In the world of cybersecurity, it pays to be paranoid. If black hat hackers are out to get you, then getting some white hat hackers on your side might help to rebalance things in your favour. Ethical hackers are security experts that hack for good, finding weaknesses in a company’s systems so that it can fix them before the bad guys arrive. Here is a guide to the ethical hacking landscape and some strategic tips to creating a solid security testing initiative.
Penetration testing (pen testing) is the most commonly understood kind of ethical hacking initiative for companies. In this model, an organization hires a single hacker or a small group to test its security. The pen tester tries to find as many vulnerabilities in an organization as possible and goes further by attempting to exploit them and reporting on the results. The best pen tests don’t limit their scope, instead letting the ethical hacker think outside the box and explore different avenues of attack. After all, if real attackers won’t limit themselves to predefined rules, why should hired ones?
100 heads are better than one
Recently, crowdsourcing has led to a variation on the pen testing theme. Some organizations are supplementing pen testers with bug bounties or replacing them altogether. In this model, a company will issue an open invitation to a large group of people to find holes in its systems. Often launched with the help of crowdsourcing ethical hacker groups like HackerOne or BugCrowd, these bring the benefit of the crowd to bear.
The US Department of Defense has run several of these campaigns, including a Hack the Army competition that generated thousands of dollars in rewards for ethical hackers. Rather than free-for-alls, these events were invitation-only affairs that strictly controlled the parameters by which well-meaning hackers operate. Nevertheless, the DoD discovered and fixed well over 100 bugs.
Red, blue and purple
Beyond pen testing lies red teaming. Rather than just searching for and proving as many vulnerabilities as possible, a red team tests a company’s ability to respond to an attack by launching an assault on its systems. It will have specific goals such as extracting specific information from a company, and its adversary will be a defensive team, known as the blue team, that tries to stop it.
Red/blue teaming is a technique for more advanced organisations that have already identified most of the gaps in their physical and digital infrastructure and taken steps to remediate them. It would be an initiative for those that have already hired pen testers and now want to take things to the next level.
Recently, experts have suggested a new, less adversarial concept: purple teaming. They worry that if companies create incentives for red and blue teams to ‘win’ at these war games, they may end up refusing to share information that could help to plug security holes.
Rather than pitting red and blue teams against each other and rewarding the outcome, experts suggest that companies can benefit more by creating collaborative teams. Instead of directly competing, they would share information more readily, creating pauses in the games where they could come together and discuss what has been happening and how defenses could improve.
Look for certification. Ethical hackers should be appropriately certified. There are several reputable schemes, including the National Cyber Security Centre (NCSC) CHECK, the EC-Council’s CEH, and CREST.
Cover all elements of the stack. Attackers don’t focus on just one thing, and neither should an ethical hacker. Be sure to include infrastructure and applications in your ethical hacking initiative but go further and look at physical security and social engineering attacks.
Define goals. While ethical hackers can explore many vulnerabilities, you can refine the initiative by giving them specific goals such as gaining access to a specific server or account. Combined with a thorough risk analysis to identify your most valuable assets, this can help test the security surrounding your most critical resources.
Close the circle. Security advice is like medical advice: only useful when followed. Any ethical hacking exercise should generate a thorough report that highlights critical weaknesses in a company’s defenses. The company should use those findings to plug its security holes and to update its incident response policy. This means allocating the budget and resources to deal with issues rather than leaving the report on the shelf.
Avoid blame culture. Taking action doesn’t mean disciplining people. The most valuable employees are those who have learned from their mistakes. When ethical hackers identify weaknesses in your security attributable to specific employees, don’t punish those responsible. Use it as a training exercise to enhance their capabilities. Consider positive incentives for better behaviour and processes that promote security among your staff.
Wash, rinse, repeat. Organizations are constantly evolving. Business conditions, internal systems and staff members change. Repeat ethical hacking initiatives regularly to ensure that new security weaknesses are not emerging. Apply ethical hacking tests to preproduction systems by creating test environments. This will help you to get ahead of the game and secure systems before they go live.
By taking a strategic approach to security testing, you can go beyond mere vulnerability scanning and auditing, benefitting from human ingenuity that measures your security under real-world conditions. In a world that sees more embarrassing data breaches daily, the results from a well-engineered ethical hacking project will be invaluable.