The benefits of an ethical hacker

I have a friend who over the last couple of years has become an expert in the ethical hacking arena. He is well thought of in the white hat communities and, for the same reason, feared in the black hat ones. He can put together malware, do a little social engineering and infect a business, in most cases easily, within a couple of hours.

That is what an ethical hacker does. He tests the defences of organisations with the same tools and attack vectors that the cybercriminal uses. In most cases they have a better understanding of the criminal mind than most law enforcement. They also have a better understanding of the technology than 99% of the supposed bad guys of the digital world.

They are legally allowed to say "if I wanted to steal data from you, this is how I would do it", mainly because they have asked your permission to do it. That is one of the keys to a successful ethical hacker: they ask permission, and get paid, to attack your organisation.

These attacks can be aimed at your main data system, your web site, your ecommerce site or any other technology that is attached to the Internet. That also includes your users and their devices.

Once an ethical hacker has completed his assessment he will come back to the company with a report on what was attacked, in most cases how they got in and, the most important component, how you can stop a real hacker from attacking your business.

A complete tactical ethical hacker attack can cost a couple of thousand dollars. A compromised business can lose that amount of money in minutes and can continue to lose it for hours, days or even weeks after a real attack.

To me, ethical hacking is a science, but it is something that even the smallest of organisations needs to consider.

TLR Communications

Roger Smith is the CEO of R & I ICT Consulting Services, an Amazon #1 selling author on cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework. He is a speaker, author, teacher and educator on cybercrime and how to protect yourself from the digital world.

Ethical dilemmas for an IT consultant

“Ethics consist of knowing what not to do.” (Aristotle)

There have been a number of times in my career in the managed services industry where I have been asked by a client about another client in the same business. How they find out about them is probably through recommendations and testimonials which, at times, can be a double-edged sword. These questions have to be handled delicately, but they have to be handled.

When working on client systems we always protect the data from scrutiny without compromising the security of the business. Unless it is absolutely critical that we know what the data is, our business is to ensure that the data is protected at all times, and that includes protection not only from your staff but also from our IT staff.

My philosophy
In our business you have to be exceedingly honest when it comes to protecting your clients' information. In most cases a service level agreement (SLA) has the necessary protection in place for both your clients and yourself. The SLA should include a clause stating your understanding of the business requirements for protecting your clients' network and data.

Staff involvement
All of YOUR staff should also have an understanding of the SLA requirement: if any information from a client site is revealed in the process of doing their job, it is not to be revealed to anyone outside the client's business. In most cases we ensure that it is not revealed to anyone in our business either.
The staff should understand their priorities within a business: loyalty is to the business owner or manager first at all times, followed by loyalty to our business, then to everyone else. Mates and friendship are far down the list of approved disclosure routes. Staff should always err on the side of management no matter what. Protective resources can also be deployed to provide better than normal auditing of file and folder access, to ensure compliance with these principles.

How to ensure that the data is secure
Critical client business data (intellectual property, financial records and banking details) should be considered highly classified and have a need-to-know system applied to it. If you don't need to know the information then you shouldn't have access to the information. Pretty basic, but at times the lines can become blurred.

Ethics is an interesting principle when applied to business dealings at an MSP level, but it is definitely a driving principle for the client as well as for the supplier.

Just in passing, what is the ethical position for an MSP when they discover a client is doing something illegal? Does disclosure of the information become an issue, or are you bound by your SLA? What would you do?

Are we the weakest link in the security of our business?

In a discussion this week I heard a rather interesting quote: all computer systems can be compromised, but it is vigilance and persistence that create a secure environment. This is very true. I was talking to someone who makes his living doing penetration tests on business systems, using applications that he has developed and also his own slant on social engineering.

One of the things that he did bring up was that hacking and gaining access to business systems has started to go full circle. This means that social engineering is playing a larger part in the hacking repertoire. Social engineering is a huge subject and a little larger than the space I have here, but I will touch on it for now.

In the past, a social engineering attack coordinated with a direct attack usually had the attacker gaining access at some level. This was then superseded by the script kiddies and so-called hackers who use readily available programs and exploits from the internet (usually infecting themselves in the process) as a means to access business systems. This has been augmented with viruses, spyware and malware applications that have been broadly targeted on the internet, catching unsuspecting and insecure businesses in the net.

The newest component in the hacker's ability to gain access to your business system is the use of social engineering and social media to gain insight into a business's infrastructure. In the old days they would get on the phone, ring the company and get as much information as they could out of the people answering the phone. This has changed greatly with the introduction of social media.

For example: Joe is a payment receipt clerk for your business. He has a very in-depth profile on a social media site which includes all of his information: where he works, what he does, who and what he likes and dislikes, birthdays and family information. He allows anyone to see this information. A hacker can do some research and find out about Joe, and he can do some further research on your business and who you do business with. What "Mr Black" the hacker does is create a carefully prepared infected invoice (an infected PDF file) that he sends as if from one of your subcontractors, an expected source. Joe, being an innocent worker, doesn't worry about the email because he believes it is coming from a legitimate source, so he clicks on the file. If this sounds familiar, this is how RSA (one of the most secure security systems on the internet) was compromised.

For this to happen, you have to have some seriously valuable information (critical IP) that the hacker is after, or some seriously accessible, insecure money, to make it worth the hacker's while.

Most high-level government workers and business CIOs and CEOs, although they have profiles on social media sites, don't have in-depth information about their everyday work environment on them, and even that information is only available to friends or contacts that they know.

Protecting yourself from a social engineering attack is relatively easy: keep critical business and personal information to only those people that you want to have that information, not the whole internet. Furthermore, access systems that need passwords need to have high-level complexity, and you should also have some level of auditing and reporting on the internal systems to track transactions within the business.
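One way to turn that advice into a concrete check for the "invoice from a subcontractor" scenario above is a small mail-gateway triage that holds the message when the claimed supplier failed SPF/DKIM, when replies are routed to another domain, or when a PDF is attached. This is an added example, not code from the original post; the supplier list, the Authentication-Results format and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed placeholder: supplier domains the business expects invoices from.
ALLOWED_SUPPLIERS = {"subcontractor.example"}

# Constructed sample message: the sender claims to be a known subcontractor,
# but the gateway's SPF check failed and Reply-To points somewhere else.
SAMPLE_MAIL = """\
From: Accounts <accounts@subcontractor.example>
Reply-To: accounts@subcontractor-invoices.example
To: joe@company.example
Subject: Invoice 4471 for payment
Authentication-Results: mx.company.example; spf=fail smtp.mailfrom=mailer.example; dkim=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="invoice_4471.pdf"
Content-Disposition: attachment; filename="invoice_4471.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""


def domain(header_value) -> str:
    """Lower-cased domain of the first address in a header, or '' if none."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def triage(raw: str) -> list[str]:
    """Return the reasons an incoming invoice mail should be held for review."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_domain = domain(msg.get("From", ""))
    reply_domain = domain(msg.get("Reply-To", ""))
    auth = str(msg.get("Authentication-Results", "")).lower()
    # A mail claiming a trusted supplier must carry a passing SPF or DKIM result.
    if from_domain in ALLOWED_SUPPLIERS and "spf=pass" not in auth and "dkim=pass" not in auth:
        flags.append(f"claims supplier {from_domain} but SPF/DKIM did not pass")
    # Replies silently routed to a different domain are a classic invoice-fraud tell.
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from {from_domain}")
    # Any PDF attachment is held so it is opened in a sandbox, never trusted on sight.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".pdf") or part.get_content_type() == "application/pdf":
            flags.append(f"PDF attachment {name!r} must be opened in a sandbox")
    return flags
```

The flags feed the auditing and reporting the post asks for: each held message becomes a record of who was targeted and why, which is far cheaper to review than a clean-up after Joe has clicked.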