Ethical hacking

Does the term ethical hacking sound like an oxymoron?

You may wonder why any kind of hacking is considered ethical; however, subjecting your vital information to hacking manoeuvres can actually allow for more effective means of information security and data protection.

Ethical hacking services aim to evaluate, and ultimately improve, the security of a system by engaging an independent computer security professional to attempt to break into the computer system by employing the same tools and techniques as intruders.

And it isn’t just for the movies.

The Matrix, Sneakers and even the self-titled movie Hackers might glorify the hacker culture, but in reality, the ethical hacking movement in the businesses world has gained legitimate professional credit.


These services are typically focused on two different but integrated tests: penetration testing and vulnerability assessment. Teams performing a vulnerability assessment use automated tools or manual methods to point out weaknesses in a system.

By way of example, imagine attempting to break through a wall.

To do this, it would be of benefit to know what kind of materials were used and where.

Are they susceptible to damage?

Does part of the wall have signs of wear?

Is it already cracking?

Will part of the wall break into dust when chemicals are applied?

Would a security guard let you through if you asked or impersonated someone?

These are questions that a team performing a vulnerability assessment might ask. The only difference is that the assessment would apply to information systems instead of a physical wall.

By contrast, the penetration test focuses on evaluating computer or network security by actually replicating an attack by a malicious user, or ‘hacker.’ The tester attempts to exploit vulnerabilities to prove that they are realizable risks. In the same example relating to breaking through a wall, a penetration tester would use information about the wall’s faulty or weak materials to break through it. What makes the test an ‘ethical hack’ is the authorization granted to the tester to attempt to breach an organisation’s systems.

Ethical hacking services are not only gaining market traction, but are also gaining attention from CEOs and business leaders. IDC, a global market intelligence firm based in the United States, predicts that proactive security, like ethical hacking, will occupy a larger share of the market compared with passive security products, such as network scanning software.

IDC’s predictions about the increase in market share are confirmed by the Gartner Group, a technology research firm in 75 countries. The group recently released a report that details why penetration testing is more important now than ever before: hackers have changed their tactics. The majority of hackers carry out targeted and multi-vector attacks on specific companies rather than mass attacks on a broad variety of systems.

CSO magazine, a publication for Chief Security Officers, cites a change in attitude regarding information security to be a market driver for ethical hacking services.

In a recent article, the magazine reported that businesses are beginning to realize that as computer networks become more complex, it is not possible to protect everything. Instead, company managers must prioritise security efforts to protect the most critical assets.

By physically penetrating the host or network, an organisation’s true exposure can be quantified and qualified, just as a real security compromise would reveal.

Andre Gold, director of information security at Continental Airlines, along with many other CSOs, confirmed that a good penetration test provides peace of mind. Companies also use ethical hacking to measure applied fixes for discovered vulnerabilities.

According to trends gathered by Vistorm, an information security consulting firm in the UK, financial auditors are now more demanding when asking for proof that technology defences are secure. Moreover, publicised hacker attacks have resulted in higher demand for web application security tests both for internal and Internet facing assets.

IT managers in Cayman are wise to use penetration tests to take audits and assessments a step further, because a well-executed penetration test can prove that a vulnerability is actually a corporate liability. However, many CSOs are faced with resource constraints and must justify the expense of a penetration test. CEOs ask IT managers to distil the argument for a penetration test into financial terms, such as return on investment.

Luckily for IT managers, corporate investment in this type of security can be justified easily. According to SecurityFocus, a free, vendor-neutral web site that provides security information worldwide, two key activities serve to justify costs. The first involves aligning ethical hacking services with risks to the business organisation to capture the cost of the penetration testing in the total cost of ownership of business-critical projects. The second requires an understanding of the value of information assets to assist in communicating to executives the potential financial impact of failing to protect them. Once an information asset’s value is known, threats can be analyzed with data from the penetration test, and the potential losses can be annualized, based on the possible occurrence of a particular threat (companies such as Symantec, @Stake and CERT provide this data).
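The cost-justification step just described (valuing an information asset, then annualizing the potential loss from the likelihood of a threat) as an added Python example, not from the article or from any of the firms it names. It applies the standard annualized loss expectancy model: single loss expectancy is asset value times the fraction of that value lost in one incident, and the annualized figure multiplies that by the expected incidents per year. Every asset value, exposure factor, threat rate, residual rate and cost below is a constructed placeholder; the threat names and the `after_remediation` and `return_on_security_investment` helpers are assumptions for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    """One threat to one information asset (constructed values, not real data)."""
    name: str
    asset_value: float      # value of the information asset at risk
    exposure_factor: float  # fraction of the asset value lost in a single incident (0..1)
    annual_rate: float      # expected incidents per year (the "possible occurrence")

    def single_loss_expectancy(self) -> float:
        # loss if the threat is realised once
        return self.asset_value * self.exposure_factor

    def annualized_loss_expectancy(self) -> float:
        # expected loss per year = single loss x expected occurrences per year
        return self.single_loss_expectancy() * self.annual_rate


def total_ale(threats) -> float:
    """Sum of annualized loss expectancy over all modelled threats."""
    return sum(t.annualized_loss_expectancy() for t in threats)


def after_remediation(threats, residual_rate):
    """Re-rate each threat after findings are fixed (hypothetical helper).

    residual_rate maps a threat name to the fraction of its annual rate that
    remains once the penetration test's findings have been remediated.
    """
    return [replace(t, annual_rate=t.annual_rate * residual_rate.get(t.name, 1.0))
            for t in threats]


def return_on_security_investment(ale_before: float, ale_after: float, control_cost: float) -> float:
    """(annual loss avoided - cost of the test and fixes) / cost.

    A positive result means the spend is expected to pay for itself within a year.
    """
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return ((ale_before - ale_after) - control_cost) / control_cost


# Constructed threat register for a hypothetical organisation
THREATS = [
    Threat("customer database breach", asset_value=2_000_000, exposure_factor=0.25, annual_rate=0.5),
    Threat("unauthorised access to financial records", asset_value=500_000, exposure_factor=0.40, annual_rate=1.0),
    Threat("public website defacement", asset_value=50_000, exposure_factor=0.10, annual_rate=2.0),
]

# Constructed assumption: how much of each threat's rate survives remediation
RESIDUAL_RATE = {
    "customer database breach": 0.2,
    "unauthorised access to financial records": 0.5,
    "public website defacement": 0.5,
}

TEST_AND_FIX_COST = 80_000  # constructed cost of the penetration test plus fixes


def justification_summary():
    """Figures a CSO would put in front of the CEO: ALE before, after, and ROSI."""
    before = total_ale(THREATS)
    after = total_ale(after_remediation(THREATS, RESIDUAL_RATE))
    return {
        "ale_before": before,
        "ale_after": after,
        "annual_loss_avoided": before - after,
        "rosi": return_on_security_investment(before, after, TEST_AND_FIX_COST),
    }


if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:45s} SLE={t.single_loss_expectancy():>12,.0f}  ALE={t.annualized_loss_expectancy():>12,.0f}")
    for key, value in justification_summary().items():
        print(f"{key:22s} {value:,.2f}")
```

The residual rates are the weakest input in this kind of argument: they are an estimate of how much the test and its remediation reduce likelihood, so they should come from the tester's findings and the external threat data the article mentions, and the model should be re-run once fixes are verified rather than quoted once.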

Overall, the benefits of using ethical hacking services are not limited to IT alone. Business stakeholders can realise the benefits of ethical hacking because it allows companies to understand if their investment in the existing security infrastructure is effective in providing the expected level of protection. Ethical hacking reports are a valuable means by which business managers can learn whether critical business information is exposed and thus vulnerable to misuse. Consistent and proper use of ethical hacking can also help a company to comply with regulatory mandates that address the issues of information security and privacy. And finally, these services can help companies allocate their IT security resources more efficiently and effectively.

Matt Miller is an assistant manager in both the Information Technology Assurance and Security and Privacy Services groups of Deloitte (Cayman) Enterprise Risk Services. Based in Cayman, he leads and participates in IT audit and security engagements across the Caribbean. He is a Certified Information Systems Auditor with over four years’ experience with the Deloitte US firm. He has served some of the firm’s largest and most complex clients, providing his expertise on security implementation projects as well as Sarbanes-Oxley attestation and internal controls consulting. Matt is a member of the Information Systems Audit and Control Association.