AFP arrest casts a pall over InfoSec industry


Due diligence


SC Magazine asked Hacklabs and fellow penetration testing firm Securus Global what due diligence they conduct on new staff.

“We take this stuff very seriously,” said Drazen Drazic, managing director at Securus.

“All staff have police background checks and reference checks. All of those are cross-referenced across industry contacts, as most people know each other in this industry.”

Candidates are often knocked back, he said, when background checks reveal undesirable traits.

Drazic said that even those candidates that pass a stringent interview process and sign up must first “sign-off on compliance to internal policies, that they understand all laws relating to cyber crime and related acts here and abroad, that they work under strict scoping conditions on all client engagements.”

Equally important, new hires agree in their contract that they have a duty of care when it comes to customer systems and data.

Gatford notes that organisations can sort the wheat from the chaff by choosing IT security firms accredited by CREST, which provides “very specific guidelines about data handling that can be audited against.

“It offers clients a method for holding IT security organisations to a higher standard,” he said.

Gatford notes that IT security professionals do need to keep their skills up to date and be aware of the latest attack methods. But hiring grey hats is not the way a firm should achieve that, he said.

“It’s a bizarre industry – pen testers have to be above board as security consultants, plus have to be aware of the sub-culture to adequately do our job. Ultimately the safest way to do that is to only ever try new approaches in context of approved client work.”


Copyright © SC Magazine, Australia
