Ethical hacking: What, why, and overcoming concerns
We find out why and how hitting your own business with a cyber attack can help improve security
According to internet service provider (ISP) Beaming, 2020 was the busiest year on record for cyber attacks against UK firms, which is no surprise, given that reliance on technology increases every year.
Given the increase in number and variety of attacks, one would hope businesses are ready to defend themselves. Unfortunately, that is not the case. Recent research by the Scottish Business Resilience Centre found that 38% of Scottish businesses do not feel prepared for a cyber attack.
It’s therefore more critical than ever for businesses to strengthen their cyber defences to stay ahead of cyber criminals – but they clearly need help. Enter: ethical hackers, or offensive security testers and researchers.
Understanding ethical hacking
The best way to check that your business can withstand a cyber attack is to attack it yourself. This way, should there be any vulnerabilities in your defences, you are not at risk of exposing sensitive data to a real adversary.
Ethical hackers, sometimes called white hat hackers, are typically information security experts granted permission to break into a business system to uncover security vulnerabilities. In doing so, they can demonstrate to the business how to prevent criminals from obtaining access. Ethical hacking can also involve testing employees’ responses to an attempted attack. Businesses are increasingly realising the benefits of this, and turning to ethical hackers to test and strengthen their cyber resilience.
Following an ethical hack, in-house security experts can identify and help resolve any vulnerabilities, including providing staff education where necessary.
Finding and trusting hackers
Ethical hacking requires a level of trust between the hacker and the organisation – specifically, the organisation must trust that the hacker is experienced, well-trained and has no malicious intent. While it’s still a relatively new job function – no licensing is involved – there are now certifications that ensure the hacker understands both the technology and the ethical responsibilities.
The EC-Council and the SANS Institute both offer degrees and certifications around ethical hacking, and Abertay University in Scotland is home to the world’s first ethical hacking degree, training the next generation of white hat experts.
Regardless of certification, the onus is on the hiring organisation to ensure the hacker’s reliability. Working with a trusted security provider rather than an independent hacker is one way of going about this, particularly as many providers will screen their hackers’ criminal records to help ensure legitimacy.
It may feel strange inviting someone to poke around your systems, especially as some of the most famous ethical hackers got their start as cyber criminals. One such person is Kevin Mitnick, who previously sat on the FBI’s Most Wanted Fugitives list and now runs a computer security consulting firm.
It’s important to remember the origins of the word “hacking”. The term first appeared in this context in the 1960s. Then, it referred to applying creative engineering techniques to hack machinery to make it more efficient, and so had positive connotations and was a skill to be admired.
Ethical hacking, in a way, is about taking hackers back to these origins, to help organisations by highlighting vulnerabilities and closing any gaps in security.
As odd as it may feel encouraging people to expose and access private data, hackers are effectively like any other employee. They are contracted and can be required to sign a non-disclosure agreement if there are any concerns about the information they uncover.
Building secure defences
Despite this, given the wide-ranging types of cyber attacks, it’s not enough to rely solely on ethical hackers for security. The best ethical hackers in the world can’t prevent an employee from accidentally emailing sensitive data to the wrong person, or clicking on a rogue link. However, ethical hackers will help an organisation find holes in their security and can advise how to change internal processes to tighten things up.
There are myriad internal processes to help increase security, ranging from requiring good password practices and keeping devices updated, to training staff to identify suspicious emails. These can be summed up as ensuring all employees recognise that security is not just the responsibility of the IT team, and that they have a role to play in building defences, too.
With cyber crime on the rise, it is vital for businesses to use every tactic they can to build their defences. Ethical hacking is the best way to put your security to the test without risk and, as such, should be a key part of every business’s cyber security arsenal.
As head of ethical hacking at the Scottish Business Resilience Centre (SBRC), Declan Doyle is responsible for managing ethical hacking students and aiding the cyber team in delivering the full range of cyber services and support offered by the organisation. He is a graduate of Abertay University’s white hat course.