Do you need an ethical hacker?
Questions to ask before hiring
by Felix Griman*
Most IT systems and networks operate under the assumption that everything is working well because we see no evidence of failures or errors while performing routine activities. This assumption is held at every level of the organisation, from the most basic position up to the CEOs themselves.
Whilst that assumption leaves no room for errors, failures or information exposure, risks may be building up in the background without anyone’s knowledge.
These situations regularly come to the surface when the infrastructure of a company suddenly collapses for no apparent reason, when information disappears or gets corrupted, when an organisation begins to notice that its vital data is being used by its competitors, or when a series of events tells the company that its systems and network security environment are not working properly.
It is paramount to remember that no system or network is 100% secure against unauthorised intrusions or external attacks. Even so, the company needs to assure itself that its infrastructure is safe and secure.
But, what does it mean to be hacked? Who performs such actions?
First we need to define what a hacker is. A hacker is a technology professional with a very deep comprehension of IT infrastructure, systems and networks, who applies all of that knowledge to break into IT platforms without any authorisation.
As a general note, there is nowadays another term besides hacker, and that is the word cracker. The main difference is that a cracker breaks into company systems without any permission through brute force. A hacker has more programming knowledge and can build things to break into or to protect a network and systems environment, whereas a cracker only breaks the security of a system to steal information.
For this article’s purposes, we are going to use the term hacker for the person who forces access into a system and steals, corrupts, deletes or damages software or hardware.
Having said that, we can now define an ethical hacker: a person who, like the usual hacker, is able to get into a full IT infrastructure, the difference being that an ethical hacker has full authorisation from the organisation to break into its systems and information.
These professionals carry out vulnerability surveys, penetration tests and brute-force attacks on all or part of the company’s systems and networks in order to detect the security holes through which a regular hacker would be able to access and steal, corrupt or delete information, or simply destroy or modify software or hardware configurations and functionality, leaving the organisation and its business disabled.
Normally, any organisation should have an IT security department focused on issues such as network device hardening, digital certificates, encryption, security patches, antivirus software, etc. However, issues such as network vulnerabilities, operating system gaps, application breaches and access-level misconfigurations are normally left aside. This is not because the IT department is not up to the task, but rather because it lacks a view of all the risks: in almost all cases, there is only one person specialised in any specific area.
Having a full view of the risks and their management at every system level in a company brings the need to hire an ethical hacker to coordinate, at a very deep and specialised level, all the activities related to the security holes that might exist, and then to close all those open doors in and between systems and devices to keep the whole platform as secure as possible.
Now we can answer the two questions that give this article its name.
First question: Do you need an ethical hacker inside your company?
Answer: If your IT staff’s training is out of date, or they are not highly specialised in all the segments that make up your company’s technological environment, the answer is YES. An ethical hacker has very deep knowledge of all the areas related to the technical infrastructure and can use many tools to carry out the vulnerability detection, penetration testing and brute-force attacks mentioned at the beginning of this article.
Second question: What should a company ask itself before hiring an ethical hacker to identify any danger or vulnerability?
The answer to this question is tied to the company’s commitment and to its economic and time constraints. The questions to ask would be:
• Am I willing to pay for what it takes to have all or some of my IT staff highly specialised in these tasks?
• Do I have the resources, time and money to have my IT staff, or even some of them, trained to perform all the ethical hacking tasks beside their regular duties?
• Do I have enough staff to cover the absence of those training as ethical hackers?
• Does my technical infrastructure need to be secured against an external attack?
• What would happen if a given attack disabled my business?
The above takes us to the practical question of how to hire an ethical hacker. Being an ethical hacker carries a lot of responsibility, which raises suspicion about the person the company wants to hire.
How can we be certain that this is the right person, and where do we find this person? Does the person have the full capacity, training and qualifications to assess my company, advise my IT department and even train them on what to look for in their routine security checks? These and many other questions are now appearing on the drawing board, producing sleepless nights for many executives and IT managers who are too shy to come forward and request additional training and resources at a moment when companies are tightening the purse strings, trying to maximise savings in a very competitive world.
*About the Author
Felix Griman is an international expert in the design and administration of high-performance, resilient systems and network infrastructure, with more than two decades of experience in national security projects in several countries: implementation of secure transmissions, encryption and access levels; delivery time management; relationships with governments and companies; as well as change management and conflict management at a high level in the administrations of the different countries where he has carried out his projects. Bachelor of Systems Engineering and Chemical Engineering; Cisco CCNP, Microsoft MCSE. His interest is cybersecurity applied to the shipping industry.