The job interview was going well when the young man made a confession: his printer was broken. Could he leave his resume on a thumb drive? That was all it took. The thumb drive held more than PDF and Word files; it also carried a small piece of malicious code that, once the drive was plugged into one of the office's supposedly secured computers, set about copying itself across the network. By the time the interviewee had returned to his car, the organization's network security, and with it its entire business, was compromised. You don't expect to meet hackers face-to-face, but in today's world they will use any means necessary to gain access. This interview was different, though: the young man wasn't a malicious hacker. His actions had been sanctioned by the organization's highest authorities. He was a hacker for hire, employed for one purpose: to put the company's expensive security infrastructure to a real test.
Ethical hacking is a growing trend in cyber security, and for good reason. The average annual cost of cybercrime rose six percent in the last year, reaching $8.9 million for the average company. In 2010, McAfee estimated the global cost at $1 trillion. But costs aren't measured only in dollars. They are measured in downed services and lost connections, in stolen identities and personally identifiable information, and in some cases even in lives. A Department of Defense (DoD) report released this year warned that a coordinated cyber attack could have a greater impact than a nuclear weapon. It's no surprise, then, that last year companies in the U.S. spent $5.3 billion on securing their infrastructure. But with so much effort poured into security, and the stakes so high, an organization can't wait until after an attack to find out whether its security program actually works. That's where ethical hacking comes in.
To understand ethical hacking, you first have to understand hacking and how it has changed over the last decade. Too many people still picture hackers as young computer specialists whose first language is code; that is no longer the whole story. As computer systems have grown larger and more complex, their attack surface has grown with them. At the same time, automated attack tools have put even sophisticated attacks within reach of criminals with little technical skill of their own.
Criminals, though, are just the tip of the iceberg. Media organizations are routinely targeted by "hacktivists" with a social or political agenda; technology companies are breached by overseas competitors; and governments are probed by foreign intelligence services. Some hackers in Britain have extorted money from financial institutions, while others, sometimes called "suicide hackers," aim to bring down critical infrastructure and are indifferent to money or punishment. Because attackers are so diverse in their motives and methods, organizations cannot assume that blanket information assurance policies or assessments will serve as a complete defense.
Ethical hackers mimic the behavior of real attackers, attempting to breach a system from a variety of directions. Their goal is to discover what an intruder can see on the target system, what they can do with that access, and whether the organization can detect the intrusion. Even the most security-conscious organizations have made ethical hacking a best practice. Since 2011, the DoD has been integrating cyber attacks into its war games, and the ethical hackers are often so effective that they bring the exercises to a complete halt.
Ethical hackers may work independently or as part of an existing cybersecurity firm. Their work begins only after the client organization has agreed to the test and all parties have signed agreements that define what is in scope and require that any data discovered during the engagement be protected. Usually, only a few top managers at the organization know the test is taking place. Once the details are settled, ethical hackers start by researching the client organization and gathering information about its existing infrastructure. This can involve probing networks remotely, walking off with equipment, or gaining a foothold on the local network through social engineering, as in the thumb drive scenario above. Once access is gained, the testers determine what information they can reach and how much damage an attacker in their position could do. At the end of the engagement, the team delivers a report detailing what was done, what vulnerabilities were found, and, most importantly, how to fix them.
After you lock the door to your house, you turn the knob to make sure it's locked. Ethical hacking works on the same principle. The more your organization invests in securing its information infrastructure, the more important it is to test that infrastructure by having someone try to break in. What you find might surprise you, but it's far better to be surprised by your own testers and have the chance to fix the problem than to discover that your organization has already been compromised.