
How to beat hackers at their own game – the role of ‘ethical hacking’

In light of the recent MSD security breach, I would like to explain the function of penetration testing in securing IT systems, and address the confusion relating to the use of ethical hacking techniques to protect organisations and their data.

In order to protect systems from cyber attack, organisations will often engage specialist companies to perform systems testing prior to launching new systems. This is called ‘penetration testing’ and is part of a discipline known as ‘ethical hacking’. 

These specialist companies provide services that are objective and offer real-world assessments of security weaknesses, risk and remediation options. Penetration testing is an essential security practice for any environment that must be kept highly secure, and it should be performed on a regular basis.

To perform this role, ethical hackers must first learn, understand and master the techniques used by cyber criminals. They use this knowledge to uncover the vulnerabilities in client systems. As part of their professional development they participate in conferences attended by both security professionals and corporate specialists.

A significant part of their role is research, which results in the development of tools and methods for testing of systems and applications in order to harden and protect environments in advance of any cyber attack. 

Reputable organisations involved in ethical hacking subscribe to a code of conduct known as ‘responsible disclosure’, whereby advance warning is provided to hardware and software manufacturers before the vulnerability is shared publicly. This enables companies or agencies to release products that are less vulnerable and to patch any discovered vulnerabilities before unethical hackers discover them.

Best practice methods also oblige ethical hackers to share these tools openly with the security community so they can be used to protect others. There are a number of open source and commercial products used for testing security loopholes.

Some organisations go so far as to include ‘bug bounty programs’ that are designed to encourage security research on their systems by would-be hackers. 

For example, Mozilla will pay a bounty of up to $US3000 for certain bug discoveries that are reported to them. Facebook, Google and other technology companies also have bug bounty programmes to promote positive engagement with hackers, rewarding them for reporting rather than reacting after the fact.

This practice, however, is not generally a commercially contracted project but a way of dealing with hackers who would likely be looking for vulnerabilities for fun or nefarious purposes anyway.

Security testing and ethical hacking are key instruments to improve the security posture of organisations. Ethical hacking companies provide a valuable third-party validation of an organisation’s security. It is great that New Zealand has some of the best global talent in this space, and their expertise should be highly sought after and regularly implemented by providers of both public and private access systems.

Candace Kinser is chief executive of NZICT, the New Zealand Information and Communications Technology Group.


Comments and questions

Clicking on "File/Open" does not rank as hacking or penetration analysis. It is just walking in through the front door with the big sign "Please Enter" on it.

Wonder if gangs can now participate in some "ethical trespass", you know, go on properties, check that the doors really are locked and if they are not ask for payment for checking on them so they are not forced to tell another gang to come in and help themselves.

@Cactus Kate

Gangs or not, if they wait 5 days after telling the owner is that not proper behaviour?

Alan - I have (in my role as security auditor) used 'File/Open' to get past the lockdown defenses on a bank PC and take it over. Amazing what one can do.

Penetration testing is one way for organisations to ensure that the systems that they have function correctly in the presence of sustained attacks from the internet, malicious insiders, and vulnerable partners in the supply chain.

It's a defence against the sloppy coding and badly trained systems administration that seems to be the usual these days. If you don't like the idea, don't hire them, but then don't be surprised when your database is splashed all over the internet while you were busy sticking your head in the sand and congratulating yourself.

It's very trouble-free to find out any topic on net as compared to textbooks, as I found this piece of writing at this web site.

From a third party perspective, there was a simple problem with the MSD kiosks: they were designed with ALL ACCESS, and they then tried to limit access to certain areas by simply hiding them. This is incompetence.

Data sharing systems must be designed with "physical" access to only those systems that the user is intended to access. They then must use usernames and encrypted keys (passwords) as a basic security measure. This allows access to information based on user security and has been the basic method of authentication for the last decade and more.

More sophisticated methods exist.
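The two designs contrasted in the comments above, as an added example that is not code from the article, the commenters or the MSD systems: a kiosk that merely hides a folder from its menu still serves it to anyone who types the path into File/Open, whereas a session bound to an allow-list of intended resources denies everything else at access time. The file tree, paths and session names are constructed for illustration.

```python
"""Added example: deny-by-default access control for a shared kiosk.

Design 1 ('hide it'): every path is reachable; the UI just omits entries.
Design 2 ('allow-list'): the session is mapped to the resources the user is
intended to reach, and anything else is refused when it is opened.
"""
from dataclasses import dataclass, field
import posixpath

# Constructed sample file tree for a public kiosk (hypothetical paths).
KIOSK_FILES = {
    "/public/forms/application.pdf": "blank form",
    "/public/forms/guide.pdf": "how to apply",
    "/staff/cases/12345/notes.txt": "confidential case notes",
    "/staff/reports/summary.xlsx": "internal report",
}

HIDDEN_FROM_MENU = ("/staff",)  # design 1: only hides from the file dialog


@dataclass
class KioskSession:
    user: str
    allowed_prefixes: tuple[str, ...] = field(default_factory=tuple)


def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def menu_listing() -> list[str]:
    """Design 1: what the file dialog shows. Hiding is not a boundary."""
    return [p for p in KIOSK_FILES
            if not any(_under(p, h) for h in HIDDEN_FROM_MENU)]


def open_hidden_design(path: str) -> str:
    """Design 1: a typed path in File/Open bypasses the hidden menu."""
    return KIOSK_FILES[path]  # no check at all: any known path is served


def open_allowlist_design(session: KioskSession, path: str) -> str:
    """Design 2: normalise, then deny unless the path is on the allow-list."""
    norm = posixpath.normpath(path)          # collapses '..' and '.'
    if not norm.startswith("/"):
        raise PermissionError(f"rejected relative path: {path!r}")
    if not any(_under(norm, p) for p in session.allowed_prefixes):
        raise PermissionError(f"{session.user} may not access {norm}")
    if norm not in KIOSK_FILES:
        raise FileNotFoundError(norm)
    return KIOSK_FILES[norm]
```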