Businesses should embrace hacking to shine a light on their cyber defences
Although newspaper headlines give much attention to state-sponsored cyber-attacks, attacks on commercial enterprises also have significant consequences, as highlighted recently when the cyber-attack on Yahoo caused the company's valuation to plummet during acquisition negotiations with Verizon.
The 2016 Democratic National Committee email leak marked a milestone moment for the impact of a destructive attack on an election campaign, and the fact that cyber crime cost the global economy $450 billion last year alone shows the value to be reaped from it.
Whether mounting attacks on governments, corporations or individuals, it’s clear that the malicious operator is now very well tooled, educated and financed, and poses a threat that could have real commercial impact.
In short, the cyber landscape is only becoming more complex.
The ethics of hacking
The term hacker, once reserved for the underground phone phreakers of the 1960s, is nowadays commonly used to describe someone who breaks into computer systems with malicious or criminal intent.
Yet this may be too simple a definition given the multitude of scenarios in which IT poachers have turned gamekeepers.
Take Kevin Mitnick, for example. Once the world’s most notorious hacker, he’s now working as a Chief Hacking Officer at a security awareness training company, helping businesses detect their security strengths and vulnerabilities.
Professional hacking has helped highlight how hacking skills can support the modern enterprise. Enter from stage left, the ‘ethical hacker.’
An ethical hacker – also known as a ‘white hat’ – is someone using their expertise in computer and organisational systems to test organisations’ defences, configuration and responses against the tools and techniques that could be expected from a malicious attacker.
To best utilise white hats, many legitimate companies have sprung up offering ‘ethical hacking’ services, and organisations such as the EC-Council have launched their own Certified Ethical Hacking Certification, which seeks to reinforce ethical hacking as a unique and self-regulating profession.
Furthermore, the Bank of England’s CBEST framework (available to firms and FMIs which are considered to be core to the UK financial system) demonstrates the vision of an industry which is at the forefront of combating malicious attacks.
The business case for ethical hacking
So what does the daily routine of an ethical hacker actually look like?
A typical scenario would look something like this: Discovery -> Enumeration -> Vulnerability mapping -> Exploitation -> Report to management.
The very first step for an ethical hacker is to gain an understanding of the concerns and business objectives of the organisation they’re working for.
This allows them to determine the parameters of the scenario and, significantly, whether their job will be carried out with the knowledge of wider staff or not. From here, it’s up to the ethical hacker to carry out reconnaissance and prepare their attack – just as a criminal hacker would.
Then it’s show time. The white hat will stage the attack and document all progress in detail so it can be included in a final report that outlines observations and recommendations for future security matters.
The feedback returned from this kind of operation can be invaluable for organisations of all kinds.
While vulnerability scanning and general health-checks enable a basic view of your preventative defences, they won’t provide the insight that real-world testing will.
It’s time to drop the negative reputation of hackers and for businesses to look into how they can leverage white hat skills to their own benefit.