What is Ethical Hacking?
Ethical hacking — which encompasses formal and methodical penetration testing, white hat hacking, and vulnerability testing — involves the same tools, tricks, and techniques that criminal hackers use, but with one major difference: Ethical hacking is performed with the target’s permission in a professional setting.
The intent of ethical hacking is to discover vulnerabilities from a malicious attacker’s viewpoint to better secure systems. Ethical hacking is part of an overall information risk management program that allows for ongoing security improvements. Ethical hacking can also ensure that vendors’ claims about the security of their products are legitimate.
Ethical hacking versus audits
Many people confuse ethical hacking with security auditing, but there are big differences. Security auditing involves comparing a company’s security policies to what’s actually taking place. The intent of security auditing is to validate that security controls exist — typically using a risk-based approach. Auditing often involves reviewing business processes and, in many cases, might not be very technical. Not all audits are this high-level, but the majority are quite simplistic.
Conversely, ethical hacking focuses on vulnerabilities that can be exploited. It validates that security controls do not exist or are ineffectual at best. Ethical hacking can be both highly technical and nontechnical, and although you do use a formal methodology, it tends to be a bit less structured than formal auditing.
If your organization continues to perform security audits, consider integrating ethical hacking techniques into your IT audit program. The two approaches complement one another well: the audit confirms that a control is documented and in place, while the ethical hacking test confirms whether it actually withstands an attack.
If you choose to make ethical hacking an important part of your business’s risk management program, you really need to have a documented security testing policy. Such a policy outlines the type of ethical hacking that is done, which systems (such as servers, web applications, laptops, and so on) are tested, and how often the testing is performed.
You might also consider creating a security standards document that outlines the specific security testing tools that are used and specific dates your systems are tested each year. You might list standard testing dates, such as once per quarter for external systems and biannual tests for internal systems — whatever works for your business.
Compliance and regulatory concerns
Your own internal policies might dictate how management views security testing, but you also need to consider the state, federal, and global laws and regulations that affect your business.
Many of the federal laws and regulations in the U.S. — such as the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH) Act, Gramm-Leach-Bliley Act (GLBA), North American Electric Reliability Corporation (NERC) CIP requirements, and Payment Card Industry Data Security Standard (PCI DSS) — require strong security controls and consistent security evaluations.
Related international laws such as the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union Data Protection Directive, and Japan’s Personal Information Protection Act (JPIPA) are no different. Incorporating your ethical hacking tests into these compliance requirements is a great way to meet the state and federal regulations and beef up your overall privacy and security program.