapidly evolving threats. And let's be honest: however liberal you are at heart, you sleep much better knowing that "our" agencies are better equipped than "theirs". On the other hand, we may be creating a dangerous precedent: in the 21st century, the age of information, we are giving someone a licence to create security holes in IT systems. As if we did not have enough of those holes already.

The government will read our emails and access our data if it needs to, whether we like it or not. I see no problem with this, as it is their job and their responsibility to protect the country. But, at the same time, as a security-conscious person I do not like the idea that the same security holes can (and surely will) be found and promptly exploited by cybercriminals, because those people have no scruples and no moral obligations. They will come, exploit you, blackmail you and take everything they can, leaving smoke and ashes behind. Moreover, if you are in the IT business and one beautiful morning you wake up to discover a massive data breach, I do not think your furious customers will appreciate an explanation along the lines of "we apologise for the breach, which was caused by a backdoor installed at the request of the authorities and later found and exploited by hackers".

So, what can you do? Legislation sometimes arrives almost like an earthquake or a tsunami: you cannot really avoid it, but you can have an "early detection system" in place, be prepared and minimise the damage. I think it is imperative to have your IT infrastructure tested thoroughly and on a regular basis, including all Internet-facing web and mobile applications. Many people do not understand that penetration testing is about more than ticking a compliance box. It will not necessarily reveal every access mechanism a vendor has been compelled to build in, but it does surface the ordinary weaknesses that attackers reach for first, and it shows you how well your detection and response actually hold up. That gives you real confidence that you will be prepared when lightning strikes. And, believe me, it will, sooner rather than later. Penetration testing should never be a one-off exercise but part of a comprehensive security management programme for the whole organisation. Keep asking yourself whether your due diligence requirements are really being met by your actions. The standard of care that was considered sufficient in the past may be less than adequate in the face of today's cyber threats and data protection environment. Think ahead, put the emphasis on prevention, always try to predict the unpredictable, and stay safe.

[The article is also published on LinkedIn]