It might sound like a contradiction in terms, but ethical hacking is a crucial weapon in the fight against cyber crime
Put simply, ethical hacking involves external testing of an organisation’s cyber security to identify any vulnerability that could be exploited maliciously, either by industry competitors, state actors or organised crime. Globally, losses from cyber theft are reckoned in the trillions of dollars, with most organisations being slow to understand the scale of the risk involved.
While malicious hackers have become increasingly ingenious is finding ways to penetrate organisations’ IT defences, the majority of companies don’t appreciate the mounting level of risk they face. Firms now hold a growing proportion of their capital in the form of information stored on their IT systems. In the hands of a malicious hacker, customer records, business records and financial records can be used to steal intellectual property, cash or access to client or partner companies’ databases.
“A major problem is that many companies do not fully comprehend the value of the data they hold on their servers,” says Stuart Poole-Robb, chief executive and founder of KCS Group, one of the world’s leading strategic intelligence, risk and security management companies. “An organisation such as a power supplier may have client details and access codes for anything from a power station to a military installation.”
Malicious intent
Most companies have also been slow to grasp the level of risk involved when opening up their communications systems to other organisations. It is now commonplace to allow other organisations access to parts of a company’s IT system in order to streamline the supply chain and improve customer services. In addition, when exploring potential partnership or merger deals, it has become standard practice in most industries to allow other bodies easy access to a large part of an organisation’s IT system.
Malicious hackers can use these opportunities to breach a company’s IT defences. There are also a growing number of cases of rival organisations using exploratory talks to gain access to privileged information such as vital industry intelligence or confidential customer records.
In the case of international merger deals, there is a very real and pressing need to understand the cultural, social and commercial dynamics inherent within the market in order to assess the security risks in commercial environments where businesses often routinely play by a different set of rules than those in the UK or the US.
Often those breaches that occur under these or similar circumstances are carried out without the host company’s knowledge and can go undetected for months or even years. Meanwhile, rivals or industrial spies willing to sell information for cash can continue to siphon off intellectual capital until the breach is eventually spotted.
According to KCS, one financial organisation suffered serious internal leaks following the departure of a key manager in China. On leaving, the disaffected employee used current employees to feed him inside information on the client’s strategy and future plans, which was then sold to a competitor.
“You may have the most secure of IT set-ups, but this could be disrupted by your suppliers and clients,” says Poole-Robb. “More and more digital information is shared with partners, and if the third party’s security is found to be lacking, this can impact the integrity of your organisation’s IT security.”
The objectives of an ethical hacking exercise, which must be carried out by an independent third party, are to identify any vulnerability that could be exploited externally or internally by a malicious hacker, in websites, software applications, hardware, mobile devices or people.
The most common type of ‘penetration testing’ – the industry term for ethical hacking – is known as a ‘black box’ exercise. This typically involves ‘outside the building’ testing of all IT systems connected to the internet.
Some companies, however, compromise by commissioning a ‘white box’ exercise.
In this type of penetration test, the tester is pre-armed with knowledge of the client company’s network, servers and security policy and usually tests only selected elements of its security defences. This type of testing is acknowledged to be inferior to the more thorough ‘black box’ process.
In most cases, penetration testing is an external exercise, with the tester adopting the mindset of a malicious external hacker in an effort to breach IT defences.
But according to KCS, four out of five illegal cyber hacks are carried out internally. Those companies that do not wish to haemorrhage cash and intellectual property should therefore also commission internal tests. These focus on what internal staff can do and see with their own IT network.
Revealing information
However secure a system may appear on paper, people are the weakest link in IT security. Sometimes staff can be bribed to reveal access codes to malicious hackers or business rivals. But often staff may unwittingly jeopardise their company’s security by revealing information in person to strangers or business associates, or may simply be careless when it comes to using unsecured personal devices such as smartphones to access sensitive areas of the corporate network.
“Without proper access controls, colleagues may deliberately or unwittingly jeopardise the confidentiality and integrity of the data,” says Poole-Robb.
As well as taking full account of an organisation’s external and internal IT security, a fully effective penetration test should focus on an organisation’s supply chain. Companies with the most secure IT networks can still be compromised by suppliers and clients with access to their systems.
“Cyber risk is a giant iceberg, with the most dangerous parts of it hidden by waves of misconception, arrogance, ignorance, and naivety,” adds Poole-Robb. “The identification and evaluation of the hidden dangers can provide the decision maker with access to all the risks, weaknesses and threats to enable realistic assessment and informed planning.”
Once a penetration test has been completed and any security weaknesses identified, it is important that the report be presented in a way that is not overly technical. It must be easily understood by senior executives such as the chief executive and chief financial officer, whose background may not be in IT.
A thoroughly executed penetration test will, however, provide a company with detailed knowledge of the level of risk it faces with regard to cyber security. The company undergoing the tests can then set about plugging the holes in its security defences.
A penetration test that reveals security weaknesses is likely to pay for itself many times over, reducing ICT costs in the long term and shielding the company from the kind of dramatic losses often associated with compromised financial data or mission-critical business intelligence.
But even after penetration testing has been successfully accomplished and the results effectively acted on, no organisation is free to rest on its laurels.
As each test is only a snapshot in time, and cyber criminals are constantly developing new tools and strategies for malicious hacking, regular testing is needed to safeguard crucial data and business intelligence. SR
Obstacles exist around confidentiality and need to be addressed
It is important to define what ethical hacking should focus on and, more importantly, outline why and to what extent a corporation is engaging a third-party vendor.
An IT professional hacking the network in an agreed, controlled and secured way is useful if vulnerabilities can be exposed. Otherwise, the outcome could be useless or even worse if it fails to be related back to the business.
Ultimately, it important to understand that the point of the exercise is to protect a company’s intangible assets. In that regard, the awareness and perceived value of intangible assets protection (data, content, brand, reputation, IP etc) is growing. This is particularly the case because insurance can be an asset and not only a commodity for this risk class.
Various risk stakeholders have an opportunity to work together, which can help to incentivise and raise awareness of the corporation’s specific weaknesses, but this is not good enough if it solely demonstrates weaknesses.
In order to make this approach
really valuable for corporations, it is vital to come from a vulnerability stress-testing approach, apply an out-of-the-box mindset and demonstrate how such security holes (vulnerabilities) can be identified, quantified and addressed.
Ethical hacking includes stress testing, which needs to be done with a security mindset − not mere numbers. Corporations cannot afford to put critical operations systems in jeopardy; they have to compensate and review the next step, having identified business vulnerabilities.
The next step should be solutions that help to mitigate, correct or transfer the potential effect in a cost-effective way. If the underlying issue is not resolved or there is a misunderstanding as to how it relates to where the weaknesses and vulnerabilities are, then the exercise is a waste of money.
On the other hand, closing every vulnerability might not be the best solution either. Some holes are essential to work with third-party infrastructure.
At the moment, the perception of the risk and security holes at various levels of the corporation, as far as hacking or intangible asset risks are concerned, can be hugely different and it depends on what level is involved and how it is executed.
One method of making people more aware about where the risk lies, is to look at the issue from a controlled, disciplined and security mindset, and this is when ethical hacking is an essential part of everyday life for some firms.
In my opinion, success is based on a clear agreed project scope, a common understanding of the tested areas and decision and authority support.
Ethical hacking provides the details of potential attacks and enables companies to test their software and hardware to mitigate or prevent such malicious attacks, as long as it is being used in terms of vulnerability management.
If undertaking ethical hacking, it is still possible to come the conclusion that some vulnerabilities cannot or should not be rectified, whether for technical, financial, operational reasons or risk transfer restrictions.
Peter Hacker, chief executive, global communications, technology, media practice, JLT Specialty Ltd
No comments yet