A stranger comes to town: White Hat hacking

The growth of cloud services has seen the importance of data security increase exponentially over the last decade. New technologies, evolving business practices and the ever-more sophisticated techniques being developed by cyber criminals, or "crackers", mean that security is one of the biggest challenges organisations face today. This is why many of them enlist the help of ethical hackers. But is there really such a thing? The words ethical and hacker aren't exactly synonymous. The risks are there, but without the use of white-hat hackers, are we exposing ourselves to attack?

An ethical hacker uses the same methods of penetration testing as their malicious adversaries, but ethical hackers are hired to do this with the sole purpose of reporting vulnerabilities to the organisation so they can be counteracted. Even the use of ethical hackers presents a risk, so it is important to understand the different types of hacks you can perform and the considerations you should take with each.

IP hacks

An IP hack involves you providing hackers with a specific IP address and enlisting their help in finding flaws and weaknesses to exploit. Care needs to be taken here because if the wrong IP is hacked, not only can it result in a security breach, but the results of your testing would be completely irrelevant.

Application hacks

This hack is a little more sophisticated, delving much deeper into your servers and databases. Obviously when granting this kind of access to your systems, you need to be able to trust the hackers you are working with. They should be experienced and be given strict guidelines to follow to protect the integrity of your data.

Physical infrastructure hacks

As the name suggests, this involves hackers trying to gain access to your physical environment, like your office or your server room. In doing this they can retrieve information from your systems, and look for human error like sensitive data being left on desks. This is less about your IT security and more about your operational practices - like who you allow access into your offices. Once again, it's vital that strict governing guidelines are provided to make sure all findings are dealt with appropriately.

Due diligence is key

The point of ethical hacking is to provide businesses with a snapshot of their overall security at a given point in time. It highlights your vulnerability to malicious attacks as well as accidental data loss, but unless you actually do something with the findings, they're completely useless. After identifying your potential threats, your security company should provide you with a list of actionable points from which you can move forward. These actions should be communicated down through every level of the organisation, to ensure all potential access points are protected.

Hiring hackers to carry out your pen testing can be a risk. You are essentially giving someone the opportunity to plant spyware, viruses and malicious code deep into your systems that could cause an irreversible amount of damage. But this outcome is completely avoidable if the correct due diligence is carried out.

Most service providers will carry out their own penetration testing to prove they have adequate security measures in place to protect customer data. Whilst these are usually completely legitimate, it wouldn't do any harm to insist on performing your own tests on their environment, for a completely objective result. Good service providers will allow you to do so. Also, working with reputable, genuinely ethical hackers is essential. "Ethical Hacker" accreditations from the EC-Council, for example, are a strong indication that a company is legitimate and that your data will not be compromised.

Getting an objective view of your environment and its vulnerabilities enables the implementation of adequate, preventative security measures. Undeniably, there are risks with granting access to your systems to a third party, but a certain amount of trust is necessary when creating a secure and agile infrastructure. At the rate malicious hacking techniques are progressing, it would be reckless to forgo the necessary testing to protect your environment.
