Why Would You Hire A Hacker?

CEH-logoShould you hire a hacker?  Recently, the US Department of Defense did just that in their “Hack the Pentagon” event this spring.  This event resulted in the discovery of over 200 vulnerabilities that have been remediated, making our Defense network more secure.

The hackers we are recommending would be Certified Ethical Hackers (CEH) or Offensive Security Certified Professionals (OSCP).  These are professional cybersecurity practitioners who have received the specialized training to run a successful penetration test against your company assets.  Certified professionals adhere to a code of conduct that commits these individuals to do no harm and only use their knowledge and powers for good.  For the record, I am a Certified Ethical Hacker.

What can you expect from an engagement with one of these professionals.  There is a great article on Tech Republic that covers this in depth, but basically, will should end up with a view of your network just as a malicious attacker or cyber-criminal would see it, in all it’s vulnerable glory.

What is the difference between a penetration test and an automated vulnerability assessment using a tool such as Nessus?  A vulnerability assessment takes a look at your network and finds instances of known vulnerabilities and relates them to the Common Vulnerabilites and Exposures.  This gives you an idea what an attacker might try to exploit, and a big list of vulnerabilities to mitigate.

A pen-test will be more expensive, more exhaustive, and take more time to execute.  A pen-tester will take the vulnerability information, and move past that to exploitation.  Starting with the reconnaissance phase, a pen-tester will find as much information as they can using public records, the internet, dumpster diving, and social engineering.  In the discovery or foot-printing phase, the pen-tester will locate network hosts and any inherent vulnerabilities.  In the exploitation phase, a pen-tester will actually try to breach the network and take control of network hosts, and access information that is stored on the network.  A pen-tester not only finds what might be exploitable, what what actually can be exploited.  If you have made an investment in an IDS, IPS, or SIEM, the pen-testers activity should allow you to evaluate just how good these defensive network tools are at detecting unauthorized activity.  At the end, the pen-tester will remove all traces of their activity and clean up the network environment to leave it in the same condition they found it.  And finally, the pen-tester will generate a report of finding and recommended remediations.

Last Friday we discussed the 20 questions you need to answer in an IT risk assessment.  Your next step is to engage a professional to perform a vulnerability assessment or penetration test.  The report that they create should satisfy the business partners, vendors, or regulators that are inquiring about your network security.  I think I know somebody I could recommend.

 

1

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instruction for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
  Related Posts

Comments

  1. hire a hacker canada  November 21, 2016

    Very good information. Lucky me I discovered your blog by accident (stumbleupon).

    I’ve book-marked it for later!

    reply

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.