The nature of cybersecurity threats keeps evolving. Unless systems evolve to manage these threats, they will be sitting ducks. While conventional security measures are necessary, it is also important to obtain the perspective of the people who could actually threaten systems: hackers. Organizations have been allowing a category of hackers, known as ethical or white hat hackers, to identify system vulnerabilities and suggest how to fix them. Ethical hackers, with the express consent of the system owners or stakeholders, penetrate the systems to identify vulnerabilities and provide recommendations for improving security measures. Ethical hacking makes security holistic and comprehensive.
Do You Really Need Ethical Hackers?
It is certainly not mandatory to employ the services of ethical hackers, but conventional security systems have repeatedly failed to provide adequate protection against an enemy that keeps growing in size and variety. With the proliferation of smart and connected devices, systems are constantly under threat. Hacking is, in fact, seen as financially lucrative, at the expense of organizations, of course. As Bruce Schneier, author of the book "Protect Your Macintosh," put it, "Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge." Unless you have a big budget, your IT department may prove no match for the onslaught of hackers, and valuable information can be stolen before you even realize it. Therefore, it makes sense to add a dimension to your IT security strategy by hiring ethical hackers who know the ways of black hat hackers. Otherwise, your organization runs the risk of unknowingly leaving loopholes open in the system.
Knowledge of Hackers’ Methods
To prevent hacking, it is important to understand how hackers think. Conventional system security roles can only do so much; at some point the hacker's mindset has to be brought in. The ways hackers work are unusual and hard for conventional security roles to anticipate. This makes the case for hiring an ethical hacker who can approach the system the way a malicious hacker would and, along the way, discover any security loopholes.
Penetrative Testing
Also known as pen testing, penetration testing is used to identify system vulnerabilities that an attacker could target. There are many methods of penetration testing, and an organization may use different ones depending on its requirements.
- Targeted testing involves the organization's IT staff and the hacker working together; the staff all know that the test is being performed.
- External testing penetrates all externally exposed systems such as web servers and DNS.
- Internal testing uncovers vulnerabilities open to internal users with access privileges.
- Blind testing simulates real attacks from hackers. Testers are given limited information about the target, which requires them to perform reconnaissance prior to the attack.
Penetration testing is the strongest case for hiring ethical hackers. (To learn more, see Penetration Testing and the Delicate Balance Between Security and Risk.)
Identifying Vulnerabilities
No system is completely immune to attacks. Still, organizations need to provide multidimensional protection, and the ethical hacker's paradigm adds an important dimension. A good example is the case study of a large organization in the manufacturing domain. The organization knew its limitations in terms of system security, but could not do much on its own. So, it hired ethical hackers to assess its system security and report their findings and recommendations. The report comprised the following components: the most vulnerable ports, such as Microsoft RPC and remote administration; and recommendations for improving system security, such as an incident response system, full deployment of a vulnerability management program and more comprehensive hardening guidelines.
Preparedness for Attacks
Attacks are inevitable no matter how fortified a system is; eventually an attacker will find a vulnerability or two. That does not mean organizations should stop bolstering their system security – quite the contrary, in fact. Cyberattacks keep evolving, and the only way to prevent or minimize damage is good preparedness. One way to prepare systems against attacks is to allow ethical hackers to identify the vulnerabilities beforehand.
There are many examples of this, and it is pertinent to discuss the example of the U.S. Department of Homeland Security (DHS). The DHS uses an extremely large and complex system which both stores and processes huge volumes of confidential data. A data breach is a serious threat, tantamount to a threat to national security. The DHS realized that getting ethical hackers to break into its system before black hat hackers did was a smart way to raise its level of preparedness. So, the Hack DHS Act was passed, which would allow select ethical hackers to break into the DHS system. The act laid out in detail how the initiative would work. A group of ethical hackers would be hired to break into the DHS system and identify vulnerabilities, if any. For each new vulnerability identified, the ethical hackers would be financially rewarded. The ethical hackers would not be subject to legal action for their work, though they would have to operate under certain constraints and guidelines. The act also made it mandatory for all ethical hackers participating in the program to go through a thorough background check. Like the DHS, reputable organizations have long been hiring ethical hackers to raise their level of security preparedness. (For more on security in general, see The 7 Basic Principles of IT Security.)
Conclusion
Both ethical hacking and conventional IT security need to work together to protect enterprise systems. However, enterprises need to work out their own strategy toward ethical hacking, and they can probably take a leaf out of the DHS policy. The role and scope of ethical hackers need to be clearly defined; it is important that the enterprise maintains checks and balances so that the hacker does not exceed the job scope or cause any damage to the system. The enterprise also needs to give the ethical hackers the assurance that no legal action will be taken for a breach that falls within the scope defined by their contract.
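As an added example that is not part of the original article, the following Python script shows one way an enterprise can turn "clearly defined scope" and "checks and balances" into an automated pre-flight check: the engagement scope (authorised networks, authorised domains, explicit exclusions and the agreed testing window) is encoded once, and every target the ethical hacker intends to touch is checked against it before any testing starts. The scope values, target list and dates are constructed for illustration and do not come from the article.

```python
"""Rules-of-engagement scope check (added illustration, not the article's code).

The scope below mirrors what a contract would spell out: which networks and
domains may be tested, what is explicitly off limits, and when testing may
happen. All values are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass
class Scope:
    networks: list   # ipaddress networks the tester is authorised to touch
    domains: list    # hostnames / domain suffixes that are in scope
    excluded: list   # networks carved out of scope (e.g. a production database)
    start: datetime  # start of the agreed testing window (UTC)
    end: datetime    # end of the agreed testing window (UTC)


def _parse_addr(target):
    """Return an ip_address for a literal IP, or None for a hostname."""
    try:
        return ipaddress.ip_address(target)
    except ValueError:
        return None


def _host_allowed(host, domains):
    """Exact match or a proper subdomain; 'notexample.org' must NOT match 'example.org'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_target(scope, target, when=None):
    """Return (allowed, reason) for one target at a given time.

    Order matters: the time window is checked first, then explicit exclusions
    (an excluded range always wins over an allowed one), then the allowlist.
    """
    when = when or datetime.now(timezone.utc)
    if not (scope.start <= when <= scope.end):
        return False, "outside authorised testing window"
    addr = _parse_addr(target)
    if addr is None:
        if _host_allowed(target, scope.domains):
            return True, "hostname matches authorised domain"
        return False, "hostname not in authorised domains"
    if any(addr in net for net in scope.excluded):
        return False, "address is explicitly excluded"
    if any(addr in net for net in scope.networks):
        return True, "address within authorised network"
    return False, "address not in authorised networks"


def partition_targets(scope, targets, when=None):
    """Split a proposed target list into (allowed list, {denied target: reason})."""
    allowed, denied = [], {}
    for target in targets:
        ok, why = check_target(scope, target, when)
        if ok:
            allowed.append(target)
        else:
            denied[target] = why
    return allowed, denied


# Constructed sample scope: documentation/test address ranges, illustrative dates.
SAMPLE_SCOPE = Scope(
    networks=[ipaddress.ip_network("10.20.0.0/16"),
              ipaddress.ip_network("203.0.113.0/24")],
    domains=["app.example.com", "example.org"],
    excluded=[ipaddress.ip_network("10.20.5.0/24")],
    start=datetime(2024, 3, 1, tzinfo=timezone.utc),
    end=datetime(2024, 3, 15, tzinfo=timezone.utc),
)
# Constructed target list a tester might propose before the engagement.
SAMPLE_TARGETS = ["10.20.1.7", "10.20.5.9", "192.0.2.4", "api.example.org", "notexample.org"]
SAMPLE_WHEN = datetime(2024, 3, 10, tzinfo=timezone.utc)   # inside the window
OUT_OF_WINDOW = datetime(2024, 4, 1, tzinfo=timezone.utc)  # after the window closed

if __name__ == "__main__":
    allowed, denied = partition_targets(SAMPLE_SCOPE, SAMPLE_TARGETS, SAMPLE_WHEN)
    print("allowed:", allowed)
    for target, reason in denied.items():
        print(f"denied {target}: {reason}")
```

Running the script with the sample data allows only 10.20.1.7 and api.example.org; the excluded subnet, the out-of-scope address and the look-alike domain are all refused with a reason, and every target is refused once the window has closed. Keeping the refusal reason alongside the decision gives both the enterprise and the tester an auditable record of why a target was or was not touched.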