Things to Consider when Seeking an Ethical Hacking Vendor
Outsourcing ethical hacking is very popular and a great way for organizations to get an unbiased third-party perspective of their information security. Outsourcing allows you to have a checks-and-balances system that clients, business partners, auditors, and regulators like to see.
Outsourcing ethical hacking can be expensive. Many organizations spend thousands of dollars — often tens of thousands — depending on the testing needed. However, doing all this yourself isn’t cheap — and quite possibly it isn’t as effective, either!
A lot of confidential information is at stake, so you must trust your outside consultants and vendors. Consider the following questions when looking for an independent expert or vendor to partner with:
Is your ethical-hacking provider on your side or a third-party vendor’s side? Is the provider trying to sell you products, or is the provider vendor neutral? Many providers might try to make a few more dollars off the deal, which might not be necessary for your needs. Just make sure that these potential conflicts of interest aren’t bad for your budget and your business.
What other IT or security services does the provider offer? Does the provider focus solely on security? Having an information security specialist do this testing for you is often better than working with an IT generalist organization. After all, would you hire a general corporate lawyer to help you with a patent, a general family practitioner to perform surgery, or a computer technician to rewire your house?
What are your provider’s hiring and termination policies? Look for measures the provider takes to minimize the chances that an employee will walk off with your sensitive information.
Does the provider understand your business needs? Have the provider repeat the list of your needs and put them in writing to make sure you’re both on the same page.
How well does the provider communicate? Do you trust the provider to keep you informed and follow up with you in a timely manner?
Do you know exactly who will perform the tests? Will one person do the testing, or will subject-matter experts focus on the different areas? (This isn’t a deal breaker but is nice to know.)
Does the provider have the experience to recommend practical and effective countermeasures to the vulnerabilities found? The provider shouldn’t just hand you a think report and say, Good luck with all that! You need realistic solutions.
What are the provider’s motives? Do you get the impression that the provider is in business to make a quick buck off the services, with minimal effort and value added, or is the provider in business to build loyalty with you and establish a long-term relationship?
Finding a good organization to work with long term will make your ongoing efforts much simpler. Ask for several references and sample sanitized deliverables (that is, reports that don’t contain sensitive information) from potential providers. If the organization can’t produce these without difficulty, look for another provider.
Your provider should have its own service agreement for you that includes a mutual nondisclosure statement. Make sure you both sign this to help protect your organization.
Former hackers — these are the black-hat hackers who have hacked into computer systems in the past — can be very good at what they do. Many people swear by hiring reformed hackers to do ethical hacking. Others compare this to hiring the proverbial fox to guard the hen house. If you’re thinking about bringing in a former unethical hacker to test your systems, consider these issues:
Do you really want to reward malicious behavior with your organization’s business?
Claiming to be reformed doesn’t mean he or she is. There could be deep-rooted psychological issues or character flaws you’re going to have to contend with. Buyer beware!
Information gathered and accessed during ethical hacking is some of the most sensitive information your organization possesses. If this information gets into the wrong hands — even ten years down the road — it could be used against your organization. Some hackers and reformed criminals hang out in tight social groups. You might not want your information shared in their circles.
That said, everyone deserves a chance to explain what happened in the past. Zero tolerance is senseless. Listen to his or her story and use common-sense discretion as to whether you trust the person to help you. The supposed black-hat hacker actually might have been a gray-hat hacker or a misguided white-hat hacker who fits well in your organization.