Ethical hackers: Should businesses tread with caution?
With cybercrime continuing to pose a major threat around the globe, businesses everywhere are increasing their spending on both information security solutions and regular security testing to find vulnerabilities before criminals can exploit them. However, with the latest research showing over 40 percent of cyberattacks last year were in fact zero-day exploits that took advantage of vulnerabilities missed by traditional pen testing, it’s clear that more still needs to be done.
For this reason, a growing number of organizations are turning to so-called 'ethical hackers' or grey hats, who use their skills to find the vulnerabilities that traditional penetration testing organizations can’t. However, while the services on offer can be incredibly effective, the idea of hacking still tends to carry (mostly) negative connotations, which often leaves businesses unsure about finding an ethical hacking service they can trust. For those that wish to explore the idea of ethical hacking further, below are a number of best practice guidelines for doing so:
Always check credentials and qualifications
Before engaging the services of any ethical hacker, businesses should always check and verify their credentials and qualifications. The most widely accepted qualification is the Certified Ethical Hacker (C|EH) certification, which is issued by the International Council of E-Commerce Consultants (EC-Council). Previous work experience is also a good way to gauge someone’s skills and work ethic, as well as where their specialist skills lie (and whether they align with the security needs of the business). Speaking with past employers and/or asking for case studies of previous projects can be a valuable way to build trust at this early stage.
Be wary of ethical hackers with questionable pasts
One of the biggest talking points within the world of ethical hacking is whether businesses should consider hiring ethical hackers with past criminal convictions. Of course, different people/businesses will have different opinions on this. There’s undoubtedly a wealth of highly skilled individuals out there who have changed course in their lives and now use their skills for positive means. However, many businesses will likely prefer to stick with professionals whose track records demonstrate consistent good intentions.
Set clear goals and outcomes from the start
Once a business has identified a security tester that is both certified and trusted, the next task is to set a brief for them to work against. To maximize the chances of success, it’s vital that the brief contains clearly defined goals and properly identified blind spots. For instance, if the in-house security team’s top concern is senior executives logging in via unsecured public Wi-Fi networks, this should form the main basis of the brief. It’s equally important to state the desired outcomes in the brief wherever possible, whether that means gaining access to specific core business applications or extracting sensitive data.
Ensure day-to-day business operations aren’t disrupted (unless by design)
Ethical hacking often involves accessing critical systems, but it shouldn’t disrupt day-to-day operations unless specifically by design. In many businesses, even minor data loss or short periods of unplanned downtime can have severe knock-on effects. Of course, some companies will engage ethical hackers specifically to test whether their systems can withstand a major DDoS attack, for example, but this kind of testing should be conducted in controlled environments that won’t impact business continuity.
Data protection is another key area that’s subject to all manner of legal restrictions and should never be compromised. In any scenario designed to test data security, the security tester should only demonstrate they can access the files in question, not remove or alter any of them. Legal documents are also off-limits during any kind of test.
Build firm deadlines into every brief
It’s important to build clear deadlines into every brief. With enough time and resources, skilled attackers will eventually be able to compromise most systems. However, this isn’t representative of the real world where time is money and cybercriminals tend to look for the path of least resistance. A good benchmark for these kinds of penetration tests is one week. If a network takes longer than that to break into, most opportunistic cybercriminals would likely have given up and moved on to an easier target by then, making it a realistic timeframe for ethical hacking tests too.
When conducted properly, ethical hacking can bolster almost any cyber security defense. However, giving outside parties access to critical data and systems is not something that should be done lightly. For this reason, any business thinking about employing the services of an ethical hacker must do their homework beforehand and manage the process carefully from start to finish. While the vast majority of ethical hackers out there are highly ethical and professional, it never hurts to tread with caution.
Matt Rider is VP of Security Engineering EMEA at Exabeam.