The job interview was going well when the young man made a confession: his printer was broken. Could he leave his resume on a thumb drive? That’s all it took. The thumb drive didn’t just have PDF and Word files on it – the device contained a little snippet of malicious code that, once released onto one of the office’s secured computers, was hard at work multiplying itself. By the time the interviewee had returned to his car, the entire organization’s network security – its entire business – was compromised. You don’t expect to see hackers face-to-face, but in today’s world, hackers will go to any means necessary to gain access. Except this interview was different – the young man wasn’t a malicious hacker. In fact, his actions were sanctioned by the organization’s highest authorities: he was a hacker for hire, employed for one purpose – to submit the company’s expensive security infrastructure to a real test.
Ethical hacking is a growing trend in cyber security – and for good reason. The average annual cost of cybercrime increased six percent in the last year, reaching $8.9 million for the average company. In 2010, McAfee estimated the global cost at $1 trillion. But costs aren’t measured just in dollars – they’re measured in downed services and lost connections, as well as stolen identities or personally identifiable information. In some cases, they can even be measured in lives. A Department of Defense (DoD) report released this year warned that a coordinated cyber attack could have a greater impact than a nuclear weapon. It’s no surprise, then, that last year companies in the U.S. spent $5.3 billion on securing their infrastructure. But with so much effort being poured into security, and the stakes so high, organizations can’t wait until after an attack occurs to find out whether their security program is effective. That’s where ethical hacking comes in.