Should you hire a hacker? Recently, the US Department of Defense did just that in their “Hack the Pentagon” event this spring. This event resulted in the discovery of over 200 vulnerabilities that have been remediated, making our Defense network more secure.
The hackers we are recommending would be Certified Ethical Hackers (CEH) or Offensive Security Certified Professionals (OSCP). These are professional cybersecurity practitioners who have received the specialized training to run a successful penetration test against your company assets. Certified professionals adhere to a code of conduct that commits these individuals to do no harm and only use their knowledge and powers for good. For the record, I am a Certified Ethical Hacker.
What can you expect from an engagement with one of these professionals? There is a great article on Tech Republic that covers this in depth, but basically, you should end up with a view of your network just as a malicious attacker or cyber-criminal would see it, in all its vulnerable glory.
What is the difference between a penetration test and an automated vulnerability assessment using a tool such as Nessus? A vulnerability assessment scans your network, matches what it finds (open services, software versions, configurations) against a database of known vulnerabilities, and maps each finding to its Common Vulnerabilities and Exposures (CVE) identifier. This gives you an idea of what an attacker might try to exploit, and a big list of vulnerabilities to mitigate. Keep in mind that the list is only as good as the scanner's signatures and the access it was given: an unauthenticated scan misses what an authenticated one would find, and some findings will turn out to be false positives, so the list still needs a human to prioritize it.
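To make that big list actionable, here is an added example (it is not from the original post, and it is not Tenable's code): a small Python script that reads a scan export laid out like a Nessus v2 `.nessus` file, drops the informational items, collapses the per-host findings into one row per CVE, and ranks them by CVSS score and by how many hosts share the problem. The XML, hosts, plugin IDs, CVE numbers and scores are constructed placeholders; the element and attribute names follow the Nessus v2 export format as I know it, so check them against a real export before relying on this.

```python
"""Turn a vulnerability-scan export into a ranked remediation queue.

Reads XML shaped like a Nessus v2 export (.nessus), skips informational
(severity 0) items, groups findings by CVE and ranks them by CVSS and by
how many hosts share the problem.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of a Nessus v2 export. Hosts, plugin IDs,
# CVE numbers and scores are placeholders, not real scan results.
SAMPLE_NESSUS = """
<NessusClientData_v2>
  <Report name="example-internal-scan">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="100000" pluginName="SMB server missing security update">
        <cve>CVE-0000-1111</cve>
        <cvss_base_score>9.3</cvss_base_score>
        <solution>Apply the vendor patch.</solution>
      </ReportItem>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="100001" pluginName="TLS server supports weak ciphers">
        <cvss_base_score>4.3</cvss_base_score>
        <solution>Disable weak cipher suites.</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="100002" pluginName="OS identification">
        <plugin_output>Remote OS appears to be Linux.</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="100000" pluginName="SMB server missing security update">
        <cve>CVE-0000-1111</cve>
        <cvss_base_score>9.3</cvss_base_score>
        <solution>Apply the vendor patch.</solution>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3"
                  pluginID="100003" pluginName="SSH server multiple vulnerabilities">
        <cve>CVE-0000-2222</cve>
        <cve>CVE-0000-3333</cve>
        <cvss_base_score>7.5</cvss_base_score>
        <solution>Upgrade the SSH server.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_findings(xml_text):
    """Yield one dict per (host, plugin) finding, skipping severity-0 items."""
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            severity = int(item.get("severity", "0"))
            if severity == 0:
                continue  # informational only; nothing to remediate
            score = item.findtext("cvss_base_score")
            yield {
                "host": host.get("name"),
                "port": "%s/%s" % (item.get("port"), item.get("protocol")),
                "plugin": item.get("pluginName"),
                "severity": severity,
                "cvss": float(score) if score else 0.0,
                "cves": [c.text for c in item.findall("cve")],
                "solution": (item.findtext("solution") or "").strip(),
            }


def remediation_queue(xml_text):
    """Group findings by CVE (or by plugin name when no CVE is attached),
    keep the worst CVSS seen, and rank: highest CVSS first, then most hosts."""
    groups = defaultdict(lambda: {"cvss": 0.0, "hosts": set(), "solution": ""})
    for f in parse_findings(xml_text):
        for key in f["cves"] or [f["plugin"]]:
            g = groups[key]
            g["cvss"] = max(g["cvss"], f["cvss"])
            g["hosts"].add(f["host"])
            g["solution"] = g["solution"] or f["solution"]
    queue = [
        {"id": key, "cvss": g["cvss"], "hosts": sorted(g["hosts"]), "solution": g["solution"]}
        for key, g in groups.items()
    ]
    queue.sort(key=lambda r: (-r["cvss"], -len(r["hosts"]), r["id"]))
    return queue


if __name__ == "__main__":
    for row in remediation_queue(SAMPLE_NESSUS):
        print("%-36s CVSS %-4s hosts=%d  %s" % (row["id"], row["cvss"], len(row["hosts"]), row["solution"]))
```

Run it and the SMB finding comes out on top because it is both the highest-scored and the one shared by two hosts; the weak-cipher finding, which carries no CVE, is keyed by plugin name so it is not lost. Grouping by CVE rather than by host is what turns hundreds of scanner rows into a handful of patches to schedule.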
A pen-test will be more expensive, more exhaustive, and take more time to execute. A pen-tester takes the vulnerability information and moves past it to exploitation.

Starting with the reconnaissance phase, the pen-tester gathers as much information as they can using public records, the internet, dumpster diving, and social engineering. In the discovery or foot-printing phase, they locate network hosts and the vulnerabilities present on them. In the exploitation phase, they actually try to breach the network, take control of hosts, and access information stored on the network. A pen-tester not only finds what might be exploitable, but what actually can be exploited.

If you have made an investment in an IDS, IPS, or SIEM, the pen-tester's activity should let you evaluate just how good those defensive tools are at detecting unauthorized activity; ask for a timestamped log of what they did so you can line it up against what your sensors alerted on. At the end, the pen-tester will remove all traces of their activity (accounts created, tools uploaded, configuration changes) and leave the environment in the condition they found it. Finally, they will deliver a report of findings and recommended remediations.
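As an added example (not from the original post), here is how I would turn the tester's activity log and a SIEM alert export into a detection-coverage score per phase. Both inputs are constructed for illustration: the activity entries, the syslog-style alert lines, the sensor names and the 15-minute matching window are all assumptions, and a real alert export will need its own parser in place of the regular expression used here.

```python
"""Score how much of a pen-tester's activity the IDS/IPS/SIEM actually caught.

Inputs: the tester's own timestamped activity log and an export of SIEM
alerts. A tester action counts as detected when an alert from the same
source IP fires within a window after the action started.
"""
import re
from datetime import datetime, timedelta

# Constructed tester activity log: (start time, source IP, phase, technique).
# The addresses are from documentation ranges; nothing here is a real engagement.
TESTER_ACTIVITY = [
    ("2016-06-03T09:00:00", "203.0.113.10", "discovery", "TCP SYN scan of 10.0.0.0/24"),
    ("2016-06-03T09:40:00", "203.0.113.10", "discovery", "Web directory brute force on 10.0.0.5"),
    ("2016-06-03T11:15:00", "203.0.113.10", "exploitation", "SMB exploit against 10.0.0.6"),
    ("2016-06-03T13:05:00", "10.0.0.6", "exploitation", "Credential dump, lateral move to 10.0.0.7"),
    ("2016-06-03T15:30:00", "10.0.0.7", "exploitation", "Staging and exfiltration to 203.0.113.10"),
]

# Constructed SIEM alert export, one syslog-style line per alert. The sensor
# names, signature IDs and message texts are made up for illustration.
SIEM_ALERTS = """\
2016-06-03T09:00:42 ids alert sid=2000001 msg="Possible port scan" src=203.0.113.10 dst=10.0.0.5
2016-06-03T09:41:10 waf alert sid=2000010 msg="Excessive 404 responses" src=203.0.113.10 dst=10.0.0.5
2016-06-03T10:02:00 ids alert sid=2000020 msg="Unrelated background noise" src=198.51.100.7 dst=10.0.0.9
this line is not an alert and must be skipped by the parser
2016-06-03T15:38:20 dlp alert sid=2000030 msg="Large outbound transfer" src=10.0.0.7 dst=203.0.113.10
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) (?P<sensor>\S+) alert .*?msg="(?P<msg>[^"]*)" src=(?P<src>\S+)'
)


def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match the format are dropped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        alerts.append({
            "time": datetime.fromisoformat(m["ts"]),
            "sensor": m["sensor"],
            "msg": m["msg"],
            "src": m["src"],
        })
    return alerts


def detection_coverage(activity, alerts, window=timedelta(minutes=15)):
    """For each tester action, list the alerts that fired from the same source
    IP within `window` of its start. No alerts means the action went unseen."""
    results = []
    for ts, src, phase, technique in activity:
        start = datetime.fromisoformat(ts)
        hits = [a for a in alerts if a["src"] == src and start <= a["time"] <= start + window]
        results.append({
            "phase": phase,
            "technique": technique,
            "detected": bool(hits),
            "alerts": ["%s: %s" % (a["sensor"], a["msg"]) for a in hits],
        })
    return results


def coverage_by_phase(results):
    """Return {phase: (detected_count, total_count)}."""
    summary = {}
    for r in results:
        detected, total = summary.get(r["phase"], (0, 0))
        summary[r["phase"]] = (detected + int(r["detected"]), total + 1)
    return summary


if __name__ == "__main__":
    results = detection_coverage(TESTER_ACTIVITY, parse_alerts(SIEM_ALERTS))
    for r in results:
        flag = "DETECTED" if r["detected"] else "MISSED  "
        print("%s %-13s %s" % (flag, r["phase"], r["technique"]))
    for phase, (d, t) in coverage_by_phase(results).items():
        print("%s: %d of %d actions detected" % (phase, d, t))
```

With this constructed data the noisy discovery phase is fully detected while two of the three exploitation steps, the ones launched from inside the network, produce no alert at all. That gap between perimeter and internal visibility is exactly the kind of finding a pen-test surfaces about your defensive tooling that a vulnerability scan never will.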
Last Friday we discussed the 20 questions you need to answer in an IT risk assessment. Your next step is to engage a professional to perform a vulnerability assessment or penetration test. The report that they create should satisfy the business partners, vendors, or regulators that are inquiring about your network security. I think I know somebody I could recommend.