ASIC hiring white hat hackers

The Australian Securities and Investments Commission (ASIC) has started looking for a penetration testing firm to find security weaknesses in its web and IT infrastructure.
Written by Liam Tung, Contributing Writer

The news follows a similar move by ASIC in October, when the regulator started looking for counter-surveillance professionals to test its security, including some ICT systems.

The contractor sought this week will test ASIC's security measures protecting its internal IT infrastructure once per year over a proposed three-year period. Besides identifying weaknesses that could allow unauthorised access to corporate information, ASIC wants to test the resilience of its systems to denial-of-service attacks, according to the tender documents.

Corporate penetration testers are also known as "white hat" hackers due to their use of hacking techniques for ethical ends.

The internal security test will assess ASIC's configuration of its firewalls, content filters, intrusion detection systems, antivirus, internet telephony, and some of the 2,000-plus devices on its network. Its mainframe has not been included in the scope of work.

Missing from the documents, however, is any mention of testing staff against social engineering techniques.

An Australian penetration tester who wished to remain unnamed told ZDNet.com.au that this was an often overlooked component of penetration testing. A typical social engineering test would include sending an email to staff using a fake domain which would make the email appear to be sent from within the company — for example, from the IT department.

"While users are seasoned in terms of seeing banking phishing emails, they're not expecting spear-phishing or targeted attacks. So to get an email from your local IT group asking people to log in to a [web mail] site to test the account is working — that's often quite successful," they said.

"Anyone in the industry would know that the easiest way to bypass security measures is by the exploitation of people."
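The spear-phishing test the tester describes depends on a sender domain that merely resembles the organisation's own, combined with a display name that claims to be internal IT. The following is an added example, not code from the original article or from ASIC, of a mail-gateway check that flags that pattern. It assumes a hypothetical corporate domain (corp.example), a short list of IT display names, and constructed sample headers; none of these come from the article.

```python
"""Flag lookalike-domain and display-name spoofing in inbound mail headers.

Added example (not from the article). CORP_DOMAIN, IT_DISPLAY_NAMES and the
SAMPLES below are assumptions constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "corp.example"  # assumption: hypothetical organisation domain
IT_DISPLAY_NAMES = ("it department", "it support", "it helpdesk", "helpdesk")
# Substitutions commonly used in lookalike registrations, folded before comparing.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(label):
    """Fold lookalike substitutions so 'c0rp' compares equal to 'corp'."""
    s = label.lower()
    for bad, good in SUBSTITUTIONS:
        s = s.replace(bad, good)
    return s


def edit_distance(a, b):
    """Levenshtein distance; domains are short so the quadratic loop is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain, corp=CORP_DOMAIN):
    """True if the domain imitates the corporate one without being it."""
    if not domain or domain == corp:
        return False
    corp_first = normalise(corp.split(".")[0])
    # corp.example.evil.test or corp-example.test: the company name reused as a label.
    for label in domain.split("."):
        n = normalise(label)
        if n == corp_first or n.startswith(corp_first + "-"):
            return True
    # c0rp.example, corp.exarnple: whole domain within a small edit distance after folding.
    return edit_distance(normalise(domain), normalise(corp)) <= 2


def classify(raw_message):
    """Classify one raw RFC 822 message by its From and Reply-To headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    if domain == CORP_DOMAIN:
        verdict = "internal"
    elif is_lookalike(domain):
        verdict = "lookalike"
        reasons.append(f"sender domain {domain} imitates {CORP_DOMAIN}")
    else:
        verdict = "external"

    if name.strip().lower() in IT_DISPLAY_NAMES and domain != CORP_DOMAIN:
        reasons.append("display name claims internal IT but address is not corporate")
        if verdict == "external":
            verdict = "suspicious"
    if reply_addr and domain_of(reply_addr) != domain:
        reasons.append(f"Reply-To points at a different domain ({domain_of(reply_addr)})")

    return {"from": addr, "domain": domain, "verdict": verdict, "reasons": reasons}


# Constructed sample headers (not real mail); bodies omitted.
SAMPLES = [
    "From: IT Department <helpdesk@corp.example>\nSubject: Maintenance\n\n",
    "From: IT Department <helpdesk@c0rp.example>\nSubject: Verify your webmail\n\n",
    "From: IT Support <support@corp.example.mail-check.test>\nSubject: Account test\n\n",
    "From: IT Helpdesk <it@webmail-account-check.test>\nReply-To: collect@drop.test\n\n",
    "From: Your Bank <alerts@bank.test>\nSubject: Statement\n\n",
]


def scan(samples=SAMPLES):
    """Classify every sample and return the list of verdicts."""
    return [classify(s)["verdict"] for s in samples]


if __name__ == "__main__":
    for s in SAMPLES:
        r = classify(s)
        print(f"{r['verdict']:10} {r['from']:45} {'; '.join(r['reasons'])}")
```

The check is deliberately header-only: it is the cheap first filter a gateway can apply before any content analysis, and it catches exactly the three tricks the tester mentions (a near-miss domain, the company name buried in a longer domain, and a trusted display name on an outside address). It does not verify SPF or DKIM, so a message that passes it is not thereby known to be genuine.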

ASIC has, however, requested tenderers to advise of any additional areas that should be included in the assessment. Responses are due by 9 February.