How Malicious Attackers Beget Ethical Hackers

By Kevin Beaver

You need protection from hacker shenanigans; you have to become as savvy as the guys trying to attack your systems. A true security assessment professional possesses the skills, mindset, and tools of a hacker but is also trustworthy. He or she performs the hacks as security tests against systems based on how hackers might work.

Ethical hacking — which encompasses formal and methodical penetration testing, white hat hacking, and vulnerability testing — involves the same tools, tricks, and techniques that criminal hackers use, but with one major difference: Ethical hacking is performed with the target’s permission in a professional setting. The intent of ethical hacking is to discover vulnerabilities from a malicious attacker’s viewpoint to better secure systems. Ethical hacking is part of an overall information risk management program that allows for ongoing security improvements. Ethical hacking can also ensure that vendors’ claims about the security of their products are legitimate.

If you perform ethical hacking tests and want to add another certification to your credentials, you might want to consider becoming a Certified Ethical Hacker (CEH) through a certification program sponsored by EC-Council. Like the Certified Information Systems Security Professional (CISSP), the CEH certification has become a well-known and respected certification in the industry. It’s even accredited by the American National Standards Institute (ANSI 17024).

Other options include the SANS Global Information Assurance Certification (GIAC) program and the Offensive Security Certified Professional (OSCP) program — a completely hands-on security testing certification. All too often, people performing this type of work don’t have the proper hands-on experience to do it well.

Ethical hacking versus auditing

Many people confuse security testing via the ethical hacking approach with security auditing, but there are big differences, namely in the objectives. Security auditing involves comparing a company’s security policies (or compliance requirements) to what’s actually taking place. The intent of security auditing is to validate that security controls exist — typically using a risk-based approach. Auditing often involves reviewing business processes and, in many cases, might not be very technical. Security audits are usually based on checklists.

Not all audits are high-level, but many (especially around PCI DSS [Payment Card Industry Data Security Standard] compliance) are quite simplistic — often performed by people who have no technical computer, network, and application experience or, worse, they work outside of IT altogether!

Conversely, security assessments based around ethical hacking focus on vulnerabilities that can be exploited. This testing approach validates that security controls do not exist or are ineffectual at best. Ethical hacking can be both highly technical and nontechnical, and although you do use a formal methodology, it tends to be a bit less structured than formal auditing.

Where auditing is required (such as for the ISO 9001 and 27001 certifications) in your organization, you might consider integrating ethical hacking techniques into your IT/security audit program. They complement one another really well.

Policy considerations

If you choose to make ethical hacking an important part of your business’s information risk management program, you really need to have a documented security testing policy. Such a policy outlines who’s doing the testing, the general type of testing that is performed, and how often the testing takes place.

You might also consider creating a security standards document that outlines the specific security testing tools that are used and specific people performing the testing. You might also list standard testing dates, such as once per quarter for external systems and biannual tests for internal systems — whatever works for your business.

Compliance and regulatory concerns

Your own internal policies might dictate how management views security testing, but you also need to consider the state, federal, and international laws and regulations that affect your business. In particular, the Digital Millennium Copyright Act (DMCA) sends chills down the spines of legitimate researchers.

Many of the federal laws and regulations in the United States — such as the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH) Act, Gramm-Leach-Bliley Act (GLBA), North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements, and PCI DSS — require strong security controls and consistent security evaluations. Related international laws such as the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union’s Data Protection Directive, and Japan’s Personal Information Protection Act (JPIPA) are no different.

Incorporating your security tests into these compliance requirements is a great way to meet the state and federal regulations and beef up your overall information security and privacy program.