Can you hack my network? Why ethical hacking is essential for improving your security
Congratulations! You’ve selected and deployed a new cybersecurity solution. But once you’re up and running, you might not feel completely secure. Do you need to test your incident response process as much as you test the software? Does the new solution have vulnerabilities you -- or its creators -- don’t know about? Are there emerging attacks that it will miss?
If you want to know that a cybersecurity solution will do what you need it to do, and that you’re ready to respond to whatever it detects, you need to test it. Penetration testing ("pentesting") is a common part of deploying any new cybersecurity tool, and it can help you identify and fix weaknesses in your defenses. Pentesting can be automated with software, but automated tools can lack the ingenuity of a live human trying to breach your system. The surefire way to simulate a real human attack is to enlist the services of a real human attacker -- subjecting your network and its cybersecurity defenses to "ethical hacking."
What Is Ethical Hacking?
Ethical hackers, also called "white hat" hackers as a nod to the fashion sense of good-guy cowboys in old Westerns, go beyond a typical pentest; they’re trying to exploit your system like a real attacker would, including trying to leverage human error.
Many ethical hackers operate on a contract basis. Others are engaged as freelancers in a bug bounty program -- a firm offers a financial incentive (often in the five-figure range) for anyone who can find bugs or gaps in their defenses or successfully breach it, and some of the Internet’s finest white hats are off to the races.
How Ethical Hacking Benefits AI Cybersecurity Solutions
Like humans, AI-based solutions like Mayhem only know what they’ve been taught. The information that goes into an AI cybersecurity tool is arguably just as critical as the tool itself. The more data, and the wider the variety of data, you give an AI-powered cybersecurity solution, the better.
AI-powered cybersecurity tools are very good at recognizing automated activity, because malware usually behaves in recognizable patterns. An actual human, though, may not be so predictable. By simulating real attacks, ethical hackers can help AI-based systems learn to recognize the behavior of human attackers.
Ethical hackers can also try to leverage human error the way a real black-hat hacker might. They might use a business email compromise (BEC) scam or compromised websites, or see how your employees respond to a phishing attack. Skilled white-hat hackers can help identify vulnerabilities in two ways: 1) they can show security professionals where their human-error-driven weak points are, so training can be modified or increased; and 2) they can teach an AI-based system what it looks like when the first lines of defense have failed.
How to Hire an Ethical Hacker
As ethical hacking becomes an increasingly accepted profession within the field of cybersecurity, it’s increasingly easy to hire an ethical hacker for your own purposes. However, there are several things you should look for, or decide upon, before hiring a white hat hacker.
- Pick a proven pro. Look for hackers and firms with proven records of success for clients willing to discuss their work. And check references.
- Align skills to your goals. Start with what you want tested -- for example, a web app test, testing endpoint protection, or employees’ ability to resist phishing emails -- and then evaluate the skills and experience of your hacker against these goals.
- Plan what type of test you want to run. Certain ethical hackers may specialize in one format over another, such as black-box testing vs. white-box testing, where would-be attackers know less or more about the system they’re attacking.
- If all else fails, offer a bug bounty. This may not be the most professional option, but offering a prize to someone who can successfully infiltrate your network might wind up delivering some very enlightening results.
Finally, be sure to confer with your legal team about the terms of the contract you have with your white hat hacker. And don’t think that you’re done just because your hacker doesn’t find anything, or because you’ve addressed what they did find. New attacks are launched constantly, and the attack surface is constantly changing. Be sure to engage white hat hackers on a regular basis to continually recheck your security.
Brian Laing is SVP of Corporate Development and Strategic Alliances at Lastline. For more than 20 years, he has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive level roles. The author of "APT for Dummies," Brian was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader.