How to beat hackers at their own game – the role of ‘ethical hacking’

In light of the recent MSD security breach, I would like to explain the function of penetration testing in securing IT systems, and address the confusion relating to the use of ethical hacking techniques to protect organisations and their data.

In order to protect systems from cyber attack, organisations will often engage specialist companies to perform systems testing prior to launching new systems. This is called ‘penetration testing’ and is part of a discipline known as ‘ethical hacking’. 

These specialist companies provide services that are objective and offer real-world assessments of security weaknesses, risk and remediation options. It is an essential security practice that is necessary for highly secure environments, and should be performed on a regular basis.

To perform this role, ethical hackers must first learn, understand and master the techniques used by cyber criminals. They use this knowledge to uncover the vulnerabilities in client systems. As part of their professional development they participate at conferences attended by both security professionals and corporate specialists.

A significant part of their role is research, which results in the development of tools and methods for testing of systems and applications in order to harden and protect environments in advance of any cyber attack. 

Reputable organisations involved in ethical hacking subscribe to a code of conduct known as ‘responsible disclosure’, whereby advanced warning is provided to hardware and software manufacturers before the vulnerability is shared publicly. This enables companies or agencies to release products that are less vulnerable and patch any discovered vulnerabilities before unethical hackers discover them.

Best practice methods also oblige ethical hackers to share these tools openly with the security community so they can be used to protect others.  There are a number of open source and commercial products used for testing security loopholes.

Some organisations go so far as to include ‘bug bounty programs’ that are designed to encourage security research on their systems by would-be hackers. 

For example, Mozilla will pay a bounty of up to $US3000 for certain bug discoveries that are reported to them. Facebook, Google and other technology companies also have bug bounty programmes to promote positive engagement with hackers in an effort to reward them rather than react.  

This practice, however, is not generally a commercially contracted project but a way of dealing with hackers who would likely be looking for vulnerabilities for fun or nefarious purposes anyway.

Security testing and ethical hacking are key instruments to improve the security posture of organisations.  Ethical hacking companies provide a valuable third-party validation of an organisation’s security. It is great that New Zealand has some of the best global talent in this space, and their expertise should be highly sought after and regularly implemented by providers of both public and private access systems.

Candace Kinser is chief executive of NZICT, the New Zealand Information and Communications Technology Group.