This article is featured in the magazine Preventing a Cyberattack: A Guide to Cyber Readiness.
By Dr. Kenneth Williams, Executive Director, APUS Center for Cyber Defense (CCD)
Why would an organization hire hackers to try to infiltrate its systems? Despite the risks involved, an increasing number of organizations are turning to white-hat hackers, also known as ethical hackers, to test their vulnerability to cyberattacks. Provided an organization understands and has prepared for the risks, hiring a hacking service can deliver expert insight into how that organization can effectively enhance the protection of its network and systems.
Just as doctors are experts in the medical profession, hackers are considered experts in the field of cybersecurity, or more precisely, in methods of cyber intrusion. Hackers know how to infiltrate a network and gain access to an organization’s valuable data. Ethical hackers understand the methods of a malicious hacker, but are motivated to help organizations identify and secure vulnerabilities rather than exploit them.
The Hacker Hierarchy
As most computer users are aware, some hackers are malicious and untrustworthy. One noteworthy example of a hacker who transitioned from “bad to good” is Kevin Mitnick. Mitnick is a notorious U.S. hacker who spent time in jail for hacking into 40 major corporations, but he is now considered one of the most knowledgeable gray-hat hackers in the nation and has been hired by many organizations to help detect vulnerabilities.
- Script Kiddies – Script kiddies sit at the lowest level of the hacker hierarchy. They typically run tools and exploit scripts written by others rather than developing their own, and they are usually young, tech-savvy individuals who are more interested in exploring the Darknet and testing their own capabilities than in performing targeted attacks. Script kiddies often stumble on vulnerabilities by playing around with technology. Once they find valuable or private information, such as a celebrity's password, they will often continue until they are caught or their access is cut off.
- White-Hat Hackers – White-hat hackers (also known as ethical hackers) are more skilled than script kiddies and usually more respected. Individuals in this category earn the trust of the public more easily than other hackers because they have no previous involvement in illicit activities. Ethical hackers are focused on using their skills to benefit society rather than causing harm.
- Gray-Hat Hackers – Gray-hat hackers, like Kevin Mitnick, are reformed “bad” hackers who have previously engaged in unauthorized hacking attempts. These hackers once worked on the “dark side” with the intent to harm users through illicit activities, but often due to life-changing events, they now apply their skills to help users and organizations find vulnerabilities in their systems and protect against cyberattacks.
- Black-Hat Hackers – Black-hat hackers deliberately break the law. This group includes hackers who conduct disruptive activities against businesses, usually for financial gain. They use their skills for personal benefit, and their agenda is criminal or closely aligned with that of criminals.
- Suicide Hackers – Suicide hackers are often associated with terrorist or vigilante groups. One such group is Anonymous, a decentralized international collective noted for its attacks against governments and well-known public corporations. This category of hackers assumes an anti-establishment stance with causes that include political, terrorist, or other disruptive activities.
Is Hiring a Hacker Necessary?
Organizational leaders place a lot of trust and confidence in the abilities of their IT department. These departments are full of competent and hard-working individuals dedicated to protecting a company’s systems, so why would leadership feel the need to bring in an outside party?
While IT professionals are often highly skilled at designing and implementing security measures, hackers possess the ability to think outside the box and bypass those security measures. The methods they use may not be on the radar of formally trained IT professionals. Hiring ethical hackers, who share the same natural curiosity and mindset as malicious hackers, can help an organization “test” its network security ahead of a real cyberattack.
This approach, done with the support of the IT department, helps identify vulnerabilities and verify security measures of devices and systems. The information gained can help the IT department enhance its protections.
It’s important that organizational leaders explain that hiring an ethical hacking service is not a test of the capabilities of the IT department, but rather an additional measure to help build the most secure infrastructure possible.
Vetting a Hacker or a Hacking Service
One of the initial hurdles when considering whether to hire an ethical hacking service is, first and foremost, whether the hackers can be trusted. These individuals will be tasked with identifying a system's vulnerabilities, which could give them access to highly valuable and sensitive information. This risk must be properly evaluated and the hackers carefully vetted. To assess and select a hacking service, an organization should consider the following:
- The needs of the organization
Is the goal to identify unknown vulnerabilities in the system? Is it to test the cyber readiness of employees? Or is the goal to verify the robustness of the organizational network? Clearly stating the goals and purpose of hiring a hacking service will help determine what skills and services are needed.
- Conducting an organization-wide inventory assessment
As part of the preparation process, conduct a thorough inventory of your organizational assets. An organizational inventory assessment identifies all the networked devices within the system, as well as valuable information stored in its systems. This list will help determine what risks (vulnerabilities) are associated with each asset and what devices should be tested by the hackers.
- Vetting and reference checks
During this phase, it’s important for an organization to consult with a human resources specialist to ensure proper vetting of the selected individual(s) or service. At a minimum, this process should include a thorough and robust background check, multiple character reference verifications, and past customer recommendations.
- Assessing the skills and proficiencies of hackers
As part of the vetting process, organizational leaders should verify the capabilities and skills of candidates to ensure they possess the technical and physical control skills needed to assess the organization’s systems. Technical controls include knowledge of software and hardware devices, such as firewalls and intrusion prevention systems (IPS). The candidates must understand physical control systems that prevent physical entry to buildings. They must also understand the organization’s policies and procedures involving these systems, so they can make recommendations to modify and bolster them.
- Legal considerations
It’s also important to involve the organization’s legal team in the selection and vetting process. Before any testing begins, the scope, permitted techniques, testing windows and points of contact should be set out in a written, signed authorization (often called the rules of engagement); testing performed without documented authorization is indistinguishable from an attack. Personnel performing the ethical hacking process are agents of the corporation, which is liable for any damage that may occur to its systems or to outside parties. Monitoring the actions of ethical hackers helps limit damage to property and reduces liability. Organizations remain responsible for the actions of any entity representing them; this responsibility cannot be delegated and is part of due diligence. Therefore, it is important that organizations thoroughly understand the liabilities associated with the actions of an ethical hacking service.
Expected Outcomes from a Hacking Service
What can an organization expect to gain from using an ethical hacking service to discover vulnerabilities? The short answer is peace of mind.
Using a hacking service may reveal evidence that someone has already gained improper access to the organization's computers or network. It may also show that software has not been updated with the latest security patches or is no longer supported by its supplier.
The hacking service can also expose insider threats and weaknesses. Whether intentionally or otherwise, employees often expose blind spots within the organization through their daily interactions. An assessment that includes social engineering or a review of employee and partner access can uncover behaviors that put the organization at risk.
One example of the risk posed by third-party vendors is the massive 2013 data breach of Target, in which attackers used network credentials stolen from a third-party vendor to gain access and compromise more than 40 million customers’ credit and debit cards. Target later paid $18.5 million in a 2017 settlement with U.S. state attorneys general, on top of its other breach-related costs. Had Target completed a comprehensive vulnerability assessment, including a review of vendor access, and accepted the security recommendations, such a data breach would have been significantly less likely.
The strategic decision to employ an ethical hacking service can be extremely beneficial for an organization, resulting in increased awareness of unknown vulnerabilities and the implementation of stronger security measures and network protections.
About the Author: Kenneth Williams, Ph.D., is the Executive Director, APUS Center for Cyber Defense (CCD). He holds a doctoral degree in cybersecurity and a master’s degree in information security/assurance from Capella University. In addition, Dr. Williams is a Certified Information Systems Security Professional (CISSP) and holds CompTIA certifications including Security+. He has also held positions such as President/Chief Information Officer for Thelka Professional Associates; Adjunct Professor for Northern Virginia Community College, DeVry University and Sullivan University; IT Specialist/Cybersecurity Compliance Auditor for the U.S. Army Inspector General; Information System Security/VOIP Engineer and Contract Lead for the U.S. Army’s CECOM; and Information System Security Engineer and Technical Manager/Chief Information Officer for Onyma, Inc. He is an Army veteran with more than 24 years of active service. To contact the author, please email IPSauthor@apus.edu.