Businesses are increasingly utilising the skills of ethical hackers to find vulnerabilities in their networks before the bad guys do. Tim Bandos, VP of Cybersecurity at Digital Guardian, discusses the rise of ethical hacking as a defence tactic and how organisations can assess whether it is right for them.
The ever-growing and evolving cyberthreat landscape provides a near constant security challenge. In the past, many organisations relied on building high perimeter defences in the hope that criminals wouldn’t find their way in, often with detrimental results.
Fortunately, most modern organisations now realise that taking the time to identify potential weaknesses and addressing them properly is a far more robust and reliable strategy. But what’s the best way to go about doing this?
One increasingly common approach is the use of ethical hackers – professional third parties whom organisations can employ to purposefully penetrate their IT ecosystem and tell them where key vulnerabilities are.
This article will explore the concept of ethical hacking, some of its main applications and why it’s becoming increasingly popular amongst businesses of all shapes and sizes.
What is ethical hacking?
Despite Hollywood’s best efforts to convince us otherwise, not all types of hacking are criminally motivated. Ethical hacking is a specific type of hacking, conducted by professional individuals or companies, which systematically attempts to penetrate target networks, applications, devices or other systems in order to find security vulnerabilities. Once found, they are reported to the resource owner for remediation before they can be exploited.
While many ethical hackers use the same methods and tactics as criminal hackers, there is a very clear distinction between the two. First and foremost, ethical hackers almost always have explicit permission from the ‘target’ company before they commence any sort of hacking activity.
Secondly, they report all findings/vulnerabilities to the company for mitigation as soon as they are found. Finally, they ensure the privacy of both the organisation and its employees is respected throughout the process.
What can ethical hacking be used for?
Most ethical hacking companies offer a variety of services to organisations that are looking to improve their overall security posture.
Vulnerability discovery and remediation
The first and most widely recognised service is the identification of security vulnerabilities within an organisation’s existing security. Working alongside the company in question, ethical hackers will perform a full evaluation of all systems, using the same techniques deployed by criminal hackers. Once finished, they will provide a detailed report highlighting any and all vulnerabilities found, which the organisation can use to inform its security strategy and improve overall defences.
Pre-emptive preparation and training
In today’s ever-evolving security landscape it’s impossible to be 100% protected against malicious hackers at all times. When a successful cyberattack does occur, it can be devastating for any business, but particularly for those that aren’t prepared and don’t have a response plan in place. For this reason, many ethical hacking companies also offer a range of pre-emptive services, using their knowledge of how hackers operate to arm employees and security teams with the information they need to act swiftly and decisively in the event of an attack.
Knowledge sharing and attack demonstrations
Another service offered by many ethical hackers is demonstrating popular attacks in action and showing senior executives the real-world impact that such attacks could have on their business, but in a safe and controlled environment. Doing so helps executives to prioritise security spending and understand first-hand how different attacks could impact operations in the short, medium and long term.
Are there any risks involved?
In order for ethical hackers to perform their jobs properly, organisations often have to give them unprecedented access to their systems and architecture, which naturally carries a level of risk with it. How much risk depends on the individual/company used to conduct the hacking activity.
As such, it’s critically important for any organisation thinking of using ethical hackers to make sure they conduct a full background check and ensure the necessary accreditation and certifications are in place before granting access.
As the volume and variety of threats out there continues to grow at an alarming rate, many organisations are employing the services of ethical hackers in order to hack themselves before someone with more malicious intent does it first.
Doing so can be hugely beneficial in terms of both knowledge and preparation in the event of a real attack. However, like so many things in life, there is no one-size-fits-all approach to cybersecurity.
Ultimately it is up to every organisation to look at their existing security approach and decide if employing the services of ethical hackers is right for them.