The Q & A is with Ilia Kolochenko, CEO of High-Tech Bridge SA – a Geneva, Switzerland-based private company which provides information security services and solutions. Founded in 2007, the company was judged by Frost & Sullivan as an industry leader and best service provider among ethical hacking providers in Europe. The company’s Software as a service (SaaS) web application security assessment solution, ImmuniWeb, is both CVE and CWE compatible by MITRE, and was introduced to the market earlier this year.
- How are hackers finding exploits in low value IT systems and using the gaps to get the big prize?
Today it’s not so easy to compromise a large company from the outside. Therefore hackers are looking for easy and rapid ways to hack: their approach is to find and exploit the weakest link in the information security perimeter.
Quite often third-parties (suppliers, partners, legal advisors) are becoming this weakest link, as information security is less of a priority for them and they often have privileged access to the corporate network of a “big fish” targeted by hackers. Therefore it’s enough to compromise one third-party to get into a big company.
- Tell us about existing vulnerability assessment tools and how they work?
The market of vulnerability assessment tools is pretty mature today: one can easily find simple, quick and free tools made by security enthusiasts, as well as complex, expensive and quite efficient commercial software.
If we are not talking about SaaS (Software as a Service) vulnerability assessment solutions, the principle of work is very simple: you install the tool, configure it for your system, run the assessment and analyze the report. The most complicated part is to analyze the report and properly follow up (fix the vulnerabilities and weaknesses discovered).
- What are the weaknesses in automated vulnerability assessment tools?
Despite huge progress in information security technologies, software (robots) still cannot be as efficient as humans.
Automated scanning software has two problems: false-positives and false-negatives. A false-negative is a vulnerability that is missed by the scanner and therefore not included in the report, they lead to a false feeling of security and are quite dangerous. False-positives are only a time-consuming issue, basically, it’s an item in the report marked as a vulnerability or weakness that doesn’t exist and was erroneously detected by the scanner. Both problems can be avoided if a competent security auditor is behind the scanner, a person that many SMBs usually don’t have or simply cannot afford.
- Why aren’t SMBs using ethical hackers?
The three biggest obstacles to SMBs making use of ethical hacking are: lack of time, lack of money and complexity of the process. Usually SMBs have many other priorities vital to their business and lack the resources (especially in IT) to manage information security in a proper manner. High-quality ethical hacking services are expensive; a competent ethical hacker will not agree to work for the price of an IT-support guy. Ethical hacking project planning and management can be complex and take a long time to finalize, long NDAs, customizing assessment scope and specific methodologies for the attacks takes time. Large companies can easily bypass all these complications, while SMBs quite often abandon the information security field when faced with these issues.
- Tell us about online hybrid vulnerability assessment.
High-Tech Bridge introduced the hybrid approach to vulnerability assessment via a new SaaS called ImmuniWeb®. The idea is very simple: enable anyone with any device and connection to the Internet to assess the security of his website or web application in a simple, fast, reliable and affordable manner. The only front-end that an ImmuniWeb customer sees is the ImmuniWeb Portal, on which one can easily sign-up, configure his or her assessment project, select the assessment date, make a payment and receive the report, no matter if he is surfing from an iPhone or PC.
Hybrid vulnerability assessment is so-named because it’s performed by our proprietary web security scanner in parallel with a live security expert who manually tests the web application. The combination of tool and human guarantees zero false-positives and tailored recommendations for each of the discovered vulnerabilities. The price of one ImmuniWeb assessment is affordable to any SMB and even to a private person.
- How is ImmuniWeb being received by the market?
The market is quite positive, nonetheless, ImmuniWeb is currently only available by invitation and people interested in using ImmuniWeb can request an invitation code at https://portal.htbridge.com/support/nonauthenticated/?invite=1 . Recently we were featured in the Financial Times and mentioned by security analyst Graham Cluley.
Here is an interview with Ilia Kolochenko, Chief Executive Office of infosecurity firm High-Tech Bridge, on ethical hacking, its importance in safeguarding IT service and infrastructure, and High-Tech Bridge’s presence at the ITU Telecom World 2013 Cybersecurity Pavilion this November.