An Ethical Hacker is an expert hired by a company to attempt to attack their network and computer system the same way a hacker would. Ethical Hackers use the same techniques and tactics as those used by illegal hackers to breach corporate security systems. The end result is the company’s ability to prevent an intrusion before it ever occurs.
A company can’t know whether its security system is solid unless it tests it. It’s hard, though, for a company’s IT team to thoroughly wring out the system. Try as they might, the techs can’t go at the system with all the malicious or mischievous motives of a true illegal hacker. To thoroughly uncover vulnerabilities, the theory goes, you must examine your security system through the eyes of an illegal hacker. The word hacking has strongly negative connotations, and, for the most part, rightly so. But ethical hacking is much different. It takes place with the explicit permission of the company whose system is being attacked. In fact, their “good guy” role is underscored by the nickname “white hat” that Ethical Hackers have been given. The nickname is a throwback to old Westerns, where the good cowboys could be identified by their white hats.
The company and the Ethical Hacker enter into a legally binding contract. The contract, sometimes called a “get out of jail free card,” sets forth the parameters of the testing. It’s called the “get out of jail free card” because it is what shields the Ethical Hacker from prosecution. Hacking is a felony, and a serious one at that. The terms of the agreement are what transform illegal behavior into a legal and legitimate occupation.
Once the hacker has exhausted his attempts, he reports back to the company with a list of the vulnerabilities he uncovered. The list in and of itself, however, is not particularly useful. What’s most valuable is the instructions for eliminating the vulnerabilities that the Ethical Hacker provides.
An Ethical Hacker works to uncover three key pieces of information. First, he determines what information an illegal hacker can gain access to. Next, he explores what an illegal hacker could do with that information once gained. Last, the Ethical Hacker ascertains whether an employee or staff member would be alerted to the break-in, successful or not.
At first it might sound strange that a company would pay someone to try to break into its system. Ethical hacking, though, makes a lot of sense, and it is a concept companies have been employing for years. To test the effectiveness and quality of a product, we subject it to the worst-case scenario. The safety testing performed by car manufacturers is a good example. Current regulatory requirements, including HIPAA, Sarbanes-Oxley, SB-1386 and BS 799, require a trusted third party to check that systems are secure.
In order to get the most out of the assessment, a company should decide in advance the nature of the vulnerabilities they’re most concerned with. Specifically, the company should determine which information they want to keep protected and what they’re concerned would happen if the information was retrieved by an illegal hacker.
Companies should thoroughly assess the qualifications and background of any Ethical Hacker they are considering hiring. This individual will be privy to highly sensitive information. Total honesty and integrity are of the utmost importance.
Why & How of Ethical Hacking:
On the surface, ethical hacking sounds like a pretty straightforward process: You hire somebody to break into your network, application or Web servers, and they report what they find. But this simple description, which does adequately explain the basic principle, masks a process that requires a great deal more thought.
Unless you first know what it is you are looking for and why you are hiring an outside vendor to hack your systems in the first place, chances are you won’t get much out of the experience. Sure, you will find out that your network needs to be patched or that there are X number of security holes, but if that information cannot be related back to the business in some form, it’s pretty much useless.
To get the most from a test, putting results into a business context is imperative, said Klahn. Which holes are truly a security threat? How deep into the network can a hacker get via one of these holes? Which should be patched first?
Security holes can even be a necessary part of your infrastructure, allowing you to do business with partners, for example, so closing them up for security reasons may cause more headaches than the vulnerability. Your contractor should be able to appreciate this nuance.
The firm you hire should be able to provide you with a threat assessment and articulate remedies that take into account business needs. And, even then, the hack should be part of a larger security audit that looks at known vulnerabilities while comparing your IT governance policies and procedures against industry best practices.
The reason for this is simple: If you just hire a hack and do nothing else, on the day it’s complete, you are no more secure than the day before the hack began. This is because hacking provides just a snapshot of your overall security. Yes, it can provide confirmation your security is good or expose unknown threats, but it can’t tell you what those threats will be tomorrow. One configuration change and much of the hacker’s work can be negated.
Basic kinds of Hack:
- IP Hack:
  - You hire someone to hack a specific IP address, giving them little or no information beforehand. (Be careful if the IP address is an overseas server. You don’t want hackers hacking the wrong IP address, like a foreign government’s computers, causing an international incident.)
- Application Hack:
  - A much more sophisticated hack that can delve deep into databases and take down production servers. Only experienced hackers, with strict guidelines governing their actions, should be allowed to perform such tests. Never hire a “reformed” black-hat hacker for this type of test.
- Physical Infrastructure Hack:
  - This is where people try to get into your facilities to access your systems, or go dumpster diving looking for confidential information such as passwords discarded on sticky notes.
- Wireless Hacking:
  - War-driving is the new term to describe this type of attack, where wireless access points are exploited from the back of a van. Ethical hackers do the same thing, but report their findings back to you instead of stealing your passwords. Have them check out your teleworkers as well, to see if home offices are a source of entry to your network.
For any of these tests, a reputable firm with clearly defined methodologies should be hired. If a company can’t tell you exactly how it conducts its business, move on. And never hire former hackers to do the work on the cheap. They may not be as reformed as they say and could leave back doors behind or worse.
Scope & Limits:
Once a vendor is selected (never use the RFP process for this type of work), it is very important to outline and define the scope of the project; you don’t want the hacker deciding where to start and stop an attack. Delegate a point person with decision-making authority whom the hackers can contact day or night if problems arise and authority to continue is required.
But, perhaps most importantly, know what you are looking to get from the experience. Too often companies conduct these tests and feel they are secure. This is not the case. Ethical hacking is just another tool, not a panacea. If viewed as such, it will fall into its proper place alongside other security tools. If not, it can leave you far more exposed through either false feelings of security or outright damage to your systems.