The ethical side of hacking - is your hire trustworthy?

Hiring professional ethical hackers can prevent zero-day attacks by finding vulnerabilities, Exabeam's Matt Rider explores the ethical side of hacking.

Research shows that over 42% of cyberattacks in 2021 were zero-day exploits taking advantage of vulnerabilities not picked up by traditional penetration tests. It is vulnerabilities like these that can be spotted by a so-called white hat hacker. However, the term ‘hacker’ has numerous - oftennegative - connotations; businesses considering this route may be unsure of how to find one who can be trusted.

Credentials are key
The best starting point is with credentials: the most widely accepted qualification is a Certified Ethical Hacker (CEH) certification issued by The International Council of Electronic Commerce Consultants (EC-Council). In addition, as with any role, previous work experience is an excellent indicator of someone’s skills and work ethic. It’s good practice to check out their previous employers and ask for case studies of previous work they have done, particularly as it relates to your own security priorities.

Research your hacker’s past
One of the most contentious issues within the world of ethical hacking is hiring someone with a criminal history. Individual attitudes will vary – as will those of each company. You might place great value on someone whose track record demonstrates consistent good intentions, which is incompatible with someone with a criminal record.  On the other hand, government agencies and large corporates have the power, money and resources to cover losses and take legal action against any perpetrators, whereas smaller agencies do not. I would encourage any businesses considering hiring a penetration tester with a questionable past to consider what they can afford to lose should the worst happen.

Set a clear brief
Once you have found a trusted, certified hacker, it is time to set the brief. Remember, always be specific with clearly defined objectives and identified blind spots. Your security team, for example, might have valid concerns about senior staff logging in via public WiFi networks, this then forms the basis of the brief. Remember also to make the desired outcome equally clear, whether that is trying to gain access to a specific core business application or the retrieval of sensitive data.

Beware red lines 
Although your ethical hacker will be accessing critical systems, it is important that it doesn’t disrupt day-to-day operations or threaten business continuity – unless that is a specific request. Therefore, avoid methods that might involve data loss or downtime. For example, brute force attacks which consist of submitting hundreds of potential passwords can easily lead to system failure. Some companies will have a legitimate interest in whether they can survive a DDOS attack but, as a general rule, penetration tests should never compromise the business. Another red line concerns data protection. Customer information should always be closely guarded. If you are looking to test data security, a hacker should be asked to demonstrate that they can access the files in question without exfiltrating any information. Legal documents should also be off-limits during tests.

Establish clear deadlines 
Establishing a time frame is an essential constraint for any penetration test - usually, this is set at a week. If you give a hacker unlimited resources and time, they will almost certainly be able to infiltrate your systems eventually. However, for malicious actors, time is very much money, so if your network takes longer than a week to break into, the vast majority of opportunistic cybercriminals will give up. If your ethical hacker can’t break in within one week, you’re in good standing.

Record the results effectively
When it comes to recording the results, the simplest methods are best. Screenshots taken throughout the test, which demonstrate the results, such as proof of infiltration, are very effective. However, ethical hackers and their internal sponsors do need to be tactful when delivering results. IT teams pride themselves on their ability to safeguard their company’s data so demonstrating holes and vulnerabilities in their security protocols can be emotive and provocative. Remember to soften the blow and highlight any positives. 

If you take all these factors into account, you’ll be able to identify and brief an ethical hacker to tackle any security vulnerabilities. Good luck!


Featured Articles

Why CISOs Remain Crucial in the Age of Rampant Ransomware

As ransomware attacks escalate, the CISO has emerged as an indispensable guardian for the cybersecurity of companies

Q&A: Protiviti's Sameer Ansari on CISOs' Growing Challenges

Managing Director - Global Cybersecurity and Privacy Lead at Protiviti, Sameer Ansari discusses his views on the growing challenges CISOs now face

How Partnerships Proved Pivotal for UnitedHealth After Hack

When hackers hit UnitedHealth subsidiary Change Healthcare with a huge cyber attack, its partnership with Vyne Dental proved pivotal in managing fallout.

Transforming Cybersecurity: IBM & Palo Alto's AI Integration

Technology & AI

C-suite Indifference to Cyber Could Cost Business £145k

Operational Security

Why Avast Warn of Social Engineering in Cybersecurity

Operational Security