The ethical side of hacking - is your hire trustworthy?

Hiring professional ethical hackers can prevent zero-day attacks by finding vulnerabilities, Exabeam's Matt Rider explores the ethical side of hacking.

Research shows that over 42% of cyberattacks in 2021 were zero-day exploits, taking advantage of vulnerabilities that traditional penetration tests had not picked up. Previously unknown vulnerabilities like these are exactly what a skilled, so-called white hat hacker can find before an attacker does. However, the term ‘hacker’ has numerous, often negative, connotations, and businesses considering this route may be unsure of how to find one who can be trusted.

Credentials are key
The best starting point is with credentials. One of the most widely recognised qualifications is the Certified Ethical Hacker (CEH) certification issued by the International Council of E-Commerce Consultants (EC-Council); hands-on certifications such as OffSec’s OSCP, and CREST-certified testers in the UK, carry weight with practitioners too. In addition, as with any role, previous work experience is an excellent indicator of someone’s skills and work ethic. It is good practice to check out their previous employers and ask for case studies of previous work they have done, particularly as it relates to your own security priorities.

Research your hacker’s past
One of the most contentious issues within the world of ethical hacking is hiring someone with a criminal history. Individual attitudes will vary, as will those of each company. You might place great value on someone whose track record demonstrates consistent good intentions, which rules out a candidate with a criminal record. On the other hand, government agencies and large corporates have the power, money and resources to cover losses and take legal action against any perpetrators, whereas smaller organisations do not. I would encourage any business considering hiring a penetration tester with a questionable past to consider what it can afford to lose should the worst happen.

Set a clear brief
Once you have found a trusted, certified hacker, it is time to set the brief. Always be specific, with clearly defined objectives and identified blind spots. Your security team, for example, might have valid concerns about senior staff logging in via public WiFi networks; that concern then forms the basis of the brief. Make the desired outcome equally clear, whether that is gaining access to a specific core business application or retrieving sensitive data. Put the agreed scope, target systems and dates in writing, signed by someone with the authority to permit the testing: a test without documented authorisation is indistinguishable from an attack, is unlawful in most jurisdictions, and leaves both parties exposed.

Beware red lines 
Although your ethical hacker will be accessing critical systems, the engagement must not disrupt day-to-day operations or threaten business continuity, unless that is a specific request. Therefore, avoid methods that might involve data loss or downtime. Brute force attacks, for example, which submit hundreds or thousands of password guesses against an account, are unlikely to crash a system by themselves, but they readily trip account lockout policies and lock legitimate users out, and they flood logs and alert queues; if credential guessing is in scope, the tester needs to know the lockout threshold and observation window and stay below them. Some companies will have a legitimate interest in whether they can survive a DDoS attack but, as a general rule, penetration tests should never compromise the business. Another red line concerns data protection. Customer information should always be closely guarded. If you are looking to test data security, the hacker should be asked to demonstrate that they can reach the files in question without exfiltrating their contents, for example by recording file names, sizes and checksums rather than copying the data out. Legal documents should also be off-limits during tests.
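The lockout point above is the one most often got wrong in practice, so here is the check a tester makes before any credential guessing, as an added example that is not code from the article or from Exabeam: read the target’s documented lockout policy, plan guesses so that no account ever reaches the threshold inside one observation window, and confirm the plan against a simulated directory before touching the real one. The policy values, account names, password list and the MockDirectory class are all constructed for illustration.

```python
"""Lockout-aware password-spray scheduling (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int             # failed logins that trigger a lockout
    observation_window: float  # seconds over which failures are counted
    safety_margin: int = 1     # stay this many attempts under the threshold
    slack: float = 60.0        # extra seconds between windows for clock skew

    @property
    def attempts_per_window(self) -> int:
        return max(0, self.threshold - self.safety_margin)


def plan_spray(accounts, passwords, policy):
    """Return (offset_seconds, account, password) tuples that never exceed
    attempts_per_window for any account inside one observation window."""
    per_window = policy.attempts_per_window
    if per_window == 0:
        raise ValueError("policy leaves no safe attempts; do not spray")
    schedule = []
    for i, password in enumerate(passwords):
        # guesses 0..per_window-1 go in window 0, the next batch in window 1, ...
        offset = (i // per_window) * (policy.observation_window + policy.slack)
        for account in accounts:
            schedule.append((offset, account, password))
    return schedule


def lockout_violation(schedule, policy):
    """Sliding-window check: return the first account a schedule would lock
    out (threshold attempts inside one window), or None if it is safe."""
    times = defaultdict(list)
    for offset, account, _ in schedule:
        times[account].append(offset)
    for account, ts in sorted(times.items()):
        ts.sort()
        for i in range(len(ts)):
            j = i
            while j < len(ts) and ts[j] - ts[i] < policy.observation_window:
                j += 1
            if j - i >= policy.threshold:
                return account
    return None


class MockDirectory:
    """Constructed identity provider enforcing the lockout policy; stands in
    for the real target so the example runs offline."""

    def __init__(self, policy, credentials):
        self.policy = policy
        self.credentials = credentials      # {account: valid password}
        self.failures = defaultdict(list)   # {account: [failure timestamps]}
        self.locked = set()

    def login(self, now, account, password):
        if account in self.locked:
            return "locked"
        if self.credentials.get(account) == password:
            return "ok"
        recent = [t for t in self.failures[account]
                  if now - t < self.policy.observation_window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.policy.threshold:
            self.locked.add(account)
            return "locked"
        return "fail"


def run_spray(schedule, directory):
    """Replay a schedule against a directory, stopping per account on success.
    Returns ({account: password found or None}, set of locked accounts)."""
    found = {}
    for offset, account, password in sorted(schedule):
        if account in found:
            continue
        if directory.login(offset, account, password) == "ok":
            found[account] = password
    for _, account, _ in schedule:
        found.setdefault(account, None)
    return found, set(directory.locked)


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, observation_window=1800)
    accounts = ["alice", "bob"]
    passwords = ["Spring2023!", "Summer2023!", "Autumn2023!",
                 "Winter2023!", "Password1", "Welcome1"]
    schedule = plan_spray(accounts, passwords, policy)
    print("violation:", lockout_violation(schedule, policy))
    print(run_spray(schedule, MockDirectory(policy, {"alice": "Password1"})))
```

With a threshold of five failures per 30 minutes, the planner makes four guesses per account, waits out the window plus slack, then continues; the simulated directory confirms nobody is locked out. Real lockout counters are not always documented accurately, so a tester would also verify the policy on a throwaway test account before running the plan against live users.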

Establish clear deadlines 
Establishing a time frame is an essential constraint for any penetration test; a week is a common allocation. If you give a hacker unlimited resources and time, they will almost certainly be able to infiltrate your systems eventually. For malicious actors, however, time is very much money, so if your network takes longer than a week to break into, the vast majority of opportunistic cybercriminals will move on to an easier target. If your ethical hacker can’t break in within the allotted week, you are in good standing against that class of attacker; it says less about a determined, well-funded adversary willing to spend months on you specifically, so a tester who runs out of time should still report what was found and which avenues were still being explored.

Record the results effectively
When it comes to recording the results, the simplest methods are best. Screenshots taken throughout the test, which demonstrate the results, such as proof of infiltration, are very effective; each finding should also come with the steps to reproduce it, an assessment of its severity and a recommended fix, so the internal team can act on it without the tester present. However, ethical hackers and their internal sponsors do need to be tactful when delivering results. IT teams pride themselves on their ability to safeguard their company’s data, so demonstrating holes and vulnerabilities in their security protocols can be emotive and provocative. Remember to soften the blow and highlight any positives.
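The data-protection red line and the evidence paragraph above meet in one practical question: how does a tester prove they reached a customer file without carrying its contents out of the environment? One answer, as an added example that is not code from the article or from Exabeam, is to record a fingerprint of the file (size, SHA-256, record count) plus a preview with identifying values masked, and let the internal sponsor recompute the fingerprint on the live file afterwards. The sample CSV, the masking patterns and the function names are constructed for illustration.

```python
"""Proof of access without exfiltration (added example, constructed data)."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Values masked in the preview: e-mail addresses and runs of four or more
# digits (card, account and phone numbers). Constructed for the example.
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
_DIGITS = re.compile(r"\d{4,}")

# Constructed stand-in for the kind of customer export a test might target.
SAMPLE_CSV = (b"customer_id,email,card_number\n"
              b"1001,jane.doe@example.com,4111111111111111\n"
              b"1002,sam@example.org,5500000000000004\n")


def redact(line: str) -> str:
    """Replace identifying values with placeholders that keep only the shape."""
    line = _EMAIL.sub("<email>", line)
    return _DIGITS.sub(lambda m: "<%d digits>" % len(m.group()), line)


def fingerprint_bytes(data: bytes, name: str, preview_lines: int = 2) -> dict:
    """Evidence record for a file's contents; the contents themselves are not kept."""
    lines = data.decode("utf-8", errors="replace").splitlines()
    return {
        "path": name,
        "size_bytes": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "line_count": len(lines),
        "redacted_preview": [redact(line) for line in lines[:preview_lines]],
    }


def fingerprint(path, preview_lines: int = 2) -> dict:
    """Tester side: read the target file once and emit only the evidence record."""
    return fingerprint_bytes(Path(path).read_bytes(), str(path), preview_lines)


def verify_bytes(record: dict, data: bytes) -> bool:
    """Does this data match the size and hash the tester recorded?"""
    return (len(data) == record["size_bytes"]
            and hashlib.sha256(data).hexdigest() == record["sha256"])


def verify(record: dict, path) -> bool:
    """Sponsor side: recompute on the live file to confirm the tester read it."""
    return verify_bytes(record, Path(path).read_bytes())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "customers.csv"
        target.write_bytes(SAMPLE_CSV)
        record = fingerprint(target)
        print(json.dumps(record, indent=2))
        print("sponsor verification:", verify(record, target))
```

The record proves read access as strongly as a copy of the file would, because only someone who read every byte can produce the matching SHA-256, yet nothing in it lets the tester reconstruct a customer row. The preview still reveals column names and row shape, which is usually acceptable; if even that is too much for a given file, drop the preview and keep only the hash and counts.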

If you take all these factors into account, you’ll be able to identify and brief an ethical hacker to tackle any security vulnerabilities. Good luck!
