Trust under scrutiny as ethical hacking goes legit

Powered by SC Magazine

What value should CIOs place in ethical hacking accreditation?

A number of high profile data breaches are bumping up demand for ethical hacking services, but experts warn not all white hats are worthy of your trust.

Today's 'ethical hackers' are knocking on the doors of corporate Australia armed with credentials and industry certification, but experts warn that the onus is on the company hiring the hacker to ensure their reliability.

The term 'ethical hacking' has been in use for several years, often alternated with pen(etration) testing or security auditing. But some pen testers shy away from the term, believing it cheapens their services.

Once used mostly by the banking, telecommunications and government sectors, penetration testing has enjoyed a steady growth in popularity in the last 12 months thanks to heightened awareness of cyber crime and increased compliance requirements by regulators.

Security breaches at Sony, RSA, Comodo and Epsilon have helped their cause.

Wide deployment of Wi-Fi networks and remote access to private networks from mobile devices are also adding to demand. Retailers, second-tier financial services providers, law firms and even small businesses are consequently looking to hack-proof their systems.

Companies such as Pure Hacking, Securus Global and Hacklabs claim to be fielding more calls, with some actively hiring to cope with demand.

Securus Global managing director Drazen Drazic said pen testing has found a new audience in online businesses.

“To a degree it is trickling down to smaller businesses that turn over millions of dollars (online),” he said.

New courses for ethical hackers are also popping up, prompting at least one infrastructure technology firm to add hacking and vulnerability assessment to its offerings.

Systems engineer Dan Weis of Kiandra was among the first 10 to complete the EC-Council’s revamped Certified Ethical Hacking (CEH) course v.7.

Weis said it taught testers how to penetrate systems and secure them afterwards.

“Basically we look for what the intruder can see and once inside we (determine) what they can do with that information. We also look to see if one can tell there’s been a breach and give recommendations with video evidence of the attack in action,” Weis said.

However, he admitted there is no 100 percent secure environment.

“If a hacker wants to hack you, they will,” he said. “It’s about making it difficult.”

He added that adherence to a code of ethics was part of ethical hacking.

“There are companies out there that will deliberately attack websites then send them an email saying they can fix it. It’s bad practice really. Part of ethical hacking is we sign that we do not do anything without written permission.”

Other pen testing companies said certified courses had a place, but the security professional’s experience was more important. All said they screened candidates’ criminal records.

“Certificates are useful but to be a competent ethical hacker you have to spend a lot of time doing pen testing and need to be taught by a senior member of a team,” said Ty Miller, chief technology officer, Pure Hacking.

Chris Gatford of Hacklabs said ethical hackers needed to invest in themselves to constantly update their skills. “What you can’t teach is a mindset, a hunger for how things work.”

Matthew Hackling, general manager, security testing division, Enex TestLabs, said clients in banking and government demand a minimum of five years’ experience, rather than certificates.

Kathryn Kerr, manager of analysis and assessment at AusCERT, said a certificate did not guarantee legitimacy.

“But it does provide a higher level of assurance of the skills and quality of the people doing the work.” 

She said there were alternatives to providing audits - including using Defence Signals Directorate manuals.

“Penetration testing is certainly popular for some organisations and there will always be a certain level of demand, but it is not the be-all and end-all of system security,” she said.

The national director of the Australian Information Security Association (AISA) Keith Price advised companies to engage professionals based on their expertise in individual systems.

“No hacker can do everything. A company needs to assemble a team,” he said. And once tested, companies need to re-engineer their processes and re-test regularly. He stressed the purpose of pen testing was not to break into systems.

“It is to find deficiencies in the internal processes. I’d advise people to think about how they’ll change their internal processes to fix the root cause of the problem.”

Rob McMillan, research director for security, risk and privacy at Gartner, recommended clients undertake probity tests to ensure in-house and outsourced testers are trustworthy.

“You’ve got to be certain that the information that was uncovered won’t be misused.”

An experienced hirer of pen testers, Telstra’s chief information officer Patrick Eltridge said as testing popularity increases it would be natural for new providers to come to market.

“My advice for companies considering it is to err on the side of trusted partners. The skills and techniques are well understood – you don’t need people who started a year ago (to be up-to-date). It’d be best to consult with established security people with the experience and the credentials,” Eltridge said.

Copyright © iTnews.com.au . All rights reserved.
