Mastering the enemy's weapons
Ethical hacking - especially penetration testing - is a fast-growing segment of the information security market.
"To know your enemy, you must become your enemy," exhorts Sun-Tzu, the philosopher of ancient China so beloved in management textbooks. It's a piece of advice that many organisations are now taking to heart, as they implement strategies and technologies to protect their data, networks and applications from malicious attack and information theft.
The field of ethical hacking is all about using the same tools, strategies and techniques as black-hat intruders to test a company's vulnerability to attack. Demand for ethical hacking services is on the rise, because enterprises are required by industry regulations and standards, such as the Payment Card Industry standard, to do rigorous internal and external penetration tests, says Philip Pieterse, senior security consultant at Trustwave in South Africa.
Ethical hackers who perform penetration testing try to breach their clients' infrastructure with complex attack scenarios that mimic the approaches real-world attackers might use. This enables companies to find and fix vulnerabilities to strengthen their overall security posture, says Pieterse.
A step ahead
More frequent penetration testing helps businesses keep up with the ever-changing threat environment, so they stay a step ahead of emerging threats. It's an invaluable service in a world where many companies have network breaches they're not aware of, and where the tools and techniques criminal attackers use are growing in sophistication.
With the potential attack surface widening all the time, there are no automated software tools that can catch all the breaches and vulnerabilities, Pieterse says. For example, SQL injection attacks remain common, despite the fact that they have been around for years. Automated tools struggle to detect SQL injections, he says.
For Pieterse and his team, keeping up to date with the latest tools and strategies hackers use means spending a lot of time watching social networks, blogs and message boards to see which exploits and vulnerabilities the black-hats are discussing. They then take these exploits and experiment with them to see which of them might be a danger to their clients.
Of course, ethical hacking has its limits. Unlike real black-hat hackers, ethical hackers cannot make wild changes to a client's system without knowing what their impact will be, says Pieterse. But, over time, ethical hackers can build up a suite of tools they can use with confidence. And whereas the real criminals have all the time in the world to breach a network, ethical hackers generally need to test a range of scenarios within a matter of days.