Why Would You Hire A Hacker?

CEH-logoShould you hire a hacker?  Recently, the US Department of Defense did just that in their “Hack the Pentagon” event this spring.  This event resulted in the discovery of over 200 vulnerabilities that have been remediated, making our Defense network more secure.

The hackers we are recommending would be Certified Ethical Hackers (CEH) or Offensive Security Certified Professionals (OSCP).  These are professional cybersecurity practitioners who have received the specialized training to run a successful penetration test against your company assets.  Certified professionals adhere to a code of conduct that commits these individuals to do no harm and only use their knowledge and powers for good.  For the record, I am a Certified Ethical Hacker.

What can you expect from an engagement with one of these professionals.  There is a great article on Tech Republic that covers this in depth, but basically, will should end up with a view of your network just as a malicious attacker or cyber-criminal would see it, in all it’s vulnerable glory.

What is the difference between a penetration test and an automated vulnerability assessment using a tool such as Nessus?  A vulnerability assessment takes a look at your network and finds instances of known vulnerabilities and relates them to the Common Vulnerabilites and Exposures.  This gives you an idea what an attacker might try to exploit, and a big list of vulnerabilities to mitigate.

A pen-test will be more expensive, more exhaustive, and take more time to execute.  A pen-tester will take the vulnerability information, and move past that to exploitation.  Starting with the reconnaissance phase, a pen-tester will find as much information as they can using public records, the internet, dumpster diving, and social engineering.  In the discovery or foot-printing phase, the pen-tester will locate network hosts and any inherent vulnerabilities.  In the exploitation phase, a pen-tester will actually try to breach the network and take control of network hosts, and access information that is stored on the network.  A pen-tester not only finds what might be exploitable, what what actually can be exploited.  If you have made an investment in an IDS, IPS, or SIEM, the pen-testers activity should allow you to evaluate just how good these defensive network tools are at detecting unauthorized activity.  At the end, the pen-tester will remove all traces of their activity and clean up the network environment to leave it in the same condition they found it.  And finally, the pen-tester will generate a report of finding and recommended remediations.

Last Friday we discussed the 20 questions you need to answer in an IT risk assessment.  Your next step is to engage a professional to perform a vulnerability assessment or penetration test.  The report that they create should satisfy the business partners, vendors, or regulators that are inquiring about your network security.  I think I know somebody I could recommend.

 

1

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
  Related Posts

Comments

  1. hire a hacker canada  November 21, 2016

    Very good information. Lucky me I discovered your blog by accident (stumbleupon).

    I’ve book-marked it for later!

    reply

Add a Comment