It might sound like a contradiction in terms, but ethical hacking is a crucial weapon in the fight against cyber crime

Put simply, ethical hacking involves external testing of an organisation’s cyber security to identify any vulnerability that could be exploited maliciously, either by industry competitors, state actors or organised crime. Globally, losses from cyber theft are reckoned in the trillions of dollars, with most organisations being slow to understand the scale of the risk involved.

While malicious hackers have become increasingly ingenious in finding ways to penetrate organisations’ IT defences, the majority of companies don’t appreciate the mounting level of risk they face. Firms now hold a growing proportion of their capital in the form of information stored on their IT systems. In the hands of a malicious hacker, customer records, business records and financial records can be used to steal intellectual property, cash or access to client or partner companies’ databases.

“A major problem is that many companies do not fully comprehend the value of the data they hold on their servers,” says Stuart Poole-Robb, chief executive and founder of KCS Group, one of the world’s leading strategic intelligence, risk and security management companies. “An organisation such as a power supplier may have client details and access codes for anything from a power station to a military installation.” 

Malicious intent

Most companies have also been slow to grasp the level of risk involved when opening up their communications systems to other organisations. It is now commonplace to allow other organisations access to parts of a company’s IT system in order to streamline the supply chain and improve customer services. In addition, when exploring potential partnership or merger deals, it has become standard practice in most industries to allow other bodies easy access to a large part of an organisation’s IT system.

Malicious hackers can use these opportunities to breach a company’s IT defences. There are also a growing number of cases of rival organisations using exploratory talks to gain access to privileged information such as vital industry intelligence or confidential customer records. 

In the case of international merger deals, there is a very real and pressing need to understand the cultural, social and commercial dynamics inherent within the market in order to assess the security risks in commercial environments where businesses often routinely play by a different set of rules than those in the UK or the US.

Often those breaches that occur under these or similar circumstances are carried out without the host company’s knowledge and can go undetected for months or even years. Meanwhile, rivals or industrial spies willing to sell information for cash can continue to siphon off intellectual capital until the breach is eventually spotted.

According to KCS, one financial organisation suffered serious internal leaks following the departure of a key manager in China. On leaving, the disaffected employee used current employees to feed him inside information on the client’s strategy and future plans, which was then sold to a competitor.

“You may have the most secure of IT set-ups, but this could be disrupted by your suppliers and clients,” says Poole-Robb. “More and more digital information is shared with partners, and if the third party’s security is found to be lacking, this can impact the integrity of your organisation’s IT security.”

The objectives of an ethical hacking exercise, which must be carried out by an independent third party, are to identify any vulnerability that could be exploited externally or internally by a malicious hacker, in websites, software applications, hardware, mobile devices or people.

The most common type of ‘penetration testing’ – the industry term for ethical hacking – is known as a ‘black box’ exercise. This typically involves ‘outside the building’ testing of all IT systems connected to the internet.

Some companies, however, compromise by commissioning a ‘white box’ exercise. 

In this type of penetration test, the tester is pre-armed with knowledge of the client company’s network, servers and security policy and usually tests only selected elements of its security defences. This type of testing is acknowledged to be inferior to the more thorough ‘black box’ process.

In most cases, penetration testing is an external exercise, with the tester adopting the mindset of a malicious external hacker in an effort to breach IT defences.

But according to KCS, four out of five illegal cyber hacks are carried out internally. Those companies that do not wish to haemorrhage cash and intellectual property should therefore also commission internal tests. These focus on what internal staff can do and see with their own IT network. 

Revealing information

However secure a system may appear on paper, people are the weakest link in IT security. Sometimes staff can be bribed to reveal access codes to malicious hackers or business rivals. But often staff may unwittingly jeopardise their company’s security by revealing information in person to strangers or business associates, or may simply be careless when it comes to using unsecured personal devices such as smartphones to access sensitive areas of the corporate network. 

“Without proper access controls, colleagues may deliberately or unwittingly jeopardise the confidentiality and integrity of the data,” says Poole-Robb.

As well as taking full account of an organisation’s external and internal IT security, a fully effective penetration test should focus on an organisation’s supply chain. Companies with the most secure IT networks can still be compromised by suppliers and clients with access to their systems. 

“Cyber risk is a giant iceberg, with the most dangerous parts of it hidden by waves of misconception, arrogance, ignorance, and naivety,” adds Poole-Robb. “The identification and evaluation of the hidden dangers can provide the decision maker with access to all the risks, weaknesses and threats to enable realistic assessment and informed planning.”

Once a penetration test has been completed and any security weaknesses identified, it is important that the report be presented in a way that is not overly technical. It must be easily understood by senior executives such as the chief executive and chief financial officer, whose background may not be in IT.

A thoroughly executed penetration test will, however, provide a company with detailed knowledge of the level of risk it faces with regard to cyber security. The company undergoing the tests can then set about plugging the holes in its security defences.

A penetration test that reveals security weaknesses is likely to pay for itself many times over, reducing ICT costs in the long term and shielding the company from the kind of dramatic losses often associated with compromised financial data or mission-critical business intelligence.

But even after penetration testing has been successfully accomplished and the results effectively acted on, no organisation is free to rest on its laurels. 

As each test is only a snapshot in time, and cyber criminals are constantly developing new tools and strategies for malicious hacking, regular testing is needed to safeguard crucial data and business intelligence.



Obstacles exist around confidentiality and need to be addressed

It is important to define what ethical hacking should focus on and, more importantly, outline why and to what extent a corporation is engaging a third-party vendor. 

An IT professional hacking the network in an agreed, controlled and secured way is useful if vulnerabilities can be exposed. Otherwise, the outcome could be useless or even worse if it fails to be related back to the business. 

Ultimately, it is important to understand that the point of the exercise is to protect a company’s intangible assets. In that regard, the awareness and perceived value of intangible assets protection (data, content, brand, reputation, IP etc) is growing. This is particularly the case because insurance can be an asset and not only a commodity for this risk class.

Various risk stakeholders have an opportunity to work together, which can help to incentivise and raise awareness of the corporation’s specific weaknesses, but this is not good enough if it solely demonstrates weaknesses.

In order to make this approach really valuable for corporations, it is vital to come from a vulnerability stress-testing approach, apply an out-of-the-box mindset and demonstrate how such security holes (vulnerabilities) can be identified, quantified and addressed.

Ethical hacking includes stress testing, which needs to be done with a security mindset − not mere numbers. Corporations cannot afford to put critical operations systems in jeopardy; they have to compensate and review the next step, having identified business vulnerabilities. 

The next step should be solutions that help to mitigate, correct or transfer the potential effect in a cost-effective way. If the underlying issue is not resolved or there is a misunderstanding as to how it relates to where the weaknesses and vulnerabilities are, then the exercise is a waste of money. 

On the other hand, closing every vulnerability might not be the best solution either. Some holes are essential to work with third-party infrastructure.

At the moment, the perception of the risk and security holes at various levels of the corporation, as far as hacking or intangible asset risks are concerned, can be hugely different and it depends on what level is involved and how it is executed. 

One method of making people more aware about where the risk lies is to look at the issue from a controlled, disciplined and security mindset, and this is when ethical hacking is an essential part of everyday life for some firms.

In my opinion, success is based on a clear agreed project scope, a common understanding of the tested areas and decision and authority support.

Ethical hacking provides the details of potential attacks and enables companies to test their software and hardware to mitigate or prevent such malicious attacks, as long as it is being used in terms of vulnerability management.

If undertaking ethical hacking, it is still possible to come to the conclusion that some vulnerabilities cannot or should not be rectified, whether for technical, financial, operational reasons or risk transfer restrictions.

Peter Hacker, chief executive, global communications, technology, media practice, JLT Specialty Ltd