Why Would You Hire A Hacker?

CEH-logoShould you hire a hacker?  Recently, the US Department of Defense did just that in their “Hack the Pentagon” event this spring.  This event resulted in the discovery of over 200 vulnerabilities that have been remediated, making our Defense network more secure.

The hackers we are recommending would be Certified Ethical Hackers (CEH) or Offensive Security Certified Professionals (OSCP).  These are professional cybersecurity practitioners who have received the specialized training to run a successful penetration test against your company assets.  Certified professionals adhere to a code of conduct that commits these individuals to do no harm and only use their knowledge and powers for good.  For the record, I am a Certified Ethical Hacker.

What can you expect from an engagement with one of these professionals.  There is a great article on Tech Republic that covers this in depth, but basically, will should end up with a view of your network just as a malicious attacker or cyber-criminal would see it, in all it’s vulnerable glory.

What is the difference between a penetration test and an automated vulnerability assessment using a tool such as Nessus?  A vulnerability assessment takes a look at your network and finds instances of known vulnerabilities and relates them to the Common Vulnerabilites and Exposures.  This gives you an idea what an attacker might try to exploit, and a big list of vulnerabilities to mitigate.

A pen-test will be more expensive, more exhaustive, and take more time to execute.  A pen-tester will take the vulnerability information, and move past that to exploitation.  Starting with the reconnaissance phase, a pen-tester will find as much information as they can using public records, the internet, dumpster diving, and social engineering.  In the discovery or foot-printing phase, the pen-tester will locate network hosts and any inherent vulnerabilities.  In the exploitation phase, a pen-tester will actually try to breach the network and take control of network hosts, and access information that is stored on the network.  A pen-tester not only finds what might be exploitable, what what actually can be exploited.  If you have made an investment in an IDS, IPS, or SIEM, the pen-testers activity should allow you to evaluate just how good these defensive network tools are at detecting unauthorized activity.  At the end, the pen-tester will remove all traces of their activity and clean up the network environment to leave it in the same condition they found it.  And finally, the pen-tester will generate a report of finding and recommended remediations.

Last Friday we discussed the 20 questions you need to answer in an IT risk assessment.  Your next step is to engage a professional to perform a vulnerability assessment or penetration test.  The report that they create should satisfy the business partners, vendors, or regulators that are inquiring about your network security.  I think I know somebody I could recommend.



About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
  Related Posts


  1. hire a hacker canada  November 21, 2016

    Very good information. Lucky me I discovered your blog by accident (stumbleupon).

    I’ve book-marked it for later!


Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.