Breach preparation: The benefits of ethical hacking for IT security

Last updated: 17 June 2016

Benefits of Ethical HackingHacking is getting easier and cheaper, so every enterprise should do it. Wait… what? Of course, I’m talking about reaping the benefits of ethical hacking as a way of preparing for an actual cyber attack – the odds of which are increasing as hacking services become simpler to obtain.

Just about anything can be bought in the Internet these days, legal or otherwise. Rocket launchers, hard drugs and indeed hacking services have become as easy to purchase as books and music.

While some such services are available on the regular Web, more serious customers turn to the TOR, The Onion Network. Also known as the Dark Web, TOR enables buyers and sellers to transact with full anonymity using cryptocurrencies such as BitCoin.

Through TOR, hacking services have proliferated in recent years. They’ve been used by individuals with an axe to grind, such as Edwin Vargas, an NYPD detective. Driven by jealousy he paid $4000 dollars for over 40 email passwords, half of which belonged to police officers.

Another reason for growth in these services is that they are simpler to deliver. Technology is more straightforward than it used to be — witness how people can create web sites or drive smart phones, for example. By the same token, the barrier to entry for hackers is lower.

As confirms a report from Rand Corporation, “Greater availability of as-a-service models, point-and-click tools, and easy-to-find online tutorials makes it easier for technical novices to use what these markets have to offer.”

Why Hacking Is Becoming Easier

As a result the threat is growing. But isn’t it always? Am I just going to say “be vigilant” and then we all get on with our lives?

Well, no, because there’s an additional factor which means this proliferation can no longer be ignored. It’s about the nature of the attack surface.

In traditional computing models, we could consider this in three parts: first the physical environment; then the computer hardware; then the software. Policies, procedures and protections would be considered for each.

In the virtual world, the physical and hardware layers have been architected to create a reasonably robust underlying platform. Yes, sure, this still needs protecting but to a large extent it already is — the controls are well known and straightforward to check.

On top of this platform we — the global we, of corporations and providers — have created a massively scalable, massively interconnected but massively complex virtual compute environment.

Here’s the point: even as it gets more complex and harder to protect, it is becoming simpler to hack and exploit. We can’t just stand by and hope it isn’t going to happen, because automation will ensure it will.

Continues the Rand report, “Hyperconnectivity will create more points of presence for attack and exploitation, so that crime will increasingly have a networked or cyber component, creating a wider range of opportunities for black markets.”

But Ethical Hacking is Easy, Too

What to do? There’s only one answer really, and that’s to get there first. Penetration testing (ethical hacking) has been around for years; indeed it used to be my job. And just as computers can be programmed, so can exploits — there are libraries of them freely available.

We should not be daunted by kicking off such activities, of running a program of checks for back doors into our own systems. It’s not that hard to do — that’s the point. If it was, the bad guys would be looking for easier ways to make money. The many benefits ethical hacking offer organizations will certainly outweigh the bit of time and effort required to implement it.

If you don’t want to do it yourself, you can engage an (ethical) service to do it for you. As we already know, there are plenty of them around. You don’t have to check all your IT systems and services, just the ones that give access onto the data you have that is worth protecting.

Which raises a final point: If you don’t already know what data you have that is worth exploiting, for heaven’s sake work it out. Then check whether it is accessible.

There will be a cost, but after all, it will be worth your while paying a relatively small sum up front, rather than shelling out to repair the damage later.


2015 Data Breach ReportDownload our complete 2015 Data Breaches Report to learn about the most notable breach statistics of 2015. Or check out the Breach Level Index 2015 infographic for an overview of the breach trends.

Leave a Reply

Your email address will not be published. Required fields are marked *