Do you know why hacking will continue to be with us for a long time? Well, the answer is quite simple – ‘People are dumb!’ … and always in a hurry.
According to security blogger Graham Cluley, ‘Humans can't be upgraded… you can't fix the bug in people's brain that makes them click a link, or choose a really dumb password.’ This is one of the reasons why their companies get hacked on a consistent basis – because people still make easily avoidable mistakes.
Which is why we will always need ethical hackers to keep our I.T. systems safe. Most recently the DDos (Distributed denial of services) attacks posed a big problem for many.
But, what is Ethical Hacking, anyway? Ethical hacker is defined as “an individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods and techniques as a Hacker.”
There are plenty of examples of corporate companies whose businesses have been negatively impacted by hacking. Usually, getting hacked entails a loss of intellectual property, divulging of secrets, theft of resources, and in the worst-case scenario, the exposure of information that could lead to the destruction of the organization.
Many companies skimp on security spending and merely ‘tick boxes’ by hiring a few cyber security professionals. According to the book, Why Do Companies Keep Getting Hacked?, "Security isn't always a priority for developers in a rush to bring a product to market’.
Hiring professional ethical penetration testers is the best way to ensure security as they provide a combination of different technologies and processes that fit the needs of the organization in question.
So, with this in mind, what are some considerations to keep in mind when hiring ethical hackers?
Listed below are answers to this very question.
Who Exactly Are You Looking to Hire?
For starters, you should not compromise on the quality of the person that you are seeking to hire. This means that formal training, as well as , personal drive and passion should be your main considerations. That being said, you should also ensure that the hacker that you hire does not pose any conflict of interest to you.
Avoid those trying to sell you a specific product that and those that have an interest in a competitor organization or business. In essence, the hacker should have your company’s best interests as the main priority.
Depth and Breadth of Skill
Depending on your needs, you will need an ethical hacker who can address your exact needs as well as anticipate future needs. As such, if you don’t have any IT security in place, then hiring a robust service with a lot of depth, breadth, and experience in IT security will be the best option for you. On the other hand, if you have an in-house ethical hacker (or are considering training your current IT staff), then hiring a consultant to further bolster your security may be the solution for you.
What Are the Terms of Engagement?
This will include issues like hiring and termination policies, non-compete arrangements, non-disclosure agreements, communication protocols, and other measures to prevent the leaking of sensitive information, including the number of people involved in any penetration testing and other ethical hacking activities.
The Main Hiring Considerations
What's Your Budget?
When hiring an ethical hacker, a lot will depend on how much you are willing to spend and how much you have to spend. Of course, the size of the IT environment and how thorough you need the penetration testing to be will be very important considerations too. In actual fact, hiring an ethical hacker can cost you anywhere from between a few hundred dollars to millions of dollars.
Therefore, being clear about how much you are willing to spend is a good idea.
According to Art Gilliland, of Skyport Systems, if you don’t have a budget or the executive backing to spend on ethical hacking, then hiring an initial penetration tester is ‘an excellent way to free up budget if your executive team cares about security; the [the tester] will give you a roadmap of what to do to fix it.’
Where Do You Find Ethical Hackers?
Depending on your budget, you can choose brand name consultants or highly regarded individuals in the industry. You can find these ethical hackers through referrals from peers that you, trust and from organizations that train the best ethical hackers.
Additionally, finding hackers from dedicated hacking conventions like Def Con or SHARKFEST can help you network and find useful resources and affiliated groups.
One other important consideration to keep in mind is that hacking and penetration testing is more than just a matter of finding a qualified person to run some tests for you. Passion, skill, curiosity, creativity, resourcefulness are also important skills to look for.
Rules of Engagement
When hiring an ethical hacker, it is critical that you understand the whole ecosystem and the interactions that you will be putting to the test. In fact, a group of ethical hackers has put forth a good set of standards that can help you know what you can expect and what you should do. The standards include detailed information categorized into 7 main sections including:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Post Exploitation and
Hiring an ethical hacker to find your security vulnerabilities is just half the job. The other half is fixing the vulnerabilities. As such, you should ensure that the ethical hacker you hire can fix the vulnerabilities that have been found.