Trust under scrutiny as ethical hacking goes legit

What value should CIOs place in ethical hacking accreditation?

A number of high profile data breaches are bumping up demand for ethical hacking services, but experts warn not all white hats are worthy of your trust.

Today's 'ethical hackers' are knocking on the doors of corporate Australia armed with credentials and industry certification, but experts warn that the onus is on the company hiring the hacker to ensure their reliability.

The term 'ethical hacking' has been in use for several years, often alternated with pen(etration) testing or security auditing. But some pen testers shy away from the term, believing it cheapens their services.

Once used mostly by the banking, telecommunications and government sectors, penetration testing has enjoyed a steady growth in popularity in the last 12 months thanks to heightened awareness of cyber crime and increased compliance requirements by regulators.

Security breaches at Sony, RSA, Comodo and Epsilon have helped their cause.

Wide deployment of Wi-Fi networks and remote access to private networks from mobile devices are also adding to demand. Retailers, second-tier financial services providers, law firms and even small businesses are subsequently looking to hack-proof their systems.

Companies such as Pure Hacking, Securus Global and Hacklabs claim to be fielding more calls, with some actively hiring to cope with demand.

Securus Global managing director Drazen Drazic said pen testing has found a new audience in online businesses.

“To a degree it is trickling down to smaller businesses that turn over millions of dollars (online),” he said.

New courses for ethical hackers are also popping up, prompting at least one infrastructure technology firm to add hacking and vulnerability assessment to its offerings.

Systems engineer Dan Weis of Kiandra was among the first 10 to complete the EC-Council’s revamped Certified Ethical Hacking (CEH) course v.7.

Weis said it taught testers how to penetrate systems and secure them afterwards.

“Basically we look for what the intruder can see and once inside we (determine) what they can do with that information. We also look to see if one can tell there’s been a breach and give recommendations with video evidence of the attack in action,” Weis said.

However, he admitted there is no 100 percent secure environment.

“If a hacker wants to hack you, they will," he said. "It’s about making it difficult.”

He added adhesion to a code of ethics was part of ethical hacking.

“There are companies out there that will deliberately attack websites then send them an email saying they can fix it. It’s bad practice really. Part of ethical hacking is we sign that we do not do anything without written permission.”

Other pen testing companies said certified courses had a place, but the security professional’s experience was more important. All said they screened candidates’ criminal records.

“Certificates are useful but to be a competent ethical hacker you have to spend a lot of time doing pen testing and need to be taught by a senior member of a team,” said Ty Miller, chief technology officer, Pure Hacking.

Chris Gatford of Hacklabs said ethical hackers needed to invest in themselves to constantly update their skills. “What you can’t teach is a mindset, a hunger for how things work.”

Matthew Hackling, general manager, security testing division, Enex TestLabs, said clients in banking and government demand a minimum of five years’ experience, rather than certificates.

Kathryn Kerr, manager of analysis and assessment at AusCERT said a certificate did not guarantee legitimacy

“But it does provide a higher level of assurance of the skills and quality of the people doing the work.” 

She said there were alternatives to providing audits - including using Defence Signals Directory manuals.

“Penetration testing is certainly popular for some organisations and there will always be a certain level of demand, but it is not the be-all and end-all of system security," she said.

The national director of the Australian Information Security Association (AISA) Keith Price advised companies to engage professionals based on their expertise in individual systems.

“No hacker can do everything. A company needs to assemble a team,” he said. And once tested, companies need to re-engineer their processes and re-test regularly. He stressed the purpose of pen testing was not to break into systems.

“It is to find deficiencies in the internal processes. I’d advise people to think about how they’ll change their internal processes to fix the root cause of the problem.”

Rob McMillan, research director for security, risk and privacy at Gartner recommended clients undertake probity tests to ensure in-house and outsourced testers are trustworthy.

“You’ve got to be certain that the information that was uncovered won’t be misused.”

An experienced hirer of pen testers, Telstra’s chief information officer Patrick Eltridge said as testing popularity increases it would be natural for new providers to come to market.

“My advice for companies considering it is to err on the side of trusted partners. The skills and techniques are well understood – you don’t need people who started a year ago (to be up--to-date). It’d be best to consult with established security people with the experience and the credentials,” Eltridge said.