As part of #CyberSecurityAwarenessMonth, we’re taking a look at what you should expect when bringing an ethical hacker into your business with our Practice Director for Security, Andy Bates.
WHAT IS AN ETHICAL HACKER?
Ethical hacking is the process of hacking into IT systems to identify flaws, weaknesses and blind spots on behalf of an organisation. Because of the specialist skill required to undertake ethical hacking safely, organisations typically hire specialists via consultancies or Managed Security Service Providers (MSSPs) like Node4.
An ethical hacker is also known as a “blue hat” hacker – they use the same tactics and tools as criminal “red hat” hackers to uncover breach points, minus the malicious intent. After the organised hack – which is always tightly briefed and often takes place in a replicated environment – ethical hackers report their vulnerability findings and recommend fixes or security roadmaps.
WHERE DO YOU HIRE A CREDIBLE ETHICAL HACKER?
Ethical hackers aren’t the easiest to come by, but demand is on the rise – and the number of professionals in this line of work is predicted to rise by 20% by the end of 2023 in comparison to 2022.
If you’re looking to introduce an ethical hacker to your organisation, freelance platforms are probably the best place to start your search for one that can best fit your organisation’s needs. Remember to obtain proof of relevant certifications before hiring, though – certificates like Certified Ethical Hacker (CEH) and Offensive Security Certified Professional (OSCP) are a good place to start, as they evidence a hacker’s relevant knowledge and experience.
WHAT TO EXPECT WHEN HIRING AN ETHICAL HACKER
As a cybersecurity niche, ethical hacking can feel like an enigma, even to those of us in IT. As a result, many organisations struggle to differentiate between the credible and the questionable. If you’re unsure what to expect when hiring an ethical hacker, we’re here to provide you with the vital details you need.
1. REFLECTIVE DAY RATES
Ethical hacking is a scarce and coveted skill and, as such, comes with a caveat: it can be expensive. Of course, compared to the cost of a successful system or data breach (from operational downtime to regulatory fines or financial theft), a day rate of around £2,000.00 is negligible. Nevertheless, IT, data and technology leaders can struggle to get sign-off.
If budget is a challenge, follow a robust due diligence procedure to identify the most credible ethical hacker for your budget, with a strong emphasis on evidence and references. And remember – not all ethical hackers are created equal. Although the best are cybersecurity professionals at the very top of their game, under-skilled testers severely threaten your organisation’s security.
Consultancies and MSSPs are constantly exploring how ethical hacking can be more cost-effective, such as Node4’s upcoming Ethical Hacking product. But, at least in this cybersecurity discipline, competence often correlates with cost.
2. TOTAL TRANSPARENCY
We’re all familiar with the hacker stereotype: stealthy, under the radar, a suspiciously bare online presence. But ethical, white-hat hackers couldn’t be more different from the bad guys. One quick Google and you can expect to find them in every corner of cybersecurity’s digital sphere.
From guest blogs and webinar keynotes to transparent career portfolios and listings on rating and directory sites, you’ll find credible ethical hackers discussing their work, insight and opinions openly and regularly.
3. HEAPS OF HORROR STORIES
Whether you work with a large specialist organisation, an MSSP or a solo expert, your ethical hacker should be exceptionally experienced and passionate to boot. So, when you ask about their background, similar projects and white-hat approach, expect to be met by a wealth of insight and (anonymised!) tales from their ethical hacking history.
When green-lighting an ethical hacker, your business essentially surrenders its IT infrastructure to a third party. As a result, there is zero room for compromise in knowledge, skills and experience. Therefore, when shortlisting your ethical hackers, pay special attention to their authenticity and enthusiasm when recalling past projects – it may well set apart the smart but under-practised from a trusted white-hat veteran.
4. CERTIFICATIONS THEY CAN EXPLAIN
When hiring an ethical hacker to test your organisation’s security posture, look for tester certifications indicative of the highest skill levels, such as CREST. It’s also a good sign when consultancies or MSSPs hold information security and quality management certifications, including ISO 9001, ISO 27001 and ISO 22301. After all, ethical hacking demands you put your faith in secretive skills and you may appreciate knowing that your white-hat hacker is accountable beyond the four walls of their operation.
Most importantly, ask your potential ethical hacker how they apply the knowledge acquired through certification. Achieving a certification is one thing – living its principles after the fact determines the quality of service you receive.
5. BULLETPROOF BRIEFING
If you hire an ethical hacker, expect to add “limit of exploitation” to your cybersecurity vocabulary. This describes how deep you’ll permit ethical hackers into your IT systems and what they’re allowed to do.
With IT and data being the backbone of business operations, it makes sense that you create a bulletproof, crystal-clear brief, ideally in collaboration with Compliance teams. Where live testing threatens availability, consider developing a replicated environment for ethical hacking.
6. SURPRISING PROPOSITIONS
Don’t be surprised if an ethical hacker suggests that you stretch the limits of your comfort zone. Some white-hat hackers like to thoroughly test the rigour of your digital perimeter by incorporating nefarious social engineering tactics. For example, they may target selected employees with personalised phishing emails, or take their deception further by physically infiltrating your premises with forged passes or planted USBs.
An ethical hacker will never enter the physical realm unless your briefing scope allows it. So, although it may seem alarming initially, consider any social engineering proposition an ethical hacker puts to you. Doing so may unmask your most significant security vulnerability.
7. NEW THINKING
One of the major costs in engaging an ethical hacker is the time taken to understand your architecture and configure the testing tooling; once that is done, running a scan is largely a matter of supervising an automated process.
Finally, there is the human effort of digesting the evidence and translating it into a report. An emergent trend in the industry, which a few companies (including Node4) have adopted, is to let this testing continue to run throughout the remainder of the year rather than within a dedicated testing window. In this way, your testing maintains its “currency” by constantly scanning your network. Clearly, invasive tests are not ideal when running unsupervised, but this new proposition addresses the challenge of paying expensive specialists to programme complex tooling, giving you better value throughout the year.
The phrase “play them at their own game” has never been more accurate than in the context of ethical hacking.
With the cyberthreat landscape expanding and maturing, organisations cannot afford to let hackers gain the upper hand. The bottom line? To outpace cybercriminals, you need a defence capable of thinking and acting like the threat you face.