Set a Thief to Catch a Thief: Keeping Hackers at Bay

Published on

20 Nov 2018

A recent survey has revealed some of the techniques used by hackers, both black hat and white hat. The survey, dubbed the ‘Black Report,’ aimed to get a fresh perspective on cybersecurity and attacks. Instead of collecting responses from IT professionals and business owners, it surveyed hackers from both sides of the fence: the legitimate penetration testers, who aim to highlight the flaws in organizations’ cybersecurity systems so that they can be improved, and the criminals who look to exploit those flaws for their own gain.

The report revealed how hackers compromise systems, the time it takes them to break in and, crucially, the methods that keep them at bay.

How they hack in

  • 71% of respondents claimed they could breach a target in less than 10 hours.
  • Once inside the perimeter, 78% said that critical data could be identified within a further 10 hours.
  • For 72% of respondents, it would then take five hours or less for them to exfiltrate the data.
  • In total, 54% of hackers surveyed said the entire breach would take 15 hours or less.
  • Those surveyed used familiar methods to carry out their attacks:
    • Phishing and network attacks were among the most common, and 88% said they used social engineering to gain information about their target.
    • It’s not surprising that these methods are the most frequently used – they were identified as the most common attack types in Verizon’s Data Breach Investigations Report 2018.
  • The majority of respondents revealed their methods have to change regularly:
    • 59% of hackers surveyed said that their attack methods become out of date or easy to detect within six months.
    • 29% said that they were constantly upgrading to new tools or techniques that improved the efficiency and effectiveness of their attacks with each engagement.
  • As a result, just 3% said they encountered environments that they could not break into.
  • 79% said that target organizations’ security posture rarely left them impressed.

One reason hackers are rarely impressed by an organization’s security posture may be that a strong posture depends less on expensive tools than on equal investment in people and procedures. An organization may have invested in cyber security systems and software to help protect it, but the impact is not going to come from technology alone.


Keeping them out

The survey asked hackers what message they’d send to CEOs about security. The top responses were…

  • that cybersecurity “is a journey, not a destination.”
  • organizations will “never be secure.”
  • security requires “a strong combination of people and technology.”
  • goal-oriented pentesting was “very impactful” or “absolutely critical,” as 79% of respondents attested.

We absolutely agree. The right people and processes, including effective penetration testing, are essential parts of an effective cybersecurity posture. In our work, we have never tested an organization’s systems without finding vulnerabilities, so you need to be empowered to find and fix them with a system that facilitates that. Still, it’s not about buying the latest, most expensive system for threat prevention, as that won’t stop every vulnerability from reaching you.

The same is true from a pentesting perspective: many pentests fail to provide the deep dive that’s needed. Some companies that offer pentest services will provide nothing more than a branded vulnerability scan, done with tools that could be used by any company. These automated scans typically do not include the mix of skills and experience, proactivity and proficiency of a qualified professional penetration tester with a technology background. In other words, they lack the knowledge and approaches that an experienced, skilled hacker would bring to bear when probing a network’s defenses.

Truly effective penetration testing services will provide a detailed overview of all the techniques used and will include the human element – showing how vulnerable your staff are to commonly used methods such as social engineering and phishing. Beyond this, penetration tests should be performed periodically, with a detailed report handed to the organization containing recommendations for them to implement themselves. As mentioned earlier, security is a journey, not a destination. Every time a new person joins a company or changes are made to the IT infrastructure, a new vulnerability could emerge.

This is why we offer ‘Pentest-as-a-Service©’ – where organizations get ongoing support from our professionals, who help to interpret and action the results of the Penetration Test. This helps our customers put the results of the test into practice, gaining a long-term view that will help them to put controls in place to prevent attacks, and crucially – to put procedures in place to deal with any threats if they do manage to get through.

For more details about our innovative Pentest-as-a-Service© approach, click here.

Cybersecurity Attacks that will Actually Lead to a Compromise

On January 15th at 4 PM UK time, our Cybersecurity Practice Director, Luke Potter, hosted a free webinar giving an informative talk on up-and-coming security threats that have been realized this past year within the SureCloud client base. He gives an insightful view of how the bad guys are finding new and creative ways to hack into organizations and individuals, as well as advice on how best to prevent the new threat vectors.

The webinar is available on-demand via BrightTALK here.