We use strong passwords, update our systems, install firewalls and anti-virus software, and encrypt our data to protect our servers, systems and networks. But is all of that enough to ensure that our systems are protected against malicious attacks, whether from inside or outside? If we don't test our systems, we cannot be sure that we are safe. Once we hired a company to do penetration testing on our network and systems; one of their tasks was to send a notification to all users asking them to change their password by accessing a website. We were shocked that 78% of the users clicked on the link and tried to change their passwords, even though the link was not branded and could easily be detected as fake. The sad news was that 25% of the users who tried to change their passwords were IT employees.
Was this action on our part ethical? Was the behavior of the company that hacked our systems ethical? I believe yes: if we don't do such tests, the security of our systems cannot be guaranteed. When we hired this professional company, which has knowledge of system vulnerabilities and user security behavior, we wanted to use their output to enhance our systems' security. Ethical hacking is a controlled way of hacking systems to improve their security; without understanding the way hackers think, what tools they use, and whom and why they hack, the weaknesses cannot be discovered and fixed. If white hat hackers can crack the systems, black hat hackers can as well; at least the advantage of the former is that data will not be stolen and systems won't be damaged. Instead, the systems will be tested against the known threats and tools that black hat hackers use to attack and damage systems.
The security of the Internet is poor, and not every organization has the means to hire professionals in each area to secure its systems. Hackers are finding new ways every day to break into systems or steal data, and stopping them with ordinary tools is not sufficient, as the same tools we use for protection have their own vulnerabilities; hackers' wide knowledge of the systems, and the tools they use to automate their tasks, cannot be predicted by ordinary people. Ethical hacking is the effective solution for this issue, as only hackers, or someone who thinks like them, can predict their actions. We don't have to wait until we are hacked and the systems are compromised to take action, or try to trace the origin of the attack, which might never be known. Instead, we can follow best practices, secure the systems as much as possible, and then test our efforts. Experts who have the proper tools and understand the implications of their work should do the security testing.
However, ethical hacking is a double-edged sword: because ethical hackers are professionals in what they do, they could introduce more vulnerabilities to increase their customer base and to justify their existence. In addition, they will have access to sensitive data. For all these reasons, security testing and ethical hacking should be steered by an organized security enhancement project.